Re: [secdir] SecDir review of draft-ietf-v6ops-64share-09
Vízdal Aleš <ales.vizdal@t-mobile.cz> Thu, 20 February 2014 09:55 UTC
Return-Path: <ales.vizdal@t-mobile.cz>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06BD31A0083 for <secdir@ietfa.amsl.com>; Thu, 20 Feb 2014 01:55:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Level:
X-Spam-Status: No, score=-0.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_CZ=0.445, HOST_EQ_CZ=0.904, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H9hqbjwUc8Gc for <secdir@ietfa.amsl.com>; Thu, 20 Feb 2014 01:55:35 -0800 (PST)
Received: from ctxmailhub.t-mobile.cz (ctxmailhub.t-mobile.cz [93.153.104.87]) by ietfa.amsl.com (Postfix) with ESMTP id E554B1A0063 for <secdir@ietf.org>; Thu, 20 Feb 2014 01:55:32 -0800 (PST)
From: Vízdal Aleš <ales.vizdal@t-mobile.cz>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Thu, 20 Feb 2014 10:55:23 +0100
Thread-Topic: SecDir review of draft-ietf-v6ops-64share-09
Thread-Index: Ac8uGGCXp2OwkdPOQ/uwlLfeYhot7AABtuwA
Message-ID: <1808340F7EC362469DDFFB112B37E2FCDA3256BD0B@SRVHKE02.rdm.cz>
References: <4FBFAE5F.8010305@gmail.com> <5304D298.7050101@gmail.com> <1808340F7EC362469DDFFB112B37E2FCDA3256BC44@SRVHKE02.rdm.cz> <5305C118.5040507@gmail.com>
In-Reply-To: <5305C118.5040507@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-loop: 2
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Forwarded
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/Lt0wlVP1IUzU1Z2u-n8LUwVmM4A
Cc: "draft-ietf-v6ops-64share.all@tools.ietf.org" <draft-ietf-v6ops-64share.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-v6ops-64share-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Feb 2014 09:55:38 -0000
Hi Yaron, Please see inline. > >> -----Original Message----- > >> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] > > [...] > > >> Summary > >> > >> The document is ready to progress. > >> > >> Details > >> > >> - I don't understand why the first scenario (sec. 4.2) is > even > >> useful, i.e. why allocate the /64 to the LAN (and not just > settle for > >> a link-local prefix) when the UE does not have an address > on the 3GPP > >> link, and so cannot route traffic to the Internet? > > > > This scenario is discussing a case where the 3GPP interface > assigned > > GUA prefix will be moved to the LAN link, the 3GPP link > will still be > > LLA numbered. > > So can Internet traffic from the LAN be routed through the > 3GPP link in this case? Yes, that's the intention. >It looks funny to me to have a default route with an LLA. If you do SLAAC, the on-link router will send you the RA message whose source IPv6 address will be LLA and will be also used as the default route. (as per Neighbor Discovery RFC) > If this is a small independent network with no Internet > routing, you don't really need a GUA prefix. The use-case is your mobile phone acting as a WiFi access point for your notebook while travelling or while being at home. There is a need for GUA for the tethered devices. (IPv4 approach would be private IPV4+NAT44) > >> - Despite the non-normative status of the document, I > think the > >> security considerations deserve stronger wording. I > suggest to > >> replace "shall be considered" by "SHOULD be applied". > > > > OK, we will consider it. > > > >> - I would suggest that the security considerations also > mention the > >> privacy implications of having a (typically) small number > of devices, > >> all within a single unchanging network prefix. I *believe* > this is > >> behind the discussion of RFC 4941 is Sec. 4.3, but I would > rather > >> have the threat spelled out. > > > > OK, the lifetime of a prefix is bound to the lifetime of > the network > > attach (context), once the device (UE) re-attaches a new > prefix will > > be assigned by the network. This solution shall be > understood as an > > interim one bridging the gap till DHCP-PD will be widely > available. > > This "interim" period can be a few years, and in the meantime > we have a large privacy issue here. Does the provider > normally enforce periodic reassignment of the network prefix? > Otherwise I can see prefixes remaining valid for months (for > small routers of course, not for phones). You're right, the interim solutions tend to become permanent. Some networks do, some don't. Please note that the mobile phones are getting a /64 these days, so the potential privacy issue is already there, we're just extending the same /64 to a small LAN. A user may re-load the device to get a new prefix if their network is not enforcing a new prefix every n hours. > >> Thanks, > >> Yaron Cheers, Ales
- [secdir] SecDir review of draft-camarillo-rai-med… Yaron Sheffer
- Re: [secdir] SecDir review of draft-camarillo-rai… Gonzalo Camarillo
- Re: [secdir] SecDir review of draft-camarillo-rai… Gonzalo Camarillo
- [secdir] SecDir review of draft-yegin-pana-encr-a… Yaron Sheffer
- [secdir] SecDir review of draft-ietf-krb-wg-kerbe… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-krb-wg-k… Sean Turner
- Re: [secdir] SecDir review of draft-ietf-krb-wg-k… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-krb-wg-k… Stephen Farrell
- Re: [secdir] SecDir review of draft-ietf-krb-wg-k… Sam Hartman
- Re: [secdir] SecDir review of draft-ietf-krb-wg-k… Tom Yu
- [secdir] SecDir and AppsDir review of draft-ietf-… Alexey Melnikov
- Re: [secdir] SecDir and AppsDir review of draft-i… Alexey Melnikov
- [secdir] Use of StringPrep/Unicode (was Re: SecDi… Alexey Melnikov
- Re: [secdir] Use of StringPrep/Unicode (was Re: S… Alexey Melnikov
- Re: [secdir] SecDir and AppsDir review of draft-i… Mallikarjun Chadalapaka
- Re: [secdir] SecDir and AppsDir review of draft-i… Mallikarjun Chadalapaka
- Re: [secdir] Use of StringPrep/Unicode (was Re: S… Black, David
- Re: [secdir] Use of StringPrep/Unicode (was Re: S… Black, David
- Re: [secdir] SecDir and AppsDir review of draft-i… Black, David
- Re: [secdir] SecDir and AppsDir review of draft-i… Alexey Melnikov
- Re: [secdir] SecDir and AppsDir review of draft-i… Mallikarjun Chadalapaka
- Re: [secdir] SecDir and AppsDir review of draft-i… Alexey Melnikov
- [secdir] SecDir review of draft-ietf-6renum-enter… Yaron Sheffer
- [secdir] SecDir repeat review of draft-ietf-6renu… Yaron Sheffer
- [secdir] SecDir review of draft-ietf-rtgwg-ipfrr-… Yaron Sheffer
- [secdir] SecDir review of draft-ietf-clue-telepre… Yaron Sheffer
- [secdir] SecDir review of draft-ietf-v6ops-64shar… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-v6ops-64… Vízdal Aleš
- Re: [secdir] SecDir review of draft-ietf-v6ops-64… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-v6ops-64… Vízdal Aleš