[OPSEC] RtgDir: Last Call Review of draft-ietf-opsec-v6-21.txt - "Operational Security Considerations for IPv6 Networks"

"Acee Lindem (acee)" <acee@cisco.com> Tue, 03 December 2019 16:21 UTC

Return-Path: <acee@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C3A912024E; Tue, 3 Dec 2019 08:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.999
X-Spam-Level:
X-Spam-Status: No, score=-11.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=0.1, MANY_SPAN_IN_TEXT=1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=dkBBMnC6; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=lVfk2Q7J
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVmQEOs3Lu0L; Tue, 3 Dec 2019 08:21:25 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3896112006D; Tue, 3 Dec 2019 08:21:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=501875; q=dns/txt; s=iport; t=1575390085; x=1576599685; h=from:to:cc:subject:date:message-id:mime-version; bh=uKLr1GiSymVO1Qjhi34DrsJP3fx6tdS0Y1i9BNh/K3Q=; b=dkBBMnC6CW+H4Vc9i1SARrdD0rWRnXtQ01KTG5O84Qc2zgFw+J1Sl+DB EhvdptLrjwLwL8HL4N7etcmU5lBqM0y7HjpE8wGrmhJbNtN/hVOyuNmC1 eRQlaxvBx77xEMJq+JDUoHdRtWjSyXebif3kQh9X13EgsLd8bb/Z1ouWp g=;
X-Files: Diff_ draft-ietf-opsec-v6-21.txt.orig - draft-ietf-opsec-v6-21.txt.html : 348513
IronPort-PHdr: =?us-ascii?q?9a23=3A5d8GBBwziGhb1gXXCy+N+z0EezQntrPoPwUc9p?= =?us-ascii?q?sgjfdUf7+++4j5YRGN/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A+GsHbIQKUh?= =?us-ascii?q?YEjcsMmAl1CcWIBGXwLeXhaGoxG8ERHFI=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CmBAAmi+Zd/5NdJa2FRIFpBJMgphU?= =?us-ascii?q?bAwUEhjCGGTrFE49v?=
X-IronPort-AV: E=Sophos;i="5.69,273,1571702400"; d="html'217?scan'217,208,217";a="386230988"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Dec 2019 16:21:10 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id xB3GLALP007674 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 3 Dec 2019 16:21:10 GMT
Received: from xhs-aln-002.cisco.com (173.37.135.119) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 3 Dec 2019 10:21:09 -0600
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 3 Dec 2019 10:21:07 -0600
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 3 Dec 2019 10:21:07 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Q2wCoSSaSzxrRONBvW/HXHZxmx0Xjsm6M5F9BFltUSxqPxpMqTMlMi0XjGWgM6AdSvpq5Y3cr9NBtfpYQJwSFACNhPWYwL5GqrkOD7GhRHw9ndz+Xps8yTJcfDiM6vXQBUVgWAt6zNWklk1M56igAy6OAyGVzG6VGrAOest5njbOILcbZhROeloV/sns+HO2VDCew/L4780E5MACKNY4PR829o75WWbnMKPODF9yqivtEdgV3NoijeotjNAOwAchScEKWjcCbhFGSrmKdA/s+zSTQSKh5m+AV2++oTBrBRbKvZzRdm3en5N0lIjDImw4rd4+z/FZ+/llRPA95am/zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fyMRuAeOAmiHtg5CbnZjTab+jpRzI6geBkbhZNxlTQY=; b=SJzONb2sPrMuPA6qVoPD71k0Kua1V4DcFjG0lWP14WzJgTi+GDnYoUfeys2sh2L6Gx6+aokO27ZvizrFt2vRSMcEVNxUcRU+X8o1y0I6MmI99ohWPT8teBpGQWQsLz4ZVJkqg0cG6EpJx5QtBBK9TKVV693eOWCpWLicFOA4JaiczkMbqOHw0zJMGasHm40gZoHtFWVRuSnrNpdc8FDTaLa/JWRSEeZ/0dwEebcwLgEOf6AHRiD9Y2As4OftIvCI6TeECQ3GErcC089tgJIhLKC1kKVRVivK9ALbFhtMtcStvplhPBBtW0U+CzRcJw+JdfI7Hl0r8zj+x+StRlJ+/Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fyMRuAeOAmiHtg5CbnZjTab+jpRzI6geBkbhZNxlTQY=; b=lVfk2Q7JnUupM1plWIn0wOUNiN1op/KpHxUHg9ux5zNFfrqY7bySuAxkgl+BR2rG1HJQiGg1O39YdkSw+RIZTbE82fIcOp5gD4EETQdBQGPsKHUzhxOabIBc1OhF97/2kbRBzEhIl8JTfY4xMsU/Z/XkR9KqpBc41jyKwXh4p88=
Received: from MN2PR11MB4221.namprd11.prod.outlook.com (52.135.38.14) by MN2PR11MB4144.namprd11.prod.outlook.com (20.179.150.210) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.19; Tue, 3 Dec 2019 16:21:06 +0000
Received: from MN2PR11MB4221.namprd11.prod.outlook.com ([fe80::218b:2d04:e653:105]) by MN2PR11MB4221.namprd11.prod.outlook.com ([fe80::218b:2d04:e653:105%7]) with mapi id 15.20.2516.003; Tue, 3 Dec 2019 16:21:06 +0000
From: "Acee Lindem (acee)" <acee@cisco.com>
To: "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "rtg-ads@ietf.org" <rtg-ads@ietf.org>
CC: Routing Directorate <rtg-dir@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: RtgDir: Last Call Review of draft-ietf-opsec-v6-21.txt - "Operational Security Considerations for IPv6 Networks"
Thread-Index: AQHVqfWprJAVOQ9x30OpwrvFg/rgjA==
Date: Tue, 3 Dec 2019 16:21:06 +0000
Message-ID: <0652A868-74AF-4CF6-B3E7-45AD91A867E5@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=acee@cisco.com;
x-originating-ip: [2001:420:c0c4:1006::99]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 25324a8a-6fb9-4001-04cd-08d7780ccc85
x-ms-traffictypediagnostic: MN2PR11MB4144:
x-microsoft-antispam-prvs: <MN2PR11MB4144B8717DFBE79DE7E09876C2420@MN2PR11MB4144.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02408926C4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(39860400002)(346002)(376002)(396003)(136003)(199004)(189003)(81166006)(6306002)(966005)(99286004)(2616005)(450100002)(5024004)(14444005)(256004)(86362001)(6486002)(33656002)(46003)(6512007)(316002)(54896002)(186003)(9326002)(110136005)(8676002)(6506007)(81156014)(54906003)(6436002)(8936002)(14454004)(478600001)(6116002)(66574012)(102836004)(5660300002)(2501003)(25786009)(7736002)(71200400001)(2906002)(66946007)(71190400001)(4326008)(66476007)(64756008)(7110500001)(2420400007)(15650500001)(76116006)(66446008)(66556008)(66616009)(36756003); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4144; H:MN2PR11MB4221.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2cPj7Wq7nYTgXFxsdciI69d3LptAMGdlyLPR3GcbSKxtwHHrERRGINIgGeTY0qK0I6xe4Oi633yQ+/1wwT7/D9ffGavrjYSxGqBXy5a/zJXeCx/9yd59lNlJiXUkfMGKGR2cWQvi3B5dyqRCMjUXQ0PykNRYMsCFoCLFM7vEFh7etI7Be0tYzT7Ob40YUNSARCyiuTDCbXwL90bn+NqeU3e2D6dKv2U+hN/E/Ljl6UjzaGW7sZHQcFUI74R+eE2BKrJ1bd90PmYczl1DVojvFYKh4Z3wRpHX9MspggB6bHNCUMoqKISCqNTlxSr0TBOer13ecOrQcuw6JRBYO8imM8E5Q1vg6U1orxTae3uoXWm3u07jh+gpJsCUvv/9GTh8qe96alru01olABrIErQKLFz3cWxRxiyJZR2jJ/ZNqHbDYi/6E3cmAPu5Mvw4zhZ020Ud5GrZ5gIoOwCfFrMeYbJDj18dxZSM/ClxEJZLh04=
x-ms-exchange-transport-forked: True
Content-Type: multipart/mixed; boundary="_004_0652A86874AF4CF6B3E745AD91A867E5ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 25324a8a-6fb9-4001-04cd-08d7780ccc85
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Dec 2019 16:21:06.1755 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: o/SUrvKckLVbwYao2v734KzH5rEMLF8z+5YJPSwPekbrZL5aqgws6Brxf6eT9ky9
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4144
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: rcdn-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/bosW7rur1u47zyiRYKViyapNrJU>
Subject: [OPSEC] RtgDir: Last Call Review of draft-ietf-opsec-v6-21.txt - "Operational Security Considerations for IPv6 Networks"
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 16:21:34 -0000

Hello,

I have been selected as the Routing Directorate reviewer for this draft.
The Routing Directorate seeks to review all routing or routing-related
drafts as they pass through IETF last call and IESG review, and
sometimes on special request. The purpose of the review is to provide
assistance to the Routing ADs. For more information about the Routing
Directorate, please see ​

  http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir

Although these comments are primarily for the use of the Routing ADs,
it would be helpful if you could consider them along with any other
IETF Early Review/Last Call  comments that you receive, and strive to
resolve them through discussion or by updating the draft.

Document: draft-ietf-opsec-v6-21.txt
Reviewer: Acee Lindem
Review Date: 12/2/2019
IETF LC End Date: Soon
Intended Status:  Informational

Summary: The document contains a lot of useful recommendations and
         references for Operational Security in IPv6 networks. Since
                the document has "Informational" status, none of the text is
                normative.

                While the information content is very good, parts of the
                document are very hard to read and need revision. In general,
                the usage of long clauses connected by semicolons should be
                discouraged and the lists connected in this manner should
                be replaced with complete sentences. I've attached a diffs
                with editorial suggests but didn't try and rewrite all the
                semicolon connected text segments.

                There are also minor issues that need to be addressed.

Major Issues: None

Minor Issues:

    1. Section 1.0 - What do you mean by "updating it with that have been
       standardized since 2007."? It just doesn't read right.

    2. Section 2.1 - IPv4 also allows multiple addresses per interface,
       i.e., secondary addresses. So what is new?

    3. Section 2.1.5 - The whole discussion on how to use Router
       Advertisement (RA) messages lacks enough context to understand.
       Also, expand RA in the first occurrence.

    4. Section 2.2.3 - Expand out NDP since it is not clear that it is
       Neighbor Discovery Protocol from the context. It is expanded later
       in section 2.3.

    5. Section 2.4 - RFC 6192 not only defines the "router control plane"
        but provides much better guidance for control plane filtering than
        section 2.4.1 and 2.4.2.

    6. Section 2.4.1 and 2.4.2 - The ingress ACL should only be applied on
       the packets punted to the RP.

    7. Section 2.4.1 - If OSPFv3 vitual links are used, the destination
       address will not be a link-local address.

    8. Section 2.4.3 - Suggest references for Path MTU Discovery
       and traceroute.

    9. Section 2.5.1 - HMAC MD5 is considered vulnerable.

   10. Section 2.5.2 - What prior section describes the operational
       costs of IPsec?

   11. Section 2.5.3 - Need expansion and reference for RADB.

   12. Section 2.6 - Need expansion and reference for GDPR.

   13. Section 2.7.1 - ACLs are typically per address family so this
       recommendation isn't
       really feasible. Please revise.

   14. Section 2.7.2.6 - Expand MAP-E and MAP-T.

   15. Section 3.1 and 4.1 - Define bogon and provide reference.

   16. Section 3.2 - Bad reference in fourth paragraph.

   17. Section 5 - Suggest references for Teredo tunnels and NAT-PT.
       Also, expand NAT-PT on first occurrence.

Nits: Attached diff with suggested edits.

Thanks,
Acee