Re: [secdir] Security review of draft-shore-icmp-aup-06

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Thu, 14 November 2013 00:42 UTC

From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Melinda Shore <melinda.shore@nomountain.net>, Hilarie Orman <hilarie@purplestreak.com>
Thread-Topic: Security review of draft-shore-icmp-aup-06
Date: Thu, 14 Nov 2013 00:42:15 +0000
Message-ID: <3A1F8736-5E28-4841-BA01-61A602087FB3@cisco.com>
References: <201311130743.rAD7hqQg002177@sylvester.rhmr.com> <528335D6.2010109@nomountain.net>
In-Reply-To: <528335D6.2010109@nomountain.net>
Cc: The IESG <iesg@ietf.org>, "<draft-shore-icmp-aup@tools.ietf.org>" <draft-shore-icmp-aup@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Security review of draft-shore-icmp-aup-06

Thanks, Hilarie,

How's this updated Security Considerations?

5.  Security considerations

   This document attempts to describe a high-level policy for adding
   ICMP types and codes.  While special attention must be paid to the
   security implications of any particular new ICMP type or code, this
   recommendation presents no new security considerations.

   From a security perspective, ICMP plays a part in the Photuris
   protocol.  But more generally, ICMP is not a secure protocol, and
   does not include features to be used to discover network security
   parameters or to report on network security anomalies in the
   forwarding plane.


Thanks,

-- Carlos.

On Nov 13, 2013, at 3:18 AM, Melinda Shore <melinda.shore@nomountain.net> wrote:

> On 11/12/13 10:43 PM, Hilarie Orman wrote:
>> While there are ostensibly no new security considerations, it is
>> worthwhile noting that ICMP plays a part in the Photuris protocol and
>> was also used in SKIP (though that usage is deprecated).  In general,
>> I have some concern about using ICMP to discover network security
>> parameters or to report on network security anomalies in the
>> forwarding plane.
> 
> I hadn't been aware of its use in Photuris.  We'll get some
> text in there mentioning that, as well as some discussion of
> the problems you've mentioned with regard to reporting of
> security parameters/anomalies.  And now that you mention it
> that's actually a more general security problem.
> 
> Melinda
> 
> 
> -- 
> Melinda Shore
> No Mountain Software
> melinda.shore@nomountain.net
> 
> "Software longa, hardware brevis."