IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt

"Dan Harkins" <dharkins@lounge.org> Tue, 11 June 2013 16:32 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03BE321F9622; Tue, 11 Jun 2013 09:32:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2ncRbKajHb5; Tue, 11 Jun 2013 09:31:56 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id D899021F8BC0; Tue, 11 Jun 2013 09:31:56 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 2F449A888006; Tue, 11 Jun 2013 09:31:56 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 11 Jun 2013 09:31:56 -0700 (PDT)
Message-ID: <fb61afaa7d78273cb257bab766d03bcc.squirrel@www.trepanning.net>
In-Reply-To: <14984CD7-6EDD-49E6-A3C2-4775E80041AC@employees.org>
References: <3dc2e7cf8e11e1928d71c08895be5c68.squirrel@www.trepanning.net> <14984CD7-6EDD-49E6-A3C2-4775E80041AC@employees.org>
Date: Tue, 11 Jun 2013 09:31:56 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Ole Troan <otroan@employees.org>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: draft-ietf-6man-addr-select-opt.all@tools.ietf.org, draft-ietf-6man-rfc3484bis@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-6man-addr-select-opt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2013 16:32:02 -0000

  Hi Ole,

On Tue, June 11, 2013 2:24 am, Ole Troan wrote:
> Dan,
>
> let me chime in as the document shepherd.
> (thank you very much for the thorough comments by the way).
>
>>  For instance, while I think I understand the policy override of RFC
>> 6724, having the Automatic Row Additions Flag be part of the address
>> selection options seems problematic. If it is set to zero, then what are
>> the semantics of such a message? "Here's an address selection option
>> but don't you dare use it!"? What is the point? Me, as a node, can have
>> this as part of my policy state which would allow me to ignore such
>> an update but to have the bit be part of the option to update does
>> not seem to make much sense. The semantics of the message needs
>> to be explained much more clearly, or the bit needs to be removed
>> from the message.
>
> my reading of the meaning of the A flag is a little different. (I have
> cc'ed the authors of rfc6724 for confirmation.)
>
> an implementation of RFC6724 may automatically add entries in the policy
> table based on addresses configured on the node.
> e.g. the node has an interface with a ULA address.
>
> RFC6724 also says:
>    An implementation SHOULD provide a means (the Automatic Row Additions
> flag) for an administrator to disable
>    automatic row additions.

  That makes perfect sense. A client implementation SHOULD provide a
means to disable automatic row additions. So it has some knob that can
be turned on or off locally that would allow for update of its policy table
by receiving policy options (enable) or forbid received policy options from
updating the policy table (disable).

> the A-flag in draft-ietf-6man-addr-select-opt provides the means.

  So this is where I'm confused. The sender of the policy option should
not have the ability to control the knob that an implementation added
locally to satisfy RFC 6724. If a client implementation sets its knob to
"disable" then it forbids policy option updates to its policy table. It
shouldn't inspect the received option update to decide whether it
should override the setting of its local knob.

  This seems like a security issue to me. There's a reason why an
implementation would choose to disable updates of its policy table
and allowing the sender of policy updates to override that seems
wrong.

> it does not affect the policy entries that is contained in the DHCP
> option.
> the A-flag only affects the RFC6724 behaviour of adding entries based on
> address configuration on the node.

  Again, according to the draft a message can be received by a client
implementation that provides policy update options to its policy table
with semantics of "you SHOULD NOT use these!" So what is the point
of sending that message? Why not just refrain from sending the message
if that's what the message is?

  Would you ever tell someone, "disregard what I am about to tell you"? I
can't see why. And that's what the semantics of this message seem to be.

  regards,

  Dan.

v2.23.0 | Report a Bug | By Email