Re: [OPSEC] New Version Notification for draft-yourtchenko-opsec-humansafe-ipv6-00.txt

Hi Fernando,

Thanks for the comments! inline..

On Tue, 6 Mar 2012, Fernando Gont wrote:

> Hi, Andrew,
>
> I read the I-D. Here are some comments:
>
> * Section 4 states:
>   The problem is twofold:  first, from the security point of view, one
>   should try to avoid the easy to guess patterns that the traditional
>   address assignment entails.  At the same time, the naive approach of
>   assigning purely random addresses to servers is not very scalable in
>   real world for maintenance reasons
>
> I think this one is somewhat incorrect: What's usually deemed as hard to
> manage is temporary addresses (RFC 4941), rather than the fact that the
> identifiers are random (see e.g.,
> <http://tools.ietf.org/id/draft-gont-6man-managing-slaac-policy-00.txt>).

No, in this case I'm talking about permanently assigned addresses. It's 
just that telling the full IPv6 address over the phone or remembering it 
is a chore.

Example: 2001:db8:d923:297a:2068:d95d:cff5:308a. Make an experiment and 
measure how much it takes to get this address over to someone over the 
phone, without errors. That's the type of problem I had in mind.

>
>
> * Section 5 states:
>   The idea is to exploit the randomness property of the encryption
>   function output.  The interface identifier, used within the IPv6
>   address of the host, would be derived from the 64-bit data
>   corresponding to hostname, encrypted with a site-wide "secret".
>
> How would you distribute the secret.

USB stick, for example. Or write it on the wall in the ops room :-)

I probably should have not named it a "secret" - the idea was to have it 
secret enough so that a random script kiddie does not know it, yet it can 
be easily known by the staff. Any suggestions on how I should rename it 
so there's less confusion ?

>
> That aside: have you read
> <http://tools.ietf.org/id/draft-gont-6man-stable-privacy-addresses-00.txt>.
> It solves the scanning problem and the management problem, with no need
> to distribute secrets.

It's nice, however it requires changes to host OSes.

--a

>
> Thanks,
> Fernando
>
>
>
>
> On 03/05/2012 08:06 AM, Andrew Yourtchenko wrote:
>> Hi all,
>>
>> We will be very thankful for the review/comments on this draft and hope
>> to present it in Paris.
>>
>> --a
>>
>> ---------- Forwarded message ----------
>> Date: Mon, 05 Mar 2012 03:04:14 -0800
>> From: internet-drafts@ietf.org
>> To: ayourtch@cisco.com
>> Cc: mircea.pisica@bt.com, sasad@cisco.com
>> Subject: New Version Notification for
>>     draft-yourtchenko-opsec-humansafe-ipv6-00.txt
>>
>> A new version of I-D, draft-yourtchenko-opsec-humansafe-ipv6-00.txt has
>> been successfully submitted by Andrew Yourtchenko and posted to the IETF
>> repository.
>>
>> Filename:     draft-yourtchenko-opsec-humansafe-ipv6
>> Revision:     00
>> Title:         Human-safe IPv6: Cryptographic transformation of
>> hostnames as a base for secure and manageable addressing
>> Creation date:     2012-03-02
>> WG ID:         Individual Submission
>> Number of pages: 9
>>
>> Abstract:
>>    Although the IPv6 address space within a single /64 subnet is very
>>    large, the typical distribution of the addresses in this space is
>>    very non-uniform.  This non-uniformity, together with the dictionary-
>>    based DNS brute-force enumeration, allows practical remote mapping of
>>    the IPv6 addresses in these subnets.  This document proposes a
>>    technique which can be used to decrease the exposure of the server
>>    subnets to trivial scanning.  As a side effect, the proposed
>>    technique allows to drastically simplify the address management.
>>
>>
>>
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> OPSEC mailing list
>> OPSEC@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsec
>>
>
>
> -- 
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>