[secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Tue, 16 April 2013 20:43 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org" <draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org>
Thread-Topic: Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
Thread-Index: AQHOOuL82kKZssNyFEuJtkLLRgrBFg==
Date: Tue, 16 Apr 2013 20:43:00 +0000
Message-ID: <A95B4818FD85874D8F16607F1AC7C628B32E41@xmb-rcd-x09.cisco.com>

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I consider this document ready with issues described below.  

draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03 discusses issues with IPv6 running on networks that have incomplete security controls (firewall and IDS) for IPv6. It basically describes what you need to filter on to filter out IPv6 traffic and tunneling technologies. This seems like mostly useful information; however, it's not clear to me that, if you implement all the controls in the document, you would not still have a problem from IPv6 on a local link or IPv6 tunneled through some non-standard means. It seems the document should at least mention this risk in the security considerations, since hosts on these networks may be IPv6 enabled. One related issue I have seen is in end host configuration, where a host-based firewall is configured with IPv4 rules and left silent on IPv6, with varying results. I don't recall seeing any discussion of this in the document, but it might also be worth covering in security considerations.

Cheers,

Joe
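One way to check for the host-firewall asymmetry the review mentions (IPv4 rules present, IPv6 left silent), as an added example that is not part of this e-mail or of the draft: it parses constructed `iptables -S` / `ip6tables -S` style dumps and reports chains that are filtered for IPv4 but have an ACCEPT policy and no rules for IPv6. The sample dumps and the `audit` function are assumptions made for the example, not output from any real host.

```python
import re

# Constructed sample dumps (the `-S` listing form of iptables/ip6tables, not
# captured from a real host): IPv4 is locked down, IPv6 was never configured.
IPV4_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
"""
IPV6_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

POLICY_RE = re.compile(r"^-P\s+(\S+)\s+(\S+)$")   # -P CHAIN POLICY
RULE_RE = re.compile(r"^-A\s+(\S+)\s")            # -A CHAIN <match> -j <target>

def parse_dump(dump):
    """Return ({chain: policy}, {chain: number of -A rules}) for one dump."""
    policies, counts = {}, {}
    for line in dump.splitlines():
        if m := POLICY_RE.match(line.strip()):
            policies[m.group(1)] = m.group(2)
            counts.setdefault(m.group(1), 0)
        elif m := RULE_RE.match(line.strip()):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return policies, counts

def audit(ipv4_dump, ipv6_dump, chains=("INPUT", "FORWARD")):
    """Return chains filtered for IPv4 but wide open for IPv6.

    Filtered: DROP/REJECT policy or at least one rule. Open: ACCEPT policy
    and no rules at all, i.e. the "silent on IPv6" case.
    """
    v4p, v4c = parse_dump(ipv4_dump)
    v6p, v6c = parse_dump(ipv6_dump)
    findings = []
    for chain in chains:
        v4_filtered = v4p.get(chain) in ("DROP", "REJECT") or v4c.get(chain, 0) > 0
        v6_open = v6p.get(chain, "ACCEPT") == "ACCEPT" and v6c.get(chain, 0) == 0
        if v4_filtered and v6_open:
            findings.append(chain)
    return findings

if __name__ == "__main__":
    for chain in audit(IPV4_DUMP, IPV6_DUMP):
        print(f"{chain}: IPv4 filtered, IPv6 unfiltered (policy ACCEPT, no rules)")
```

On a real host the two dumps would come from `iptables -S` and `ip6tables -S`; an empty finding list only means the chain policies and rule counts are symmetric, not that the IPv6 rules are equivalent to the IPv4 ones.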