Re: [secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
Fernando Gont <fgont@si6networks.com> Tue, 16 April 2013 23:06 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E0F21F97B9; Tue, 16 Apr 2013 16:06:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4F4cmjRk7Ku; Tue, 16 Apr 2013 16:06:48 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id CA9D521F97C2; Tue, 16 Apr 2013 16:06:47 -0700 (PDT)
Received: from [148.220.230.158] by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1USExW-0008Na-QU; Wed, 17 Apr 2013 01:06:42 +0200
Message-ID: <516DD980.10806@si6networks.com>
Date: Tue, 16 Apr 2013 18:06:40 -0500
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <A95B4818FD85874D8F16607F1AC7C628B32E41@xmb-rcd-x09.cisco.com>
In-Reply-To: <A95B4818FD85874D8F16607F1AC7C628B32E41@xmb-rcd-x09.cisco.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org" <draft-ietf-opsec-ipv6-implications-on-ipv4-nets.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2013 23:06:48 -0000
Hi, Joseph, Thanks so much for your review! -- Please find my comments in-line.... On 04/16/2013 03:43 PM, Joseph Salowey (jsalowey) wrote: > draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03 discusses issues > with IPv6 running on networks that have incomplete security controls > (firewall and IDS) for IPv6. It basically describes what you need > to filter on to filter out IPv6 traffic and tunneling technologies. > This seems like mostly useful information, however its not clear to > me if you implement all the controls in the document if you would not > still have a problem form IPv6 on a local link This is discussed in the "native IPv6 section" > or IPv6 tunneled > through some non-standard means. How about adding this a the end of Section 3: "We note that this document covers standardized IPv6 tunneling mechanisms, but does not aim to cover non-standard tunneling mechanisms nor that of IPsec-based or SSL/TLS-based tunneling of IPv6 packets". ? > It seems the document should at > least mention this risk in the security considerations since hosts on > these networks may be IPv6 enabled. One related issue I have seen > is in end host configuration where a host based firewall is > configured with IPv4 rules and left silent on IPv6 with varying > results. I don't recall seeing any discussion of this in the > document, but it might also be worth covering in security > considerations as well. Isn't this covered in the "native ipv6" section? Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [secdir] Secdir review of draft-ietf-opsec-ipv6-i… Joseph Salowey (jsalowey)
- Re: [secdir] Secdir review of draft-ietf-opsec-ip… Fernando Gont
- Re: [secdir] Secdir review of draft-ietf-opsec-ip… Joseph Salowey (jsalowey)
- Re: [secdir] Secdir review of draft-ietf-opsec-ip… Fernando Gont