Re: [secdir] Discussion from the Security Directorate
Fred Baker <fred@cisco.com> Thu, 30 July 2009 12:03 UTC
To: Tina TSOU <tena@huawei.com>
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, Joel Jaeggli <joelja@bogus.com>, 6man-ads@tools.ietf.org, secdir@ietf.org, behave-ads@tools.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>, Joe Abley <jabley@ca.afilias.info>, Tina <tina@huawei.com>, Softwire Chairs <softwire-chairs@tools.ietf.org>, v6ops-ads@tools.ietf.org, softwire-ads@tools.ietf.org, Behave Chairs <behave-chairs@tools.ietf.org>
additional drafts:

http://tools.ietf.org/html/draft-despres-6rd
  "IPv6 Rapid Deployment on IPv4 infrastructures (6rd)", Remi Despres,
  7-Apr-09, <draft-despres-6rd-03.txt>

http://tools.ietf.org/html/draft-despres-sam
  "Scalable Multihoming across IPv6 Local-Address Routing Zones
  Global-Prefix/Local-Address Stateless Address Mapping (SAM)", Remi
  Despres, 13-Jul-09, <draft-despres-sam-03.txt>

http://tools.ietf.org/html/draft-despres-6rd
  "IPv6 Rapid Deployment on IPv4 infrastructures (6rd)", Remi Despres,
  7-Apr-09, <draft-despres-6rd-03.txt>

http://tools.ietf.org/html/draft-despres-sam
  "Scalable Multihoming across IPv6 Local-Address Routing Zones
  Global-Prefix/Local-Address Stateless Address Mapping (SAM)", Remi
  Despres, 13-Jul-09, <draft-despres-sam-03.txt>

http://tools.ietf.org/html/draft-denis-behave-v4v6exthdr
  "IPv6 destination header option for IPv4 translator mapping
  notification", Remi Denis-Courmont, 9-Mar-09,
  <draft-denis-behave-v4v6exthdr-01.txt>

http://tools.ietf.org/html/draft-ietf-behave-v6v4-framework
  "Framework for IPv4/IPv6 Translation", Fred Baker, Xing Li, Congxiao
  Bao, Kevin Yin, 6-Jul-09, <draft-ietf-behave-v6v4-framework-00.txt>

http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate
  "IP/ICMP Translation Algorithm", Xing Li, Congxiao Bao, Fred Baker,
  26-Jun-09, <draft-ietf-behave-v6v4-xlate-00.txt>

http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-stateful
  "NAT64: Network Address and Protocol Translation from IPv6 Clients to
  IPv4 Servers", Marcelo Bagnulo, Philip Matthews, Iljitsch van Beijnum,
  11-Jul-09, <draft-ietf-behave-v6v4-xlate-stateful-01.txt>

http://tools.ietf.org/html/draft-ietf-behave-dns64
  "DNS64: DNS extensions for Network Address Translation from IPv6
  Clients to IPv4 Servers", Marcelo Bagnulo, Andrew Sullivan, Philip
  Matthews, Iljitsch van Beijnum, 4-Jul-09,
  <draft-ietf-behave-dns64-00.txt>

http://tools.ietf.org/html/draft-xli-behave-ivi
  "The CERNET IVI Translation Design and Deployment for the IPv4/IPv6
  Coexistence and Transition", Xing Li, Congxiao Bao, Maoke Chen, Hong
  Zhang, Jianping Wu, 13-Jun-09, <draft-xli-behave-ivi-02.txt>

http://tools.ietf.org/html/draft-wu-softwire-4over6
  "4over6 Transit Solution using IP Encapsulation and MP-BGP
  Extensions", Jianping Wu, Yong Cui, Xing Li, Mingwei Xu, Chris Metz,
  14-Apr-09, <draft-wu-softwire-4over6-02.txt>

On Jul 30, 2009, at 1:56 PM, Fred Baker wrote:

> who is "we"?
>
> I would suggest that you make your request to the chairs of the
> various working groups doing the work. These include 6man
> (designated custodian of all things IPv6 and therefore of RFCs 3053,
> 3056, 4213, and 5214), behave (translation), and softwire (tunnels).
>
> On Jul 29, 2009, at 8:45 PM, Tina wrote:
>
>> Hi again:)
>> Some clarifications for the slides.
>>
>> a. security assessment, to evaluate the security of a transition
>> technology. What aspects do we need to judge and consider?
>> b. function recommendation, to reduce the security threat of some
>> kind of transition technology. When deploying this technology, what
>> functionalities should the device need to have?
>>
>> B. R.
>> Tina
>> http://tinatsou.weebly.com/contact.html
>>
>> On Jul 29, 2009, at 5:23 PM, Tina wrote:
>>
>>> Hi Fred and David,
>>> The slides were sent to OPS ADs, and we discussed it a bit in
>>> OPS-DIR work lunch on Monday. According to the suggestion from
>>> Dan, I forwarded the slides to the WG chairs of v6ops and opsec.
>>>
>>> Then Fred forwarded to SEC-DIR.
>>>
>>> I mentioned Fred's email during SEC-DIR work lunch on Tuesday.
>>> There was discussion.
>>>
>>> I went to Tuesday v6ops session before my slides were taken. Then
>>> I left for some personal emergency reasons. Therefore I was not
>>> able to present the slides. But Fred did it.
>>>
>>> The slides will be presented in OPS Area Opening meeting in the
>>> Large Stage between 15:10 to 16:10.
>>>
>>> B. R.
>>> Tina
>>> http://tinatsou.weebly.com/contact.html
>>>
>>> On Jul 29, 2009, at 5:04 PM, Fred Baker wrote:
>>>
>>>> It was presented to the ops directorate as "from the security
>>>> directorate" on Monday, and shipped off to my working group.
>>>>
>>>> OK, Tina, over to you...
>>>>
>>>> On Jul 29, 2009, at 11:30 AM, David Harrington wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a question.
>>>>> I am a member of the Security Directorate, and I do not remember
>>>>> any discussion leading to this powerpoint presentation or
>>>>> request. I may have missed a SECDIR session. I didn't find
>>>>> discussion of this powerpoint presentation in the secdir
>>>>> archives prior to this week.
>>>>>
>>>>> Is this a "Discussion from the Security Directorate"? If so,
>>>>> when was this discussed? Has the SECDIR reviewed this powerpoint
>>>>> slide deck and approved it being sent to working groups?
>>>>>
>>>>> David Harrington
>>>>> dbharrington@comcast.net
>>>>> ietfdbh@comcast.net
>>>>> dharrington@huawei.com
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: secdir-bounces@ietf.org
>>>>>> [mailto:secdir-bounces@ietf.org] On Behalf Of Fred Baker
>>>>>> Sent: Tuesday, July 28, 2009 10:49 PM
>>>>>> To: Joel Jaeggli
>>>>>> Cc: 6man Chairs; 6man-ads@tools.ietf.org; secdir@ietf.org;
>>>>>> Kurt Erik Lindqvist; Joe Abley; Softwire Chairs;
>>>>>> v6ops-ads@tools.ietf.org; softwire-ads@tools.ietf.org; Tina
>>>>>> TSOU; behave-ads@tools.ietf.org; Behave Chairs
>>>>>> Subject: Re: [secdir] Discussion from the Security Directorate
>>>>>>
>>>>>> I'm not arguing against the request. I'm asking what it is
>>>>>> requesting, as I have no idea...
>>>>>>
>>>>>> I think I know what a threat analysis is.
>>>>>>
>>>>>> What is a "security assessment" apart from a "threat
>>>>>> assessment"? I told v6ops (which does not develop transition
>>>>>> technologies, by charter, and therefore is the absolute wrong
>>>>>> place to send this) that I thought it might mean an assessment
>>>>>> of how we might mitigate the threats. Absent any answers from
>>>>>> the Security Directorate responsive to the question, I have no
>>>>>> idea whether I was correct.
>>>>>>
>>>>>> And what on God's Green Earth is a "function recommendation"? I
>>>>>> have no idea what you want.
>>>>>>
>>>>>> Nobody from the Security Directorate was there today to deliver
>>>>>> the message. If I were developing a threat assessment of that
>>>>>> protocol... let's see: delivered to the wrong WG by someone who
>>>>>> didn't know what the message was supposed to be using slides he
>>>>>> didn't understand and the security directorate didn't take the
>>>>>> time to explain...
>>>>>>
>>>>>> On Jul 27, 2009, at 2:08 PM, Joel Jaeggli wrote:
>>>>>>
>>>>>>> I'd probably tune the slides a bit still:
>>>>>>>
>>>>>>> Security problems show up in deployment and use, these cannot
>>>>>>> be thought out at all when designing the protocols
>>>>>>>
>>>>>>> Is an assertion you'll get pushback on. we have significant
>>>>>>> operational experience with variations on many of the proposed
>>>>>>> or deployed transition mechanisms. necessarily that experience
>>>>>>> informs both our current thinking and the desirability of any
>>>>>>> particular approach.
>>>>>>>
>>>>>>> bump in the wire type transition technologies certainly are an
>>>>>>> area potential concern for opsec
>>>>>>>
>>>>>>> Fred Baker wrote:
>>>>>>>> Thanks, Tina. I will add this to the IPv6 Operations agenda,
>>>>>>>> probably during our second session Tuesday.
>>>>>>>>
>>>>>>>> You will note that I am copying the chairs and ADs from
>>>>>>>> several working groups. The reason is that the primary thrust
>>>>>>>> of the comments you are making apply to work being done in
>>>>>>>> those working groups. Slide 5 specifically requests a threat
>>>>>>>> analysis, security assessment, and "function recommendation"
>>>>>>>> on each transition technology; these are in fact being done
>>>>>>>> in behave and softwires. I mention 6man because marketing
>>>>>>>> blather from the IPv6 form makes security claims for IPv6,
>>>>>>>> which it would be good if that working group clarified.
>>>>>>>>
>>>>>>>> I do have to ask specifically what the Security Directorate
>>>>>>>> hopes to find in the three documents that have been requested
>>>>>>>> for each of these various technologies. What, specifically,
>>>>>>>> is a "function recommendation"? A threat analysis is a
>>>>>>>> statement that there exist a set of possible threats. Is a
>>>>>>>> security assessment a statement about how those threats are
>>>>>>>> responded to? What, if the WGs don't produce it, is going to
>>>>>>>> leave the Security Directorate feeling ill-used?
>>>>>>>>
>>>>>>>> On Jul 27, 2009, at 12:56 PM, Tina TSOU wrote:
>>>>>>>>
>>>>>>>>> B. R.
>>>>>>>>> http://tinatsou.weebly.com/contact.html
>>>>>>>>>
>>>>>>>>> Begin forwarded message:
>>>>>>>>>
>>>>>>>>>> From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
>>>>>>>>>> Date: July 27, 2009 7:52:20 AM GMT+02:00
>>>>>>>>>> To: Ron Bonica <rbonica@juniper.net>
>>>>>>>>>> Cc: Tina TSOU <tena@huawei.com>
>>>>>>>>>> Subject: FW: [OPS-DIR] Reminder: OPS-DIR working lunch
>>>>>>>>>>
>>>>>>>>>> Ron,
>>>>>>>>>>
>>>>>>>>>> This looks more like an opsec (who are not meeting this
>>>>>>>>>> time) or v6ops subject.
>>>>>>>>>>
>>>>>>>>>> Dan
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Tina TSOU [mailto:tena@huawei.com]
>>>>>>>>>> Sent: Monday, July 27, 2009 12:02 AM
>>>>>>>>>> To: Romascanu, Dan (Dan)
>>>>>>>>>> Subject: Re: [OPS-DIR] Reminder: OPS-DIR working lunch
>>>>>>>>>>
>>>>>>>>>> Hi Dan,
>>>>>>>>>> Could this be discussed at OPS-DIR working lunch?
>>>>>>>>> <Recommendation of IPv6 Security work--on the flight-2.ppt>
>>>>>>>>> <ATT4180184.txt>
>>>>>>
>>>>>> _______________________________________________
>>>>>> secdir mailing list
>>>>>> secdir@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/secdir