Re: [secdir] Fwd: New SG17 proposed work items on IPv6
David McGrew <mcgrew@cisco.com> Fri, 01 April 2011 11:19 UTC
To: Fred Baker <fred@cisco.com>, secdir@ietf.org, Tim Polk <tim.polk@nist.gov>
Date: Thu, 31 Mar 2011 17:33:45 -0700
"many new functions or requirements of IPv6 [including] mandatory IPsec ... can be abused for compromising computer systems or networks."

IPsec does not belong on that list; it is silly to have it there. Unless a v6 device is configured with keys and IPsec policy, it will behave as if IPsec is not present. IPsec is mandatory to implement, but not mandatory to use, of course. A great many v4 devices have had IPsec for years. And lastly, it defies logic to say that IPsec can be used to compromise a device; DoS is not a compromise.

"National Institute of Information and Communications Technology (NICT) has identified more than 60 security threats and vulnerabilities that may be caused by new functions or requirements of IPv6"

These threats should be referenced so they can be assessed and dealt with; the most useful place to publish them would be as an internet-draft.

David

On Mar 30, 2011, at 8:52 PM, Fred Baker wrote:

> The attached was passed to me, and I think it is something that would be good for you to comment on to the IETF community.
>
> Begin forwarded message:
>
>> From: Hascall Sharp <chsharp@cisco.com>
>> Date: March 31, 2011 5:24:00 AM GMT+02:00
>> To: "Fred Baker (fred)" <fred@cisco.com>
>> Subject: New SG17 proposed work items on IPv6
>>
>> This is probably not high on your list of things you'd like to see, but I figured you should be aware of it.
>>
>> "Technical security guideline on deploying IPv6"
>>
>> <T09-SG17-C-0454!!MSW-E.doc>