Re: [OPSEC] Opsdir last call review of draft-ietf-opsec-v6-21

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Fri, 06 December 2019 14:19 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB53F12081C; Fri, 6 Dec 2019 06:19:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=MfmmBiJX; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=mxazyVCK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fKVs_ZQ9NUKm; Fri, 6 Dec 2019 06:19:31 -0800 (PST)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3167412080A; Fri, 6 Dec 2019 06:19:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7132; q=dns/txt; s=iport; t=1575641971; x=1576851571; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=h8MxXdxolJR/7UzyIipQkMWQvq0YTbLWJtXCAgVTxRg=; b=MfmmBiJXZEAUbf1dSBoLRhCrwxwqDhMbRXqnubGSqxJqgwul48DU7pLr W8PDSSIwjNY3MsptNEt55Q8XHFVXXJP3VFvqThcZp2SP6Crb4Kx4sxmS0 w8GY/fbQf3LCnlaxpdPfw9vLWHs3xhkxv7fWvUEKciOu71vqkh4V5t3RL g=;
IronPort-PHdr: =?us-ascii?q?9a23=3AfMX/oBWMP74aSdlZazQkdMJSYg7V8LGuZFwc94?= =?us-ascii?q?YnhrRSc6+q45XlOgnF6O5wiEPSA92J8OpK3uzRta2oGXcN55qMqjgjSNRNTF?= =?us-ascii?q?dE7KdehAk8GIiAAEz/IuTtank3AtVEX1xo13q6KkNSXs35Yg6arw=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DZAQA5Yupd/4QNJK1kDg0BAQEBAQE?= =?us-ascii?q?BBQEBAREBAQMDAQEBgX6BS1AFbFggBAsqhCuDRgOKfppjgUKBEANUCQEBAQw?= =?us-ascii?q?BASMKAgEBhEACF4F+JDgTAgMNAQEEAQEBAgEFBG2FCwclDIVTAgEDEhEEDQw?= =?us-ascii?q?BAS0KAQ8CAQgaAiYCAgIwFRACBAENBSKDAAGCRgMuAQ6iAgKBOIhgdX8zgn4?= =?us-ascii?q?BAQWFFxiCFwMGgQ4ojAgPGoFBP4ERJyCCTD6CZAKBJzwXgnkygiyNEIMRni0?= =?us-ascii?q?Kgi6HH4okhBcbgkGMLYs4jkqIQZFiAgQCBAUCDgEBBYFpIoFYcBVlAYJBUBE?= =?us-ascii?q?UiwiBXgwXg1CFFIUEO3SBKJBAAQE?=
X-IronPort-AV: E=Sophos;i="5.69,285,1571702400"; d="scan'208";a="676705327"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 06 Dec 2019 14:19:30 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id xB6EJUNE014431 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 6 Dec 2019 14:19:30 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 6 Dec 2019 08:19:29 -0600
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 6 Dec 2019 08:19:28 -0600
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 6 Dec 2019 08:19:26 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iue4qv5m1W0GUH574Am6HKIIJUjOA3rmDBIVvbZ58lv4IwhISlGch0H+ZaxjxRspkMEeMDMlJrC9UvabCTQCSG14o32Qikk3NzZlne7UdOKbG27QsCMTy4eCJ3ekGDVKy41p8oLoe99i6Bfp8g0PhXBemQziMs37cEaJaiVCtcVNKIAQLwJIC4MighglQOjVN8wSlDrt5Mh+5qOaMUu9ROCroTTvMJq5xzeq3yYuw0hsI8nJNUZnpSRZ6LKgB7c8nZWmeA4bFAZ9FMPD0+D8go0hv8+2RcVxP9YSE57Q5dO9gBFjZfvXRaYyFOay3vJW33Ob7PwS/8zYahoc5hzGiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h8MxXdxolJR/7UzyIipQkMWQvq0YTbLWJtXCAgVTxRg=; b=nCPsxKSSN9cHG5f0TXDHwIUdzhEbGi1IoGs6h2Q/Xj2N3Z2YxcKyszuWjlqLE74GVBSFCBsn6G7Ywl68c3dsz9geKtpUytL9hl7eanosDgfpVlCfnvyO6ofDBIg8cei196dvjLtQfAEPPvSOW67dFPAz8g0RlmnYVciabfSnMIcuK15hEIHqn+hh57LiPHmAhk04sXsNgxse2Msw0jlWeKtQIm3uyO0ADke9UtOnSBpU5seXtyMMjxP+9JsBr5N3YjCqznSxymyUSH5RDxBzoEi52PKOV87OoVYVDPnx1jjIPWyNMuzYPRVZSk2hAX8s2xxOMx0dAIIEeeHmhBBthw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h8MxXdxolJR/7UzyIipQkMWQvq0YTbLWJtXCAgVTxRg=; b=mxazyVCKyYSoLKLuhOgFLW40NzNPLx5hP7EOlU5uJkyYAR+MUWrtORzjhzjZ7yVd59oFIxSJfCUipiI6q7DWfIqdZVupZ8TZBUeOw87skmQkruIeu3KOn9P2FZGxrvmsaH9EQ/KscZHnntxH9K0oA0SFq2cq4368CqUiIGhzues=
Received: from DM5PR11MB1753.namprd11.prod.outlook.com (10.175.88.141) by DM5PR11MB1801.namprd11.prod.outlook.com (10.175.85.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.22; Fri, 6 Dec 2019 14:19:26 +0000
Received: from DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::6c99:679c:82cd:b955]) by DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::6c99:679c:82cd:b955%12]) with mapi id 15.20.2495.026; Fri, 6 Dec 2019 14:19:26 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Tim Chown <tim.chown@jisc.ac.uk>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Thread-Topic: Opsdir last call review of draft-ietf-opsec-v6-21
Thread-Index: AQHVrBhopOzIvqegp0WJgFtmlgmULqetOOWA
Date: Fri, 6 Dec 2019 14:19:26 +0000
Message-ID: <3E6971B4-D213-4F63-A09D-7AEAFE69A2CD@cisco.com>
References: <157562487044.21086.3344278098662647264@ietfa.amsl.com>
In-Reply-To: <157562487044.21086.3344278098662647264@ietfa.amsl.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evyncke@cisco.com;
x-originating-ip: [2001:420:c0c1:36:dd38:5f4d:e900:15ac]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4ba0cae1-665e-4880-76e0-08d77a574ca8
x-ms-traffictypediagnostic: DM5PR11MB1801:
x-microsoft-antispam-prvs: <DM5PR11MB1801121B36683A3F531BE26DA95F0@DM5PR11MB1801.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0243E5FD68
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(366004)(376002)(39860400002)(136003)(346002)(199004)(189003)(966005)(33656002)(186003)(2616005)(305945005)(5660300002)(6506007)(71200400001)(71190400001)(478600001)(76116006)(76176011)(102836004)(110136005)(66946007)(91956017)(66556008)(64756008)(2906002)(99286004)(54906003)(6486002)(58126008)(8676002)(66476007)(86362001)(229853002)(66446008)(8936002)(81166006)(316002)(6512007)(4326008)(36756003)(81156014); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1801; H:DM5PR11MB1753.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2DPzcn+P5MbewALSOzz4Fj7I4mZ5cWMu4p39p/aTMvGmMI240MzyCjyLI3Ob++UyxS8XwrwRGJ4z44hPGYGkEdD2WFIRHYIFdlJYmmj+K6rVifuoLdEKl+WlzXzWUgGCFhTH/xxUBYPmYtucXi3ns4Bmuds2/n3b44/eienTt+xDJFzTmxe+HhdimDKgtlXbCV0db+EQIZaGjaOzf3TO0HAz5ROF5JqQrw55ejSCvXs5JSum6ARQfYorV9kbzENsxvBJvarlw778UQu5sV2vLhQhA+ggUT3wK0xhMeSvGfkGycf1KLX0xv0k1k1Ikg6I6mpGLlpP5a0BwMc37obFef9o8JuRF7oJWN1DAtGtgffwTOB9rVSneKbqHCOQC3hpcMpDdQfK7KuSpRaq3UYnXz+BKDNI2VNL606xGvePxJ3QY1QpnSxq6AGdmil49I6sfrOHwVxtT4MQfu+fxuSPErdMbpaoHuIuJKCeyEvbaNU=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <3AFF8EFF81A2DD46A1A988A59DC56A3E@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 4ba0cae1-665e-4880-76e0-08d77a574ca8
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Dec 2019 14:19:26.2457 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: y5Y1JdJS2wEmIvTA5dphyttk9UVfPY1aYXMm6pHuCfXvSr/mTkz1bxpK9kqpG/mUY04V4SLOqozSpHcn/egfMg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1801
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/QeW0TqLqFXVGQ85sGT6eMWIbqPk>
Subject: Re: [OPSEC] Opsdir last call review of draft-ietf-opsec-v6-21
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2019 14:19:34 -0000

Tim

Thank you for your additional review. And, I feel really bad if we, the authors, have not reacted to your previous review (even if I had in mind that we acted on it -- possibly not changing the text to fit completely your view)

-éric

On 06/12/2019, 10:34, "Tim Chown via Datatracker" <noreply@ietf.org> wrote:

    Reviewer: Tim Chown
    Review result: Not Ready
    
    I have reviewed this document as part of the Operational directorate's ongoing
    effort to review all IETF documents being processed by the IESG.  These
    comments were written with the intent of improving the operational aspects of
    the IETF drafts. Comments that are not addressed in last call may be included
    in AD reviews during the IESG review.  Document editors and WG chairs should
    treat these comments just like any other last call comments.
    
    This draft analyses operational security issues related to the deployment of
    IPv6, and describes appropriate mechanisms and practices to mitigate potential
    threats.
    
    I had previously reviewed the draft as an OPS-DIR Early Review in July 2018, as
    detailed in
    https://mailarchive.ietf.org/arch/msg/opsec/6s_YFrXNPwtbQRe62D3_AtXb6as, but I
    don’t see any evidence of these comments being acted upon, or any response, so
    as far as I can see, the comments in this review still apply, and I would urge
    the authors to review these comments.
    
    That said, there have been a number of improvements to the draft in the past 18
    months, and overall it is a much better document for those changes.  The
    question is at what point the WG should simply ship the draft as “good enough”,
    rather than try to improve it further.
    
    At the moment I think the document is Not Ready, though it’s getting nearer to
    being Ready with Nits.
    
    General comments:
    
    There are a number of typos / grammatical errors in the document.  While the
    RFC Editor will correct, e.g., in the abstract - “mitigations” should be
    singular, in the intro “with that have been”, in 2.1 “of address space
    available” (add “is”), “allow” should be “allows”.  Just needs a careful proof
    read.
    
    Specific comments:
    
    Abstract:
    
    “places” should be “aspects” or similar.
    
    2.1.1:
    
    Or for internal communication stability in networks where external connectivity
    may came and go, e.g., many ISPs provide ULAs in home networks.
    
    2.1.5:
    
    This section muddles privacy addresses with stable per-prefix identifiers. 
    They have different uses, and can be used independently or together.
    
    You say “RFC 8064 specifies a way to”, but I think you should cite RFC 7217 as
    the address generation mechanism, and RFC 8064 as the recommendation to use
    that, but note that you can still use RFC 4941 addresses alongside RFC RFC 7217
    addresses.
    
    2.1.6
    
    As per my previous review I think you should have a section on address
    accountability / auditing, and discuss that for all address assignment methods,
    be it DHCPv6 or SLAAC/RFC7217.  You say here DHCPv6 is used for audit purposes,
    yet later in the doc say there are issues with that approach.
    
    Address accountability is the most common question I get asked when speaking to
    universities about IPv6 deployment when there is (dual-stack) multi-addressing.
    
    This can be a place to mention DHCPv6 anonymity profiles, but that would be
    better in a separate section on address and thus user privacy.
    
    2.2.4
    
    As per later in the document, emphasise here that IPSec is optional (some still
    have the original IPv6 marketing message in their head…)
    
    2.3.3
    
    “his packets” -> “their packets” to be gender neutral.
    
    How widely deployed is SAVI in practice?  A comment is rightly made about SeND,
    but what about SAVI implementation?
    
    Can also suggest the /64 per host isolation approach here before the “A drastic
    technique” paragraph.
    
    2.6.1.5
    
    Address accountability appears again here in the 5th paragraph.  You can get a
    level of accountability from polling network devices where DHCPv6 is not used;
    this should be discussed somewhere.
    
    2.7.1
    
    Should mention RFC 7123 here, and also in Section 3.
    
    3.2
    
    Given you raise VPNs, you should add a note about RFC 7359.
    
    In R&E campus enterprises, eduroam is widely deployed and gives accountability
    through federated 802.1x based network access.
    
    4.3
    
    You manage to avoid talking about IPv6 NAT until here.  Then assume there is no
    IPv6 NAT on a CPE.  Would it be better to not mention IPv6 NAT at all, or dare
    you open that can of very wriggly worms in this document?  I imagine the IESG
    reviews may ask, given the widely held industry belief that “NAT is added
    security” :).  RFC 4864 still has value, but you cite that for a different
    reason.