Re: [secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Wed, 17 April 2013 14:38 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
Thread-Index: AQHOOuL82kKZssNyFEuJtkLLRgrBFpjZzCYAgAEEcAA=
Date: Wed, 17 Apr 2013 14:38:48 +0000
Message-ID: <A95B4818FD85874D8F16607F1AC7C628B35843@xmb-rcd-x09.cisco.com>
References: <A95B4818FD85874D8F16607F1AC7C628B32E41@xmb-rcd-x09.cisco.com> <516DD980.10806@si6networks.com>
In-Reply-To: <516DD980.10806@si6networks.com>
Cc: "draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org" <draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03

On Apr 16, 2013, at 4:06 PM, Fernando Gont <fgont@si6networks.com> wrote:

> Hi, Joseph,
> 
> Thanks so much for your review! -- Please find my comments in-line....
> 
> On 04/16/2013 03:43 PM, Joseph Salowey (jsalowey) wrote:
>> draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03 discusses issues
>> with IPv6 running on networks that have incomplete security controls
>> (firewall and IDS) for IPv6.    It basically describes what you need
>> to filter on to filter out IPv6 traffic and tunneling technologies.
>> This seems like mostly useful information, however it's not clear to
>> me if you implement all the controls in the document if you would not
>> still have a problem from IPv6 on a local link 
> 
> This is discussed in the "native IPv6 section"
> 

[Joe] Yes.  I might have chosen to include a stronger statement about "you are not going to be able to filter out all IPv6 attacks" in the security considerations section, but the first paragraph pretty much says this.  

> 
>> or IPv6 tunneled
>> through some non-standard means.
> 
> How about adding this at the end of Section 3:
> 
> "We note that this document covers standardized IPv6 tunneling
> mechanisms, but does not aim to cover non-standard tunneling mechanisms
> nor that of IPsec-based or SSL/TLS-based tunneling of IPv6 packets".
> 

[Joe] OK

> ?
> 
> 
>> It seems the document should at
>> least mention this risk in the security considerations since hosts on
>> these networks may be IPv6 enabled.    One related issue I have seen
>> is in end host configuration where a host based firewall is
>> configured with IPv4 rules and left silent on IPv6 with varying
>> results.   I don't recall seeing any discussion of this in the
>> document, but it might also be worth covering in security
>> considerations as well.
> 
> Isn't this covered in the "native ipv6" section?

[Joe]  I was thinking of having some text that is a bit more host centric.   Currently the text reads more oriented towards network devices.  There is some discussion on disabling IPv6 in extreme circumstances.  Would it be useful to recommend that IP filters on IPv6 end hosts be configured to apply controls to IPv6 as well as IPv4 since there is a fair chance that the host's services may be listening on an IPv6 address as well?  

> 
> Thanks!
> 
> Best regards,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
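The host-firewall gap Joe raises above (IPv4 rules in place, IPv6 left at its default ACCEPT policy, while the same daemons listen on both families) can be checked mechanically. The audit script below is an added example, not part of this thread or of the draft under review; it runs over constructed `ss -ltn`, `iptables-save` and `ip6tables-save` text embedded inline, and assumes the address convention of recent iproute2 `ss`, where `0.0.0.0:p` is an IPv4 socket, `[::]:p` is an IPv6-only socket and `*:p` is a socket bound to `::` without `IPV6_V6ONLY` (so it accepts IPv4-mapped connections as well). The function and variable names are this example's own.

```python
"""Audit a dual-stack Linux host for services reachable over IPv6 that the
host firewall only filters on IPv4. All inputs below are constructed text,
not captures from a real host."""
import re

# Constructed `ss -ltn` output (assumed recent-iproute2 address convention).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       100     [::]:8080            [::]:*
"""

# Constructed iptables-save (IPv4): tight default-deny policy.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed ip6tables-save as it often looks on such a host: nobody wrote
# IPv6 rules, so the default ACCEPT policy admits everything.
IP6TABLES_SAVE_SILENT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed corrected ip6tables-save: the IPv4 decisions mirrored, plus
# ICMPv6, which must stay open because Neighbor Discovery depends on it.
IP6TABLES_SAVE_FIXED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

DPORT_RE = re.compile(r"--dports?\s+(\S+)")


def parse_listeners(ss_text):
    """Return (family, address, port) for every LISTEN socket in `ss -ltn`
    text. A '*:port' dual-stack socket is reported once per family."""
    listeners = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        port = int(port)
        if addr == "*":
            listeners.append(("ipv4", "0.0.0.0", port))
            listeners.append(("ipv6", "::", port))
        elif addr.startswith("["):
            listeners.append(("ipv6", addr.strip("[]"), port))
        else:
            listeners.append(("ipv4", addr, port))
    return listeners


def parse_filter(save_text):
    """Return (INPUT policy, ports with an explicit INPUT --dport rule) from
    the *filter table of an iptables-save / ip6tables-save dump."""
    policy, ports, in_filter = None, set(), False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            m = DPORT_RE.search(line)
            if m:
                ports.update(int(p) for p in m.group(1).split(","))
    return policy, ports


def audit(ss_text, v4_save, v6_save):
    """One finding per listener: does the firewall for its address family
    make any decision about it? 'UNFILTERED' = default ACCEPT and no rule."""
    tables = {"ipv4": parse_filter(v4_save), "ipv6": parse_filter(v6_save)}
    findings = []
    for family, addr, port in parse_listeners(ss_text):
        policy, ruled_ports = tables[family]
        if addr in ("127.0.0.1", "::1"):
            status = "loopback-only"
        elif port in ruled_ports:
            status = "explicit-rule"
        elif policy == "ACCEPT":
            status = "UNFILTERED"
        else:
            status = "default-" + policy.lower()
        findings.append({"family": family, "addr": addr, "port": port, "status": status})
    return findings


def unfiltered_ports(ss_text, v4_save, v6_save, family):
    """Sorted ports reachable on `family` with no firewall decision at all."""
    return sorted(f["port"] for f in audit(ss_text, v4_save, v6_save)
                  if f["family"] == family and f["status"] == "UNFILTERED")


if __name__ == "__main__":
    for label, v6 in (("silent", IP6TABLES_SAVE_SILENT), ("fixed", IP6TABLES_SAVE_FIXED)):
        print(f"ip6tables {label}: unfiltered IPv6 ports =",
              unfiltered_ports(SS_OUTPUT, IPTABLES_SAVE, v6, "ipv6"))
```

On the constructed host the "silent" IPv6 table leaves ports 22, 80 and 8080 open over IPv6 even though IPv4 is default-deny; with the mirrored table only 22 and 80 are reachable and 8080 falls to the DROP policy. Two practical notes: a daemon bound to `::` without `IPV6_V6ONLY` serves IPv4 through the same socket, so the absence of a `0.0.0.0:port` line does not mean the service is IPv4-unreachable; and on hosts using nftables, an `inet`-family table applies one rule set to both families, which removes the two-table drift this script looks for.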