Re: [OPSEC] New Version Notification for draft-yourtchenko-opsec-humansafe-ipv6-00.txt
Andrew Yourtchenko <ayourtch@cisco.com> Tue, 06 March 2012 10:32 UTC
Return-Path: <ayourtch@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9527221F880B for <opsec@ietfa.amsl.com>; Tue, 6 Mar 2012 02:32:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8BF0DYVFtw2 for <opsec@ietfa.amsl.com>; Tue, 6 Mar 2012 02:32:38 -0800 (PST)
Received: from av-tac-bru.cisco.com (weird-brew.cisco.com [144.254.15.118]) by ietfa.amsl.com (Postfix) with ESMTP id 9F71521F8741 for <opsec@ietf.org>; Tue, 6 Mar 2012 02:32:37 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from stew-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q26AWaZT002447 for <opsec@ietf.org>; Tue, 6 Mar 2012 11:32:36 +0100 (CET)
Received: from ams-ayourtch-8719.cisco.com (ams-ayourtch-8719.cisco.com [10.55.144.250]) by stew-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q26AWVgS021843; Tue, 6 Mar 2012 11:32:32 +0100 (CET)
Date: Tue, 06 Mar 2012 11:32:29 +0100
From: Andrew Yourtchenko <ayourtch@cisco.com>
X-X-Sender: ayourtch@ayourtch-lnx
To: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <4F55B1A2.7000909@gont.com.ar>
Message-ID: <alpine.DEB.2.00.1203061046000.2860@ayourtch-lnx>
References: <alpine.DEB.2.00.1203051204580.20167@ayourtch-lnx> <4F55B1A2.7000909@gont.com.ar>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: opsec@ietf.org, mircea.pisica@bt.com, sasad@cisco.com
Subject: Re: [OPSEC] New Version Notification for draft-yourtchenko-opsec-humansafe-ipv6-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2012 10:32:38 -0000
Hi Fernando, Thanks for the comments! inline.. On Tue, 6 Mar 2012, Fernando Gont wrote: > Hi, Andrew, > > I read the I-D. Here are some comments: > > * Section 4 states: > The problem is twofold: first, from the security point of view, one > should try to avoid the easy to guess patterns that the traditional > address assignment entails. At the same time, the naive approach of > assigning purely random addresses to servers is not very scalable in > real world for maintenance reasons > > I think this one is somewhat incorrect: What's usually deemed as hard to > manage is temporary addresses (RFC 4941), rather than the fact that the > identifiers are random (see e.g., > <http://tools.ietf.org/id/draft-gont-6man-managing-slaac-policy-00.txt>). No, in this case I'm talking about permanently assigned addresses. It's just that telling the full IPv6 address over the phone or remembering it is a chore. Example: 2001:db8:d923:297a:2068:d95d:cff5:308a. Make an experiment and measure how much it takes to get this address over to someone over the phone, without errors. That's the type of problem I had in mind. > > > * Section 5 states: > The idea is to exploit the randomness property of the encryption > function output. The interface identifier, used within the IPv6 > address of the host, would be derived from the 64-bit data > corresponding to hostname, encrypted with a site-wide "secret". > > How would you distribute the secret. USB stick, for example. Or write it on the wall in the ops room :-) I probably should have not named it a "secret" - the idea was to have it secret enough so that a random script kiddie does not know it, yet it can be easily known by the staff. Any suggestions on how I should rename it so there's less confusion ? > > That aside: have you read > <http://tools.ietf.org/id/draft-gont-6man-stable-privacy-addresses-00.txt>. > It solves the scanning problem and the management problem, with no need > to distribute secrets. It's nice, however it requires changes to host OSes. --a > > Thanks, > Fernando > > > > > On 03/05/2012 08:06 AM, Andrew Yourtchenko wrote: >> Hi all, >> >> We will be very thankful for the review/comments on this draft and hope >> to present it in Paris. >> >> --a >> >> ---------- Forwarded message ---------- >> Date: Mon, 05 Mar 2012 03:04:14 -0800 >> From: internet-drafts@ietf.org >> To: ayourtch@cisco.com >> Cc: mircea.pisica@bt.com, sasad@cisco.com >> Subject: New Version Notification for >> draft-yourtchenko-opsec-humansafe-ipv6-00.txt >> >> A new version of I-D, draft-yourtchenko-opsec-humansafe-ipv6-00.txt has >> been successfully submitted by Andrew Yourtchenko and posted to the IETF >> repository. >> >> Filename: draft-yourtchenko-opsec-humansafe-ipv6 >> Revision: 00 >> Title: Human-safe IPv6: Cryptographic transformation of >> hostnames as a base for secure and manageable addressing >> Creation date: 2012-03-02 >> WG ID: Individual Submission >> Number of pages: 9 >> >> Abstract: >> Although the IPv6 address space within a single /64 subnet is very >> large, the typical distribution of the addresses in this space is >> very non-uniform. This non-uniformity, together with the dictionary- >> based DNS brute-force enumeration, allows practical remote mapping of >> the IPv6 addresses in these subnets. This document proposes a >> technique which can be used to decrease the exposure of the server >> subnets to trivial scanning. As a side effect, the proposed >> technique allows to drastically simplify the address management. >> >> >> >> >> The IETF Secretariat >> >> _______________________________________________ >> OPSEC mailing list >> OPSEC@ietf.org >> https://www.ietf.org/mailman/listinfo/opsec >> > > > -- > Fernando Gont > e-mail: fernando@gont.com.ar || fgont@si6networks.com > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > > >
- [OPSEC] New Version Notification for draft-yourtc… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont
- Re: [OPSEC] New Version Notification for draft-yo… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont
- Re: [OPSEC] New Version Notification for draft-yo… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont
- Re: [OPSEC] New Version Notification for draft-yo… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont