Re: [secdir] Fwd: New SG17 proposed work items on IPv6

David McGrew <mcgrew@cisco.com> Fri, 01 April 2011 11:19 UTC

Message-Id: <93D11D9B-299A-490E-A6A7-E78EAE4713F4@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Fred Baker <fred@cisco.com>, secdir@ietf.org, Tim Polk <tim.polk@nist.gov>
In-Reply-To: <03BEA4A7-EE27-4961-B23D-9AD276797D09@cisco.com>
Date: Thu, 31 Mar 2011 17:33:45 -0700
References: <32850C9F-72A5-4E2A-BF15-FF6A236A6B77@cisco.com> <03BEA4A7-EE27-4961-B23D-9AD276797D09@cisco.com>
Subject: Re: [secdir] Fwd: New SG17 proposed work items on IPv6

"many new functions or requirements of IPv6 [including] mandatory IPsec ... can be abused for compromising computer systems or networks."

IPsec does not belong on that list; it is silly to have it there. Unless a v6 device is configured with keys and IPsec policy, it will behave as if IPsec is not present. IPsec is mandatory to implement, but not mandatory to use, of course. A great many v4 devices have had IPsec for years. And lastly, it defies logic to say that IPsec can be used to compromise a device; DoS is not a compromise.

"National Institute of Information and Communications Technology (NICT) has identified more than 60 security threats and vulnerabilities that may be caused by new functions or requirements of IPv6" These threats should be referenced so they can be assessed and dealt with; the most useful place to publish them would be as an internet-draft.

David

On Mar 30, 2011, at 8:52 PM, Fred Baker wrote:

> The attached was passed to me, and I think it is something that would be good for you to comment on to the IETF community.
>
> Begin forwarded message:
>
>> From: Hascall Sharp <chsharp@cisco.com>
>> Date: March 31, 2011 5:24:00 AM GMT+02:00
>> To: "Fred Baker (fred)" <fred@cisco.com>
>> Subject: New SG17 proposed work items on IPv6
>>
>> This is probably not high on your list of things you'd like to see, but I figured you should be aware of it.
>>
>> "Technical security guideline on deploying IPv6"
>>
>>
> <T09-SG17-C-0454!!MSW-E.doc>
>>
>>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir