Re: [secdir] [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Mon, 07 January 2019 19:58 UTC

Return-Path: <prvs=19105d24b1=jordi.palet@consulintel.es>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7474D12008A; Mon, 7 Jan 2019 11:58:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3FzzF1Dh1qEn; Mon, 7 Jan 2019 11:58:18 -0800 (PST)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6404124C04; Mon, 7 Jan 2019 11:58:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1546891094; x=1547495894; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:CC:Message-ID:Thread-Topic:References: In-Reply-To:Mime-version:Content-type:Content-transfer-encoding; bh=L4E9job2HdDnkFUeE2oXTo/ELS7SU5jTi299G1MwtjA=; b=QHpjO8l/AxPRi GvPmmO4ROhLZFBizW3gMrR9Zm19h4S5tDGUbacABlFhg0Ym1a+lbfs/fTzlWfX66 HcWNjStYWizFKtUV0gV/MH4GwhadnP+goY5SPytnKxmW1k8XmfelpbZr4Ag9GbpN XN70cB7AsVJLnf8x6V9eRy6XqPZppE=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Mon, 07 Jan 2019 20:58:14 +0100
X-Spam-Processed: mail.consulintel.es, Mon, 07 Jan 2019 20:58:14 +0100
Received: from [10.10.10.131] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50006100772.msg; Mon, 07 Jan 2019 20:58:13 +0100
X-MDRemoteIP: 2001:470:1f09:495:707a:ed9e:3096:7905
X-MDHelo: [10.10.10.131]
X-MDArrival-Date: Mon, 07 Jan 2019 20:58:13 +0100
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=19105d24b1=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
User-Agent: Microsoft-MacOutlook/10.10.5.181209
Date: Mon, 07 Jan 2019 20:58:10 +0100
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: "STARK, BARBARA H" <bs7652@att.com>, 'Christian Huitema' <huitema@huitema.net>
CC: "v6ops@ietf.org" <v6ops@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <F3B1CC63-AF3F-4E13-B03B-FD596113CC44@consulintel.es>
Thread-Topic: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12
References: <154684244329.17044.2866311660755291596@ietfa.amsl.com> <CD5A6FC1-77A1-42F8-83F6-86581F11E838@consulintel.es> <8E63971A-FEB2-4AB4-BED5-0FEBC8D6949D@consulintel.es> <B0031737-005E-4AF9-9C0C-4A2A5774F73C@huitema.net> <2D09D61DDFA73D4C884805CC7865E6114DF86BB4@GAALPA1MSGUSRBF.ITServices.sbc.com>
In-Reply-To: <2D09D61DDFA73D4C884805CC7865E6114DF86BB4@GAALPA1MSGUSRBF.ITServices.sbc.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Xk8WHPqxhLxMJ_awxoZJOmQ1vMM>
Subject: Re: [secdir] [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 19:58:22 -0000

Hi Barbara,

I agree with your regarding the WPA, not sure to understand the point from Christian.

If a local device is compromised, that happens in the LANs and this will only affect the CE, if the "virus" or "bot" or whatever is able to compromise the CE configuration and then replace some of the settings done by the provisioning system.

This is something that may happen regardless of using DHCP in the WAN or other protocols.

I recall having seen some TR-069 mechanism (maybe it was proprietary) to provide something related to access control security, but if it is not standard, I will remove it. Let's see if someone in the list can provide some info and I will also try to recall what was in the case I've in mind.

Regards,
Jordi
 
 

-----Mensaje original-----
De: ietf <ietf-bounces@ietf.org>; en nombre de "STARK, BARBARA H" <bs7652@att.com>;
Fecha: lunes, 7 de enero de 2019, 20:20
Para: 'Christian Huitema' <huitema@huitema.net>;, JORDI PALET MARTINEZ <jordi.palet@consulintel.es>;
CC: "v6ops@ietf.org"; <v6ops@ietf.org>;, "ietf@ietf.org"; <ietf@ietf.org>;, "secdir@ietf.org"; <secdir@ietf.org>;
Asunto: RE: [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

    > From: v6ops <v6ops-bounces@ietf.org>; On Behalf Of Christian Huitema
    ...
    > I am not so sure about 802.1x. The routers could of course support a setting
    > like that of the IETF network, and that would have some advantage over
    > WPA residential, but it would not address an important threat: local device
    > compromised by some virus and engaging in DHCP spoofing. DHCP guard or
    > RA guard would still be needed.
    
    802.1X is very widely used in GPON and DSL networks and I haven't heard of it having any issues. I'm not understanding the reference to WPA and local devices, since I think we're talking about the WAN and not the LAN interface here? 
    
    ..........
    > > On Jan 7, 2019, at 2:38 AM, JORDI PALET MARTINEZ
    ...
    > >   Considering that, networks using DHCPv6, depending on their specific
    > >   topologies, should consider using authentication mechanisms such as
    > >   those based on IEEE-802.1X or access control mechanisms such as DHCP
    > >   snooping, DHCP guard, or TR-069, among other possible choices.
    
    TR-069 is a management protocol (that goes over HTTP, using TLS for security), and not an access control mechanism. I suggest it be removed from this list.
    
    Barbara
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.