IETF Logo Mail Archive

Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6

otroan@employees.org Tue, 18 April 2017 11:44 UTC

Return-Path: <otroan@employees.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 806F212EAF6; Tue, 18 Apr 2017 04:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=employees.org; domainkeys=pass (1024-bit key) header.from=otroan@employees.org header.d=employees.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kip--Hzj8hW3; Tue, 18 Apr 2017 04:44:47 -0700 (PDT)
Received: from esa01.kjsl.com (esa01.kjsl.com [IPv6:2607:7c80:54:3::87]) by ietfa.amsl.com (Postfix) with ESMTP id 8C3A8129481; Tue, 18 Apr 2017 04:44:47 -0700 (PDT)
Received: from cowbell.employees.org ([198.137.202.74]) by esa01.kjsl.com with ESMTP; 18 Apr 2017 11:44:47 +0000
Received: from cowbell.employees.org (localhost [127.0.0.1]) by cowbell.employees.org (Postfix) with ESMTP id 1DBD9D788B; Tue, 18 Apr 2017 04:44:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h=from :message-id:content-type:mime-version:subject:date:in-reply-to :cc:to:references; s=selector1; bh=yhQgaSTwtKWUDSSleodGkfbxePY=; b= q13bhEs4npatv82KBDKrd+CmsB4qAm2xEDT/miLKv5zZPq+efZFWoSQE3LPUSZtm Kma76DIh95shECkDY+lDG5eKKCJWeqWnKTk2dwBVTOAjtAKAS/spy1pWVNaJbdAH TQJaT+Jvh/WM8MhbIBLxk8Yck5oUeQWkQdRCEoz3utg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h=from :message-id:content-type:mime-version:subject:date:in-reply-to :cc:to:references; q=dns; s=selector1; b=r6rflq/j3c7N1irgYXSwB8Q ZiMCn5IulXjW8OpwoIR2L6PkCXY8NjcbX5cs5mVoW/tFUr1gEyrpAo+PxAiQ1iC4 nu3NPqbLxiZLGPL0VC+W4s7hAgbEbvX7IFgPE5cxKK/yizpJNNvxwW3lTDB+shqW GvwmQTBcRs4HrKgm0JSQ=
Received: from h.hanazo.no (96.51-175-103.customer.lyse.net [51.175.103.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: otroan) by cowbell.employees.org (Postfix) with ESMTPSA id 63663D788A; Tue, 18 Apr 2017 04:44:46 -0700 (PDT)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by h.hanazo.no (Postfix) with ESMTP id DD2F8AA3FB43; Tue, 18 Apr 2017 13:44:44 +0200 (CEST)
From: otroan@employees.org
Message-Id: <20391B01-0677-4E55-B83F-B517A32B7066@employees.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_7D6D9090-7387-493C-9B2C-DAE1936B11BC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 18 Apr 2017 13:44:44 +0200
In-Reply-To: <1491877d-b445-af79-1f44-2e5507054a92@si6networks.com>
Cc: opsec@ietf.org, Gunter Van De Velde <guntervandeveldecc@icloud.com>, "v6ops@ietf.org Operations" <v6ops@ietf.org>, 6man@ietf.org
To: Fernando Gont <fgont@si6networks.com>
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <097C5D0E-5708-4CE4-989A-0174B11D1B25@employees.org> <1491877d-b445-af79-1f44-2e5507054a92@si6networks.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/wZnMfGz2f-GgEXUeljyTctLXK7I>
Subject: Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 11:44:49 -0000

> 
> On 18 Apr 2017, at 13:10, Fernando Gont <fgont@si6networks.com> wrote:
> 
> On 04/18/2017 09:18 AM, otroan@employees.org wrote:
>> A few initial comments. Draft is not quite ready.
>> 
>> Section 2.1.3:
>> 6164 does not _recommend_ /127 it _permits_ /127 on p2p links.
> 
> Agreed on this.
> 
> 
>> The ping pong attack is mitigated in RFC4443.
> 
> I must be missing something.. what does RFC4443 have to do with this? A
> ping pong attack does not require the attack packets to be ICMPv6 echo
> requests...

https://tools.ietf.org/html/rfc4443#section-3.1 <https://tools.ietf.org/html/rfc4443#section-3.1>
  One specific case in which a Destination Unreachable message is sent
  with a code 3 is in response to a packet received by a router from a
  point-to-point link, destined to an address within a subnet assigned
  to that same link (other than one of the receiving router's own
  addresses).  In such a case, the packet MUST NOT be forwarded back
  onto the arrival link.

Most implementations I'm aware of now implement this.

>> I am not convinced there is justification that this document should recommend /127 for "security reasons".
> 
> Besides ping-pong, there's NCE. While I do agree that the real solution
> to the above two issues is *not* to use a /127, this document being an
> operational one, I can see why the authors may want to recommend /127.

Neighbour cache exhaustion has to be mitigated anyway.
On router-router links that's a relatively simple problem compared to links with hosts.
I'm still not convinced that /127 should be recommended over any of the other addressing models for router to router links.
/64, link-local only, /128s.

>> Section 2.2:
>> I am not sure that extension headers are one of the most critical differentiators between IPv4 and IPv6. IPv4 had variable length options...
> 
> The packet structure does make a big difference. For instance, it's
> trivial to find (in IPv4-based packets) the upper layer protocol type
> and protocol header, while in IPv6 it actually isn't.

It isn't supposed to be.

>> Section 2.3.2:
>> Consider Secure DHCPv6?
> 
> Question: is that doable? (i.e., widely supported)

You expect this document to have a short lifetime?
(Which I guess is the exact problem of publishing this type of advice as an IETF RFC).

>> Section 3.1:
>> In general update references. e.g. ipv6-eh-filtering is outdated.
>> I question referencing opsec-ipv6-eh-filtering. It has wrong and outdated advice. E.g. on section of HBH header.
>> The advice in ipv6-eh-filtering is essentially to ossify the network.
> 
> Have you read the I-D? Because the I-D boils down to: "pass all EHs
> unless they are known to be very harmdful".

Hmm, I see the latest opsec version has put this right, thanks.
I must have read the earlier individual draft, cause that said "should drop HBH".

Best regards,
Ole

v2.23.0 | Report a Bug | By Email