[OPSEC] RtgDir: Last Call Review of draft-ietf-opsec-v6-21.txt - "Operational Security Considerations for IPv6 Networks"
"Acee Lindem (acee)" <acee@cisco.com> Tue, 03 December 2019 16:21 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/bosW7rur1u47zyiRYKViyapNrJU>
Hello,

I have been selected as the Routing Directorate reviewer for this draft. The Routing Directorate seeks to review all routing or routing-related drafts as they pass through IETF last call and IESG review, and sometimes on special request. The purpose of the review is to provide assistance to the Routing ADs. For more information about the Routing Directorate, please see http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir

Although these comments are primarily for the use of the Routing ADs, it would be helpful if you could consider them along with any other IETF Early Review/Last Call comments that you receive, and strive to resolve them through discussion or by updating the draft.

Document: draft-ietf-opsec-v6-21.txt
Reviewer: Acee Lindem
Review Date: 12/2/2019
IETF LC End Date: Soon
Intended Status: Informational

Summary:

The document contains a lot of useful recommendations and references for Operational Security in IPv6 networks. Since the document has "Informational" status, none of the text is normative. While the information content is very good, parts of the document are very hard to read and need revision. In general, the usage of long clauses connected by semicolons should be discouraged and the lists connected in this manner should be replaced with complete sentences. I've attached a diff with editorial suggestions but didn't try to rewrite all the semicolon-connected text segments. There are also minor issues that need to be addressed.

Major Issues: None

Minor Issues:

1. Section 1.0 - What do you mean by "updating it with that have been standardized since 2007."? It just doesn't read right.
2. Section 2.1 - IPv4 also allows multiple addresses per interface, i.e., secondary addresses. So what is new?
3. Section 2.1.5 - The whole discussion on how to use Router Advertisement (RA) messages lacks enough context to understand. Also, expand RA in the first occurrence.
4. Section 2.2.3 - Expand out NDP since it is not clear that it is Neighbor Discovery Protocol from the context. It is expanded later in section 2.3.
5. Section 2.4 - RFC 6192 not only defines the "router control plane" but provides much better guidance for control plane filtering than sections 2.4.1 and 2.4.2.
6. Sections 2.4.1 and 2.4.2 - The ingress ACL should only be applied on the packets punted to the RP.
7. Section 2.4.1 - If OSPFv3 virtual links are used, the destination address will not be a link-local address.
8. Section 2.4.3 - Suggest references for Path MTU Discovery and traceroute.
9. Section 2.5.1 - HMAC MD5 is considered vulnerable.
10. Section 2.5.2 - What prior section describes the operational costs of IPsec?
11. Section 2.5.3 - Need expansion and reference for RADB.
12. Section 2.6 - Need expansion and reference for GDPR.
13. Section 2.7.1 - ACLs are typically per address family so this recommendation isn't really feasible. Please revise.
14. Section 2.7.2.6 - Expand MAP-E and MAP-T.
15. Sections 3.1 and 4.1 - Define bogon and provide reference.
16. Section 3.2 - Bad reference in fourth paragraph.
17. Section 5 - Suggest references for Teredo tunnels and NAT-PT. Also, expand NAT-PT on first occurrence.

Nits: Attached diff with suggested edits.

Thanks,
Acee