Re: [secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03

Fernando Gont <fgont@si6networks.com> Thu, 02 May 2013 18:38 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D3D821F9199; Thu, 2 May 2013 11:38:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.53
X-Spam-Level:
X-Spam-Status: No, score=-2.53 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R+i0ohugCcP1; Thu, 2 May 2013 11:38:13 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 9262E21F9193; Thu, 2 May 2013 11:38:13 -0700 (PDT)
Received: from [186.134.26.236] (helo=[192.168.123.125]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1UXyOI-0006xX-K1; Thu, 02 May 2013 20:38:02 +0200
Message-ID: <5182B282.4000307@si6networks.com>
Date: Thu, 02 May 2013 15:37:54 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <A95B4818FD85874D8F16607F1AC7C628B32E41@xmb-rcd-x09.cisco.com> <516DD980.10806@si6networks.com> <A95B4818FD85874D8F16607F1AC7C628B35843@xmb-rcd-x09.cisco.com>
In-Reply-To: <A95B4818FD85874D8F16607F1AC7C628B35843@xmb-rcd-x09.cisco.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org" <draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2013 18:38:14 -0000

>>> It seems the document should at least mention this risk in the
>>> security considerations since hosts on these networks may be IPv6
>>> enabled.    One related issue I have seen is in end host
>>> configuration where a host based firewall is configured with IPv4
>>> rules and left silent on IPv6 with varying results.   I don't
>>> recall seeing any discussion of this in the document, but it
>>> might also be worth covering in security considerations as well.
>> 
>> Isn't this covered in the "native ipv6" section?
> 
> [Joe]  I was thinking of having some text that is a bit more host
> centric.

I've added this parenthetical note to Section 1:

      The aforementioned security controls should contemplate not only
      network-based solutions, but also host-based solutions (such as
      e.g. personal firewalls).

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492