Re: [secdir] secdir review of draft-ietf-v6ops-tunnel-loops-01

Gabi Nakibly <gnakibly@yahoo.com> Tue, 11 January 2011 07:02 UTC

References: <ldvhbdv29lz.fsf@cathode-dark-space.mit.edu>
Date: Mon, 10 Jan 2011 23:05:05 -0800
From: Gabi Nakibly <gnakibly@yahoo.com>
To: Tom Yu <tlyu@MIT.EDU>, iesg@ietf.org, secdir@ietf.org, draft-ietf-v6ops-tunnel-loops.all@tools.ietf.org
In-Reply-To: <ldvhbdv29lz.fsf@cathode-dark-space.mit.edu>

Hi Tom,
Thanks for the valuable input. See our response inline.

Fred and Gabi



----- Original Message ----
> From: Tom Yu <tlyu@MIT.EDU>
> To: iesg@ietf.org; secdir@ietf.org; draft-ietf-v6ops-tunnel-loops.all@tools.ietf.org
> Sent: Thu, December 30, 2010 6:00:24 AM
> Subject: secdir review of draft-ietf-v6ops-tunnel-loops-01
> 
> This document describes routing loop vulnerabilities inherent in the
> existing design of IPv6-in-IPv4 tunneling protocols, and suggests
> mitigation strategies.
> 
> While the Security Considerations section of this document claims that
> the recommended checks do not introduce new security threats, Section
> 3.1 mentions that the additional processing overhead for checking
> destination and source addresses may be considerable.  It would be
> useful to have measurements or estimates of how this additional
> processing overhead compares to the effects of the routing loop attack
> that it is intended to mitigate.

Such estimates will be added to the Security Considerations section.

> 
> This document makes no mention of the Teredo attacks that are
> discussed in the USENIX WOOT paper.  The authors may wish to mention
> draft-gont-6man-teredo-loops-00 for the sake of completeness.
> 

We will cite this draft.

> Editorial:
> 
> Section 3 lists three categories of mitigation measures but the
> accompanying text states that they fall under two categories.
> 
> In Section 3.1, in the sentence "However, this approach has some
> inherit limitations", replace "inherit" with "inherent".
> 
> In Section 4, in the sentence "...other mitigation measures may be
> allowed is specific deployment scenarios", replace "may be allowed is"
> with "may be feasible in".
> 

All these will be corrected.
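The review above refers to the draft's recommended checks on destination and source addresses and asks what they cost. The following is an added illustration, not code from the draft or its authors, of what such a check looks like on a tunnel router: on the encapsulation path the inner IPv6 destination, and on the decapsulation path the inner IPv6 source, is parsed under every tunnel address format the router knows (here 6to4 and ISATAP, an assumption; other formats would be added the same way), and a packet whose address embeds one of the router's own IPv4 addresses under a format the router did not use is dropped, since it can only be a packet bouncing back through another tunnel. The router addresses and packet addresses below are constructed from documentation ranges.

```python
import ipaddress
from typing import List, Set, Tuple

# Tunnel address formats parsed here (assumption: two formats are enough to
# show the idea; a real router would include every format it can decapsulate).
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")        # 2002:V4ADDR::/48
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ::[02]00:5EFE:V4ADDR


def embedded_ipv4_candidates(ipv6: str) -> List[Tuple[str, ipaddress.IPv4Address]]:
    """Parse one IPv6 address under each known tunnel format and return
    (format, embedded IPv4) pairs. The work is a fixed number of byte
    comparisons per packet, independent of the number of tunnel peers."""
    addr = ipaddress.IPv6Address(ipv6)
    packed = addr.packed
    found = []
    if addr in SIXTOFOUR_PREFIX:
        # 6to4 carries the IPv4 address in bits 16..47
        found.append(("6to4", ipaddress.IPv4Address(packed[2:6])))
    if packed[8:12] in ISATAP_IID_PREFIXES:
        # ISATAP carries the IPv4 address in the low 32 bits of the IID
        found.append(("ISATAP", ipaddress.IPv4Address(packed[12:16])))
    return found


def _address_check(own_ipv4: Set[str], ipv6: str, role: str) -> Tuple[str, str]:
    """Return ("drop", reason) if `ipv6` embeds one of this router's own IPv4
    addresses under any tunnel format, otherwise ("forward", "")."""
    own = {ipaddress.IPv4Address(a) for a in own_ipv4}
    for fmt, v4 in embedded_ipv4_candidates(ipv6):
        if v4 in own:
            return ("drop", f"{role} {ipv6} embeds our own IPv4 {v4} under {fmt}")
    return ("forward", "")


def check_encapsulation(own_ipv4: Set[str], inner_dst: str) -> Tuple[str, str]:
    """Destination check before encapsulating an IPv6 packet into IPv4: a
    destination that maps back to this router must never be tunnelled out."""
    return _address_check(own_ipv4, inner_dst, "destination")


def check_decapsulation(own_ipv4: Set[str], inner_src: str) -> Tuple[str, str]:
    """Source check after decapsulating: an inner source that maps to this
    router claims to have been sent by us through another tunnel."""
    return _address_check(own_ipv4, inner_src, "source")


if __name__ == "__main__":
    # Constructed example: this router's IPv4 address is 192.0.2.1.
    own = {"192.0.2.1"}
    # ISATAP-format address embedding 192.0.2.1 (0xc0000201) -> dropped
    print(check_encapsulation(own, "2001:db8::5efe:c000:201"))
    # 6to4-format source embedding 192.0.2.1 -> dropped on decapsulation
    print(check_decapsulation(own, "2002:c000:201::1"))
    # Ordinary and foreign-embedded addresses are forwarded
    print(check_encapsulation(own, "2001:db8::1"))
    print(check_encapsulation(own, "2002:c633:6401::1"))  # embeds 198.51.100.1
```

The check inspects only the inner IPv6 header and the router's own address list, which is the overhead the review asks to have quantified; it does not require any state about remote endpoints.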