[secdir] Secdir Review of draft-ietf-v6ops-6204bis-09

Matt Lepinski <mlepinski@bbn.com> Mon, 23 July 2012 19:36 UTC

Return-Path: <mlepinski@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE3311E809B; Mon, 23 Jul 2012 12:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvgKv+d6Esx9; Mon, 23 Jul 2012 12:36:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id A734311E80C4; Mon, 23 Jul 2012 12:36:00 -0700 (PDT)
Received: from mail.bbn.com ([128.33.0.48]:43961) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <mlepinski@bbn.com>) id 1StOQ9-00059V-GG; Mon, 23 Jul 2012 15:35:57 -0400
Received: from [128.89.253.157] by mail.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <mlepinski@bbn.com>) id 1StOQ9-0006Jh-CP; Mon, 23 Jul 2012 15:35:57 -0400
Message-ID: <500DA7BB.9090403@bbn.com>
Date: Mon, 23 Jul 2012 15:36:27 -0400
From: Matt Lepinski <mlepinski@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-v6ops-6204bis.all@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] Secdir Review of draft-ietf-v6ops-6204bis-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2012 19:36:01 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This informational document is an update to the requirements for an IPv6 
Customer Edge Router (i.e., a router in a residence or small office that 
supports IPv6). Note that most of the security requirements (e.g., 
packet filtering / sanitation) for such a Customer Edge Router are 
provided not in this document but in RFC 6092 and RFC 2827 (which are 
included by reference, i.e., that draft states that Customer Edge 
Routers SHOULD be compliant with RFCs 6092 and 2827).

The most significant change between this draft and RFC 6204 (which it 
replaces) is that it adds a section recommending (at the SHOULD level) 
support for 6RD (RFC 5969) and DS-LITE (RFC 6333). Note that supporting 
6RD and/or DS-LITE the CPE is causes the Customer Edge Router to perform 
the additional role of encapsulation/decapsulation of tunneled packets. 
Due to the addition of support for 6RD, and DS-LITE the security 
considerations adds the additional clarification that it should be 
possible to apply filtering (as per RFC 6092) to decapsulated packets 
(i.e., apply filter rules after stripping off the outer header). Other 
than this consideration, I cannot see any additional security issues 
related to adding support for 6RD and/or DS-LITE to Customer Edge 
Routers (excepting, of course, the general 6RD/DS-LITE security 
considerations in RFCs 5969 and 6333 which need not be repeated in this 
document).

The only concern that I have is that requirement S-3 in the Security 
Considerations section is a "SHOULD" and not a "MUST". If I understand 
S-3 correctly it says "If the Customer Edge Router supports filtering as 
described in 6092, and if this feature is turned on, then it SHOULD be 
possible to apply this filtering after decapsulation (as opposed to 
applying filters before the outer tunnel header is removed)". I have 
trouble imagining why it would be a good idea to provide the packet 
filtering features described in RFC 6092 but only allow these firewall 
rules to be applied prior to decapsulation. It seems that if the user 
(who may not be well versed in IP tunneling) turns on some 
firewall/filtering service in a Customer Edge Router, that what the user 
probably wants is for the filtering rules to be applied to the packets 
"inside" the tunnel (after decapsulation) and not to packets containing 
the "outer" tunnel header. I would therefore recommend that S-3 be 
changed to a "MUST" instead of a "SHOULD".

[Note: Please correct me if I misunderstood, S-3]

As a concrete example, RFC 6092 (in REC-1) says that when a (Customer 
Premises) router receives a packet with a multicast source address, that 
this packet must not be forwarded. When the incoming packet is a 
tunneled packet, the outer IP header always has as its source address 
the IP address of the tunnel ingress device. Therefore, surely if this 
kind of filtering is turned on in a Customer Edge Router, it ought to be 
applied to the inner packet (after removal of the outer tunnel header).

- Matt Lepinski