Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13
"Smith, Donald" <Donald.Smith@CenturyLink.com> Mon, 02 July 2018 20:14 UTC
Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CF5713129E; Mon, 2 Jul 2018 13:14:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxznrPVvtCJL; Mon, 2 Jul 2018 13:14:21 -0700 (PDT)
Received: from lxomp52w.centurylink.com (lxomp52w.centurylink.com [155.70.50.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D0C01312EB; Mon, 2 Jul 2018 13:14:18 -0700 (PDT)
Received: from lxdnp04n.corp.intranet (emailout.qintra.com [151.119.92.83]) by lxomp52w.centurylink.com (8.14.8/8.14.8) with ESMTP id w62KEGGJ000883 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 2 Jul 2018 15:14:17 -0500
Received: from lxdnp04n.corp.intranet (localhost [127.0.0.1]) by lxdnp04n.corp.intranet (8.14.8/8.14.8) with ESMTP id w62KEBuq020935; Mon, 2 Jul 2018 14:14:11 -0600
Received: from lxdnp32k.corp.intranet (lxdnp23m.corp.intranet [151.119.92.134]) by lxdnp04n.corp.intranet (8.14.8/8.14.8) with ESMTP id w62KEBP7020931 (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NO); Mon, 2 Jul 2018 14:14:11 -0600
Received: from lxdnp32k.corp.intranet (localhost [127.0.0.1]) by lxdnp32k.corp.intranet (8.14.8/8.14.8) with ESMTP id w62KEBJM055830; Mon, 2 Jul 2018 14:14:11 -0600
Received: from vddcwhubex501.ctl.intranet (vddcwhubex501.ctl.intranet [151.119.128.28]) by lxdnp32k.corp.intranet (8.14.8/8.14.8) with ESMTP id w62KEBMM055827 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 2 Jul 2018 14:14:11 -0600
Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex501.ctl.intranet ([151.119.128.28]) with mapi id 14.03.0339.000; Mon, 2 Jul 2018 14:14:11 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: Tim Chown <tim.chown@jisc.ac.uk>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Thread-Topic: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13
Thread-Index: AQHUEi2KzBjHl60AmkiB+/z/svyR46R8RkUe
Date: Mon, 02 Jul 2018 20:14:10 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D53DE8559@PDDCWMBXEX503.ctl.intranet>
References: <153055392479.16095.569198674604354407@ietfa.amsl.com>
In-Reply-To: <153055392479.16095.569198674604354407@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [151.119.128.8]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/s6kNjRcCmMRzthuUZMOqR706pbE>
Subject: Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 20:14:32 -0000
Before approval, all the URIs should be checked, for example the cymru link is broken. Routing security talks exclusively to OSFPv3 which isn't in common use externally today, BGP would be a better choice. 2.1.1 This: There are many scanning techniques and more to come possible, hence, operators should never relly on the 'impossible to find because my address is random' paradigm. Should probably be this: There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'impossible to find because my address is random' paradigm. Or adding Tom's suggestion: There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'security by obscurity' paradigm. Maybe it doesn't belong there but this appears to be a potential new smurf amplification vector. "Another way works only for local network, it consists in sending a ICMP ECHO_REQUEST to the link-local multicast address ff02::1 which is all IPv6 nodes on the network. All nodes should reply to this ECHO_REQUEST per [RFC4443]." But maybe that belongs in 4443 or some other draft? I feel some mention of anycast used for DDoS Reflection and Amplification (RA) should be included (again might be out of scope)? Metric System < +000 > -000 Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto Donald.Smith@centurylink.com ________________________________________ From: OPSEC [opsec-bounces@ietf.org] on behalf of Tim Chown [tim.chown@jisc.ac.uk] Sent: Monday, July 02, 2018 11:52 AM To: ops-dir@ietf.org Cc: opsec@ietf.org; draft-ietf-opsec-v6.all@ietf.org Subject: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13 Reviewer: Tim Chown Review result: Not Ready Hi, I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. This draft analyses operational security issues related to the deployment of IPv6, and describes appropriate mechanisms and practices to mitigate potential threats. The document is Not Ready for publication. General comments: The draft is well written, and the authors are clearly experts in the area, but the evolution of 13 versions of the draft since WG adoption in 2012 means the draft is somewhat disjoint, and has a number of sections where current best practices and related RFCs are not included. A prime example is in the area of address configuration. There are seven pages on transition technologies; might that be better homed in a -bis of RFC 4942? The sections on control plane and routing (2.4, 2.5) are somewhat generic to IPv4 and IPv6; there is very little IPv6-specific information in there. While this isn't bad per se, it pads the length of the document somewhat without much new material. There are many typos and grammatical errors throughout the document. Specific comments: p.3 "subtle differences between IPv4 and IPv6" - I don't think L2 vs L3 resolution, ND vs ARP, is that subtle? Do we need to mention NPTv6 here? p.4 Mention 6renum and the gaps draft it produced (RFC 7010)? The recommendation to use PI for a larger network implicitly means no NPTv6? Any value in adding a note about the size of prefix an ISP offers? (6177, etc) That affects how the network is configured. Where is topology discovery / probing mentioned? Cite RFC 4864? p.5 I think the phrase in para 1 is "security by obscurity". I would argue that that can complement other security, but must not be depended upon! Para 2 - or do both! p.6 Section 2.1.3 - and ND cache exhaustion protection Section 2.1.4 - "Normal" SLAAC no longer relies on EUI-64 from MAC addresses - now RFC 8064 recommends the RFC 7217 version of SLAAC. This whole section is written in a jumbled order. There should be a separate section on address accountability - whether it's needed in a given scenario, and where it is, how best to achieve it - there's bits of this scattered around in many places, but it's independent of privacy addressing. Para 3 - see section 2.1.7. p.7 first line - you can't always control managed vs unmanaged of course; a university eduroam WiFi is unmanaged, generally, where admin systems probably are managed. second para - these are just hints; and for a host not supporting DHCPv6, it gets no address at all. Perhaps also mention SAVI here. Section 2.1.6 - Should mentioned DHCPv6 anonymity profile - RFC 7824 and RFC 7844. RFC 7934 suggests not using DHCPv6 in certain circumstances as a result. Also RFC 7077 recommends to not issue DHCPv6 addresses sequentially from a small pool. Section 2.1.7 - note RFC 8273 is designed for shared environments, and isolation is a primary goal; add reference to RFC 7934. p.8 Perhaps check against text in draft-ietf-6man-rfc6434-bis-08 in section 5.2, and the excessive EH option processing text in 5.3 there. p.9 Section 2.2.4 - worth adding RFC 8221 and RFC 8247? Section 2.3 - split out the NS/NA messaging here from ND in general, else you should include SLAAC. Given you discuss SLAAC later, focus on NS/NA here in its own subsection? p.10 Spurious DHCP-Shield wording at end of para 2. Section 2.3.2 - mention ND cache exhaustion p.11 Rate limit also on ICMP messages? Perhaps separate out the power drain issue as a threat? RFC 7772 is relevant here. The two drafts cited here by thubert and chakrabarti died in 2012 and 2015 respectively? Maybe RFC 6775 instead? Section 2.3.3 - or just supply a 'bad' DNS resolver address p.12 After para 3 emphasise still need RAs in a DHC environment for default router and on-link prefix(es) p.13 A lot of text on something hardly used? p.14 - 20 Lots of generic text applicable to IPv4 too? p.16 Replace RFC 2460 with RFC 8200? p.17 There is now draft-ietf-6man-rfc6434-bis-08 p.20 What's required to differentiate logging of different IP versions? Value in mentioning RFC 8096? Or YANG modules (as per Section 16 of draft-ietf-6man-rfc6434-bis-08) p.21 And RESTCONF? Windows 7? At bottom, "was usually done in the IPv4 era" -> "is commonly used in IPv4 networking" p.22 "era" again. Mention DHCPv6 anonymity profiles - RFC 7844 P.23 Forensics - that's *one* way - can e.g. use a NMS; one that harvests network device data via SNMP; many open source options available. p.24 Mostly duplicating RFC 7077. Section 2.6.2.3 - rfer to RFC 5952, or se Sec 2.6.1.1 p.26 Perhaps be consistent with rather than maintain parity? p.29 6to4...? p.31 Last para is very handwavey! Device OSes are more secure these days to work in IPv4 hotspots too? p.33 A campus enterprise is different - BYOD vs managed, esp. wifi/eduroam, or Science DMZ networks; perhaps mention RFC 7381, esp. sections 2.4, 3.2 and 4.1? p.35 last para - better to omit, I think? _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
- [OPSEC] Opsdir early review of draft-ietf-opsec-v… Tim Chown
- Re: [OPSEC] Opsdir early review of draft-ietf-ops… Smith, Donald
- Re: [OPSEC] Opsdir early review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [OPSEC] Opsdir early review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [OPSEC] Opsdir early review of draft-ietf-ops… Tim Chown