Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

gengnan <gengnan@huawei.com> Wed, 08 February 2023 03:52 UTC

From: gengnan <gengnan@huawei.com>
To: Fernando Gont <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>
Date: Wed, 08 Feb 2023 03:52:23 +0000
Message-ID: <938d6bf054ac47caa963efc7a0989900@huawei.com>
References: <167539612053.40479.6488206666590835722@ietfa.amsl.com> <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com>
In-Reply-To: <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/QPZ4MLpjdZ02resBQDg_D48Qwkg>
Subject: Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Hi Fernando,

Here are some thoughts after reading the draft:

1. To my knowledge, block-lists can be used to mitigate some DDoS attacks by putting the zombies' addresses in the block-lists. Of course, the lists should be updated dynamically in some way so as to reduce false negatives and false positives.

2. For "Both types of ACLs have a similar challenge in common": IMO, how to keep high accuracy for address filtering/validation in an efficient way is really a challenging problem for both manual configuration-based filtering and automated tool-based filtering. Particularly, I think (more from the operator's point of view) there should be zero false positives so that legitimate users are not affected and operators have confidence to conduct filtering operations (e.g., deploying some tools). On the basis of zero false positives, false negatives should be reduced as much as possible.

3. There are also some methods (e.g., RTBH [RFC5635], uRPF [RFC3704]) which do address filtering based on the FIB instead of ACLs. Are they in the scope of the draft?

Best,
Nan

-----Original Message-----
From: OPSEC <opsec-bounces@ietf.org> On Behalf Of Fernando Gont
Sent: Friday, February 3, 2023 12:28 PM
To: opsec@ietf.org
Subject: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Hi, All,

I happened to participate in an IPv6 deployment meeting with a large content provider. Eventually there was a discussion about how to mitigate some attacks using block-lists, and they argued that they ban offending addresses (/128 in the IPv6 case), following IPv4 practices.
While they had already deployed IPv6, some of the associated implications arising from the increased address space seemed to be non-obvious to them.

So that's what motivated the publication of this document.

* TXT: 
https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
* HTML: 
https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html

Comments welcome!

Thanks,
Fernando




-------- Forwarded Message --------
Subject: New Version Notification for
draft-gont-opsec-ipv6-addressing-00.txt
Date: Thu, 02 Feb 2023 19:48:40 -0800
From: internet-drafts@ietf.org
To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont <ggont@si6networks.com>


A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
has been successfully submitted by Fernando Gont and posted to the IETF repository.

Name:		draft-gont-opsec-ipv6-addressing
Revision:	00
Title:		Implications of IPv6 Addressing on Security Operations
Document date:	2023-02-02
Group:		Individual Submission
Pages:		8
URL: 
https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
Status: 
https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
Htmlized: 
https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing


Abstract:
    The increased address availability provided by IPv6 has concrete
    implications on security operations.  This document discusses such
    implications, and sheds some light on how existing security
    operations techniques and procedures might need to be modified to
    accommodate the increased IPv6 address availability.

 


The IETF Secretariat


_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
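Added example, not code from the thread or from the draft: the /128-ban point Fernando raises and the dynamic-update point in Nan's item 1, as a small Python block-list. It bans individual hosts the way the IPv4 practice does, but escalates to the covering /64 once a configurable number of distinct offenders have been seen in it, and it expires entries after a TTL. The addresses are constructed from the 2001:db8::/32 documentation prefix; the /64 aggregation length, the threshold of 3 and the 600 s TTL are assumptions chosen for illustration, not values taken from the draft.

```python
"""IPv6-aware block-list: per-host (/128) bans with escalation to the
covering /64, plus TTL-based expiry so the list is updated dynamically.
Constructed example; addresses are from the 2001:db8::/32 documentation
prefix and the parameters (64, 3, 600) are illustrative assumptions."""
import ipaddress
from collections import defaultdict


class BlockList:
    """Dynamic block-list with host entries, prefix entries and expiry."""

    def __init__(self, agg_prefixlen=64, agg_threshold=3, ttl=600):
        # agg_threshold=None disables escalation: pure /128 (IPv4-style) bans.
        self.agg_prefixlen = agg_prefixlen
        self.agg_threshold = agg_threshold
        self.ttl = ttl
        self._hosts = {}                    # IPv4/IPv6Address -> expiry time
        self._prefixes = {}                 # IPv6Network -> expiry time
        self._offenders = defaultdict(set)  # IPv6Network -> offending hosts

    def _covering(self, ip):
        # The aggregation prefix that contains this (IPv6) host address.
        return ipaddress.ip_network(f"{ip}/{self.agg_prefixlen}", strict=False)

    def _expire(self, now):
        # Drop host and prefix entries whose TTL has run out.
        for ip in [k for k, exp in self._hosts.items() if exp <= now]:
            del self._hosts[ip]
            if ip.version == 6:
                self._offenders[self._covering(ip)].discard(ip)
        for net in [k for k, exp in self._prefixes.items() if exp <= now]:
            del self._prefixes[net]

    def report(self, addr, now):
        """Record an offending source address observed at time `now`."""
        ip = ipaddress.ip_address(addr)
        self._hosts[ip] = now + self.ttl  # the /128 (or IPv4 /32) ban
        if ip.version == 6 and self.agg_threshold is not None:
            net = self._covering(ip)
            self._offenders[net].add(ip)
            # Enough distinct hosts in one /64: ban the whole prefix, so the
            # attacker cannot evade the list by moving to a fresh address.
            if len(self._offenders[net]) >= self.agg_threshold:
                self._prefixes[net] = now + self.ttl

    def is_blocked(self, addr, now):
        """True if `addr` is covered by a live host or prefix entry."""
        ip = ipaddress.ip_address(addr)
        self._expire(now)
        if ip in self._hosts:
            return True
        return any(ip in net for net in self._prefixes)


def attacker_rotation(bl, prefix, attempts, now=0):
    """Simulate an attacker walking through prefix::1, ::2, ... inside its
    own prefix. Every attempt that is not blocked is assumed to be detected
    and reported. Returns how many of the attempts the list stopped."""
    net = ipaddress.ip_network(prefix)
    stopped = 0
    for i in range(1, attempts + 1):
        addr = str(net.network_address + i)
        if bl.is_blocked(addr, now):
            stopped += 1
        else:
            bl.report(addr, now)
    return stopped


if __name__ == "__main__":
    # Pure /128 bans: every new address in the attacker's /64 is "fresh".
    print("stopped with /128 bans only:",
          attacker_rotation(BlockList(agg_threshold=None), "2001:db8:1:2::/64", 10))
    # With escalation the whole /64 is banned after the third offender.
    bl = BlockList(agg_threshold=3)
    print("stopped with /64 escalation:",
          attacker_rotation(bl, "2001:db8:1:2::/64", 10))
    print("neighbouring /64 still allowed:",
          not bl.is_blocked("2001:db8:1:3::1", 0))
```

`attacker_rotation` shows the failure mode: with `agg_threshold=None` (pure /128 bans) an attacker walking through ::1, ::2, ... in its /64 is never stopped, because each new address has never been reported; with escalation, everything after the third address is dropped while a host in the neighbouring /64 is unaffected, which is the zero-false-positive property Nan asks for at that granularity. The caveat is that /64 is only a guess at the allocation boundary: a provider may assign a /56 or /48 to one customer, or pack many tenants into a shared /64, so the aggregation length should follow what is known about the source network's addressing policy or the ban becomes either too narrow or too broad.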