Re: [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 07 July 2016 14:15 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8764C12D5BC; Thu, 7 Jul 2016 07:15:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.947
X-Spam-Level:
X-Spam-Status: No, score=-15.947 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2d6JcNs7NpP2; Thu, 7 Jul 2016 07:15:10 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7253B12D5CE; Thu, 7 Jul 2016 07:15:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=20548; q=dns/txt; s=iport; t=1467900908; x=1469110508; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=BB161h7PZ8+YW/1/ckC5QaD4a61ZvXEb9BFWG1L82Tc=; b=DTiAOEs7Gs1Qfjm5KMXxRKTMLPuJ3CCTqwXN5gqV5tM1zSlkXmSpJL48 6kNW6kBxlyxa/9nR9IrRMlO80CGVJIZI4akpQ9hFn1LAZMwAvGBo1EgbW WMLpcqdpZ7MrvCqAP1a781foej+SxDTLjHC4Vw5QQMVn1jV1Rhlu89uFT w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A+BgDQYn5X/4UNJK1SCoM+Vm0PBrsEHoJDgzcCHIEMPBABAQEBAQEBZSeETQEEASMRRRACAQgSCAImAgICMBUCAQ0CBA4FiCgIrhWPPAEBAQEBAQEBAgEBAQEBAQEBH4EBhSaDSoEDhBIGCwEoCyOCR4JaBY4Eiw8BjkaPKpAJATUfggkcgUxuhzgPFwQbfwEBAQ
X-IronPort-AV: E=Sophos;i="5.28,324,1464652800"; d="scan'208";a="294900283"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Jul 2016 14:15:07 +0000
Received: from XCH-RTP-015.cisco.com (xch-rtp-015.cisco.com [64.101.220.155]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u67EF621023187 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 7 Jul 2016 14:15:06 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-015.cisco.com (64.101.220.155) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 7 Jul 2016 10:15:05 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Thu, 7 Jul 2016 10:15:05 -0400
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Fred Baker (fred)" <fred@cisco.com>
Thread-Topic: Asking for a review of draft-ietf-opsec-v6-08
Thread-Index: AQHRxvO7NZqKAcq6O0Gp7Rf6mrYAKA==
Date: Thu, 07 Jul 2016 14:15:05 +0000
Message-ID: <D3A3B811.7718E%evyncke@cisco.com>
References: <D386FF93.75916%evyncke@cisco.com> <BED28C4D-3F36-43E7-8D3E-70CB885C9543@cisco.com>
In-Reply-To: <BED28C4D-3F36-43E7-8D3E-70CB885C9543@cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.159.132]
Content-Type: text/plain; charset="utf-8"
Content-ID: <9C63361F7F6A5048ABDF78C34D32CCC1@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/gYSJNMlUB5Qa7A6zjswWq9lj-y8>
Cc: "Howard, Lee" <lee.howard@twcable.com>, "fgont@si6networks.com" <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>
Subject: Re: [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 14:15:12 -0000
Fred, First thank you for the review, to be honest I was unaware that per RFC 2119 "SHOULD" was a synonym of "RECOMMENDED" ;-) And you suggestion of listing all recommendations is indeed a good idea (but I am afraid that we won't have time to add it for the -09 rev). All other comments are accepted with a few exceptions below. EVY>> Thanks again :-) -éric On 15/06/16 22:05, "Fred Baker (fred)" <fred@cisco.com> wrote: >One thing I wondered about as reading this - many and perhaps most >sections gave a fairly informative comment, and then made one or two >recommendations. I wonder (this is a question) whether it would be >worthwhile capitalizing "RECOMMEND", both in the sense of defining the >term (RFC 2119) and highlighting it in the text. I also wonder if it >would make sense to pull together a list of recommendations made in a >table somewhere, perhaps in an appendix. I could imagine someone wanting >a list of them without wading through the text. > >> 1. Introduction >> >> Running an IPv6 network is new for most operators not only because >> they are not yet used to large scale IPv6 networks but also because >> there are subtle differences between IPv4 and IPv6 especially with >> respect to security. For example, all layer-2 interactions are now >> done by Neighbor Discovery Protocol [RFC4861] rather than by Address > >s/by/using/, twice. As worded, it sounds like NDP and ARP doing this by >themselves, as *actors*; no, the *system* does them using NDP and ARP as >its *language*. > >> Resolution Protocol [RFC0826]. Also, there are subtle differences >> between NAT44 and NPTv6 [RFC6296] which are explicitly pointed out in >> the latter's security considerations section. > >For NAT44, I might also point to RFC 2993 and maybe 4864. > >> IPv6 networks are deployed using a variety of techniques, each of >> which have their own specific security concerns. > > >> 2. Generic Security Considerations >> >> 2.1. Addressing Architecture >> >> IPv6 address allocations and overall architecture are an important >> part of securing IPv6. Typically what you initially design for will >> be what you use for a very long time. > >This sentence is in the second person ("you"), and most of the document >is third person ("it"). Reword as "Initial designs, even if intended to >be temporary, tend to last much longer than expected"? > >> Although initially IPv6 was >> thought to make renumbering easy, in practice, it would be extremely >> difficult to renumber. > >I would temper the statement. As we said in RFC 4192, the problems with >renumbering tends to be the places where a number is written into a >static configuration rather than managed using a database or whatever, >and the places where people cut corners ("its address will never change, >so I don't need to worry about its name and DNS"). I would find myself >saying that good OSS trumps static configurations, and in IPv6, systems >change at least their IIDs from time to time (RFC 7721). It's not that >IPv6 (or IPv4) is hard to renumber, it's that the required operational >support is often not there or not workable due to poor practice. > >> Once an address allocation has been assigned, there should be some >> thought given to an overall address allocation plan. With the >> abundance of address space available, an address allocation may be >> structured around services along with geographic locations, which > >"topology"? Topology is often structured geographically, yes, but if A >provides services to B and C and is a logical gateway to them, A, B, and >C can be grouped for management purposes even if they are not in the same >geographic location. EVY>> we wrote "around services along with geographic locations" which appears to me pretty much what you wrote above (i.e. A mix of services and proximity) > >> then can be a basis for more structured security policies to permit >> or deny services between geographic regions. >> >> A common question is whether companies should use PI vs PA space >> [RFC7381] but from a security perspective there is little difference. > >comma after "[RFC7381]". > >> However, one aspect to keep in mind is who has ownership of the >> address space and who is responsible if/when Law Enforcement may need >> to enforce restrictions on routability of the space due to malicious >> criminal activity. > >Pregnant statement. I find myself wondering about the implications of >"ownership" and "law enforcement restrictions on routability". In >"ownership", are you pointing to issues when you change providers and >therefore need to change PA addresses? If not, something else? In "LEA >issues", are you talking about law enforcement blocking the address >space, turning BGP announcements off, etc? EVY>> Good point, I rephrased it as "However, one aspect to keep in mind is who has administrative ownership of the address space and who is technically responsible if/when there is a need to enforce restrictions on routability of the space due to malicious criminal activity." > > >> 2.1.1. Statically Configured Addresses >> >> When considering how to assign statically configured addresses it is >> necessary to take into consideration the effectiveness of perimeter >> security in a given environment. There is a trade-off between ease >> of operational deployment where some portions of the IPv6 address >> could be easily recognizable for operational debugging and >> troubleshooting versus the risk of scanning; [SCANNING] shows that >> there are scientifically based mechanisms that make scanning for IPv6 >> reachable nodes more realizable than expected. The use of common >> multicast groups which are defined for important networked devices >> and the use of commonly repeated addresses could make it easy to >> figure out which devices are name servers, routers or other critical >> devices. >> >> While in some environments the perimeter security is so poor that >> obfuscating addresses is considered a benefit; it is a better >> practice to ensure that perimeter rules are actively checked and >> enforced and that statically configured addresses follow some logical >> allocation scheme for ease of operation. > >I find myself on both sides of the prophylactic security discussion. I >compare and network and its defenses to the human immune system, and >perimeter security to the skin. I favor having a working perimeter >security system much like I favor a functional skin, and for the same >immunologic reasons. That said, the body provides the defense, reducing >the rate at which it needs to bring other systems into play, and then >assumes it has been breached; a person whose only immunologic defense is >their skin is an AIDS patient, and doesn't have a good prognosis. My >fundamental problem with most network security systems is that they >over-emphasize perimeter security. > >I say that because this paragraph seems to over-emphasize perimeter >security - "in some environments the perimeter security is so poor...". I >think I would say that "security is so poor". I would be tempted to go >beyond to talk about the ways a remote network can be mapped, such as by >observing email envelopes and addresses found in WWW logs etc, and the >value of temporary random addresses (as opposed to permanent addresses, >whether DHCP -assigned or MAC/SLAAC). > >But I agree with the recommendation. > >> 2.1.2. Use of ULAs >> >> ULAs are intended for scenarios where IP addresses will not have >> global scope. The implicit expectation from the RFC is that all ULAs >> will be randomly created as /48s. Any use of ULAs that are not >> created as a /48 violates RFC4193 [RFC4193]. > >Mention also that they are expected to not be announced, and if announced >not accepted, in BGP? > >> ULAs could be useful for infrastructure hiding as described in >> RFC4864 [RFC4864]; > >I believe that at least one cable operator uses them for cable modem >addresses, which need no GUA and want to be hidden. Personally, I think >that's a better use of a ULA - for something does doesn't actually need a >global address. The paragraph here seems to assume that the only valid >use of a ULA is as a counterpart to RFC 1918, and with NAT. > >I'd really wish that we could talk about infrastructure (count the >addresses in the envelope of this email; they are mostly infrastructure >addresses) and internal-only services (wwwin-SERVICE.cisco.com names >being a classic Cisco example, to my mind) when we start a paragraph with >a comment on "infrastructure hiding", rather than proceeding directly to >NAT. EVY>> I will rely on my co-author for this part. > >> 2.1.4. Temporary Addresses - Privacy Extensions for SLAAC >> ... >> As privacy extension addresses could also be used to obfuscate some >> malevolent activities (whether on purpose or not), it is advised in >> scenarios where user attribution is important to disable SLAAC and >> rely only on DHCPv6. However, in scenarios where anonymity is a >> strong desire since protecting user privacy is more important than >> user attribution, privacy extension addresses should be used > >No mention of IEEE 802.1X? > >> Using privacy extension addresses prevents the operator from building >> a priori host specific access control lists (ACLs). It must be noted >> that recent versions of Windows do not use the MAC address anymore to >> build the stable address but use a mechanism similar to the one >> described in [RFC7217], this also means that such an ACL cannot be >> configured based solely on the MAC address of the nodes, diminishing >> the value of such ACL. On the other hand, different VLANs are often >> used to segregate users, then ACL can rely on a /64 prefix per VLAN >> rather than a per host ACL entry. > >"then ACL"? Either I don't understand the sentence, or you meant "the". > > >> 2.1.6. DHCP/DNS Considerations >> >> Many environments use DHCPv6 to allocate addresses to ensure >> audibility and traceability (but see Section 2.6.1.5). A main > >audit-ability > >> security concern is the ability to detect and mitigate against rogue >> DHCP servers (Section 2.3.2). > >I think you want to say "counteract" rather than "mitigate against". > >> 2.3.5. 3GPP Link-Layer Security >> >> The 3GPP link is a point-to-point like link that has no link-layer >> address. This implies there can only be an end host (the mobile >> hand-set) and the first-hop router (i.e., a GPRS Gatewat Support Node > >Gateway > >> 2.4. Control Plane Security >> >> RFC6192 [RFC6192] defines the router control plane and this >> definition is repeated here for the reader's convenience. > >Run-on sentence. Replace "and" with a period and capitalize the next word. > >> Modern router architecture design maintains a strict separation of >> forwarding and router control plane hardware and software. The >> router control plane supports routing and management functions. It >> is generally described as the router architecture hardware and >> software components for handling packets destined to the device >> itself as well as building and sending packets originated locally on >> the device. > >I'm having trouble parsing the above sentence... EVY>> copied ad verbatim from RFC 6192 ;-) Else, I agree with you > >> The forwarding plane is typically described as the >> router architecture hardware and software components responsible for >> >> >> >> Chittimaneni, et al. Expires September 22, 2016 [Page 11] >> Internet-Draft OPsec IPV6 March 2016 >> >> >> receiving a packet on an incoming interface, performing a lookup to >> identify the packet's IP next hop and determine the best outgoing >> interface towards the destination, and forwarding the packet out >> through the appropriate outgoing interface. > >I'm having trouble parsing the above as well. I'd suggest breaking it >into 2-3 sentences. EVY>> see above ;-) > >> 2.4.3. Packet Exceptions >> >> This class covers multiple cases where a data plane packet is punted >> to the route processor because it requires specific processing: >> ... >> o processing of the hop-by-hop extension header; > >May I suggest the authors comment on draft-ietf-6man-hbh-header-handling >as it progresses? Let's not let that and this conflict. > >> 2.6.1.1. Logs of Applications >> ... >> #!/usr/bin/perl ?w > >Should that be "-w"? > >> use strict ; >> use warnings ; >> use Socket ; >> use Socket6 ; >> >> my (@words, $word, $binary_address) ; >> >> ## go through the file one line at a time >> while (my $line = <STDIN>) { >> chomp $line; >> foreach my $word (split /[ \n]/, $line) { > >replace "[ \n]" with "\s+". \s includes any white space character, >including a space, a tab, \n, \r, and a couple of others. The "+" >specifies strings of one or more in length. EVY>> shame on me :-( You are right > >> $binary_address = inet_pton AF_INET6, $word ; >> if ($binary_address) { >> print inet_ntop AF_INET6, $binary_address ; >> } else { >> print $word ; >> } >> print " " ; >> } >> print "\n" ; >> } > > >> 2.7.1. Dual Stack >> >> Dual stack has established itself as the preferred deployment choice >> for most network operators without a MPLS core where 6PE RFC4798 > >without *an* MPLS core... > >> 2.7.3.2. NAT64/DNS64 >> >> Stateful NAT64 translation [RFC6146] allows IPv6-only clients to >> contact IPv4 servers using unicast UDP, TCP, or ICMP. It can be used >> in conjunction with DNS64 [RFC6147], a mechanism which synthesizes >> AAAA records from existing A records. >> >> The Security Consideration sections of [RFC6146] and [RFC6147] list >> the comprehensive issues. A specific issue with the use of NAT64 is >> that it will interfere with most IPsec deployments unless UDP >> encapsulation is used. DNS64 has an incidence on DNSSEC see section >> 3.1 of [RFC7050]. > >You might want to mention 6145, draft-bao-v6ops-rfc6145bis, and SIIT-DC. > >> 3.1. External Security Considerations: > >You mention having a firewall that only permits inbound traffic that >corresponds to an active session. Would RFC 6092 be worth mentioning in >that context? > >> 5. Residential Users Security Considerations > >Would RFC 6092 be worth mentioning in this context? EVY >> it is mentioned in this section >
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Mark Smith
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Gert Doering
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Mark Smith
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Erik Kline
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Fred Baker (fred)
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Mark Andrews
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Brian E Carpenter
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Gert Doering
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Marco Ermini
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Marco Ermini
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Gert Doering
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Marco Ermini
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Lorenzo Colitti
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Brian E Carpenter
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Brian E Carpenter
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Mark Smith
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Marco Ermini
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Marco Ermini
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Mark Smith
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Marco Ermini
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Brian E Carpenter
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Erik Kline
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Fred Baker (fred)
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Markus deBruen
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Sleigh, Robert
- [OPSEC] Asking for a review of draft-ietf-opsec-v… Eric Vyncke (evyncke)
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Fred Baker (fred)
- Re: [OPSEC] Asking for a review of draft-ietf-ops… Howard, Lee
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Mark Smith
- Re: [OPSEC] [v6ops] Asking for a review of draft-… Eric Vyncke (evyncke)