IETF Logo Mail Archive

Re: [secdir] Discussion from the Security Directorate

Fred Baker <fred@cisco.com> Tue, 28 July 2009 20:49 UTC

Return-Path: <fred@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A9473A68AE for <secdir@core3.amsl.com>; Tue, 28 Jul 2009 13:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.862
X-Spam-Level:
X-Spam-Status: No, score=-109.862 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wWYSpcm45I+8 for <secdir@core3.amsl.com>; Tue, 28 Jul 2009 13:49:28 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 8F1973A67EB for <secdir@ietf.org>; Tue, 28 Jul 2009 13:49:27 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AmgAAFYBb0qQ/uCKe2dsb2JhbACaBgEBFiQGolOIJ5AgBYQQgU0
X-IronPort-AV: E=Sophos;i="4.43,284,1246838400"; d="scan'208";a="46010102"
Received: from ams-dkim-1.cisco.com ([144.254.224.138]) by ams-iport-1.cisco.com with ESMTP; 28 Jul 2009 20:49:27 +0000
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n6SKnRhX013304; Tue, 28 Jul 2009 22:49:27 +0200
Received: from [10.43.1.21] (ams3-vpn-dhcp1554.cisco.com [10.61.70.18]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n6SKnDtq015185; Tue, 28 Jul 2009 20:49:15 GMT
Message-Id: <5AECC74E-90A0-45DA-9D23-7DE64F3488CB@cisco.com>
From: Fred Baker <fred@cisco.com>
To: Joel Jaeggli <joelja@bogus.com>
In-Reply-To: <4A6D98AC.4060100@bogus.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Tue, 28 Jul 2009 22:49:11 +0200
References: <EDC652A26FB23C4EB6384A4584434A04018CF83B@307622ANEX5.global.avaya.com> <B40EE4C2-93AE-45A3-89AA-8601BFC76346@huawei.com> <633E561F-48D1-42DE-A310-9E77DB0A87F1@cisco.com> <4A6D98AC.4060100@bogus.com>
X-Mailer: Apple Mail (2.935.3)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3772; t=1248814167; x=1249678167; c=relaxed/simple; s=amsdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fred@cisco.com; z=From:=20Fred=20Baker=20<fred@cisco.com> |Subject:=20Re=3A=20Discussion=20from=20the=20Security=20Di rectorate |Sender:=20; bh=4dHjt/lsFUKKLeg2AJP2Ev2BB/ekSpDj2Fg0nVli/e0=; b=gZpwLAM/8mvfdQmVZV4F812E43VPyJ9waHd5A412Ek3QX2fxKtQMiIWN9/ iu43NRu/pk3jIEaXSjmVDCSA1U/mft5ImALxOH8F8y821E2cQF87xlEZItPS ZZ3F1qLidE;
Authentication-Results: ams-dkim-1; header.From=fred@cisco.com; dkim=pass ( sig from cisco.com/amsdkim1002 verified; );
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, 6man-ads@tools.ietf.org, secdir@ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>, Joe Abley <jabley@ca.afilias.info>, Softwire Chairs <softwire-chairs@tools.ietf.org>, v6ops-ads@tools.ietf.org, softwire-ads@tools.ietf.org, Tina TSOU <tena@huawei.com>, behave-ads@tools.ietf.org, Behave Chairs <behave-chairs@tools.ietf.org>
Subject: Re: [secdir] Discussion from the Security Directorate
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2009 20:49:29 -0000

I'm not arguing against the request. I'm asking what it is requesting,  
as I have no idea...

I think I know what a threat analysis is.

What is a "security assessment" apart from a "threat assessment"? I  
told v6ops (which does not develop transition technologies, by  
charter, and therefore is the absolute wrong place to send this) that  
I thought it might mean an assessment of how we might mitigate the  
threats. Absent any answers from the Security Directorate responsive  
to the question, I have no idea whether I was correct.

And what on God's Green Earth is a "function recommendation"? I have  
no idea what you want.

Nobody from the Security Directorate was there today to deliver the  
message. If I were developing a threat assessment of that protocol...  
let's see: delivered to the wrong WG by someone who didn't know what  
the message was supposed to be using slides he didn't understand and  
the security directorate didn't take the time to explain...

On Jul 27, 2009, at 2:08 PM, Joel Jaeggli wrote:

> I'd probably tune the slides a bit still:
>
> 	Security problems show up in deployment and use, these cannot be
> 	thought out at all when designing the protocols
>
> Is an assertion you'll get pushback on. we have signficant operational
> experience with variations on many of the proposed or deployed
> transition mechanisms. necessarily that experience informs both our
> current thinking and the desirability of any particular approach.
>
> bump in the wire type transition technologies certainly are an area
> potential concern for opsec
>
> Fred Baker wrote:
>> Thanks, Tina. I will add this to the IPv6 Operations agenda, probably
>> during our second session Tuesday.
>>
>> You will note that I am copying the chairs and ADs from several  
>> working
>> groups. The reason is that the primary thrust of the comments you are
>> making apply to work being done in those working groups. Slide 5
>> specifically requests a threat analysis, security assessment, and
>> "function recommendation" on each transition technology; these are in
>> fact being done in behave and softwires. I mention 6man because
>> marketing blather from the IPv6 form makes security claims for IPv6,
>> which it would be good if that working group clarified.
>>
>> I do have to ask specifically what the Security Directorate hopes to
>> find in the three documents that have been requested for each of  
>> these
>> various technologies. What, specifically, is a "function
>> recommendation"? A threat analysis is a statement that there exist  
>> a set
>> of possible threats. Is a security assessment a statement about how
>> those threats are responded to? What, if the WGs don't produce it, is
>> going to leave the Security Directorate feeling ill-used?
>>
>> On Jul 27, 2009, at 12:56 PM, Tina TSOU wrote:
>>
>>>
>>> B. R.
>>> ">http://tinatsou.weebly.com/contact.html
>>
>>> Begin forwarded message:
>>>
>>>> From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
>>>> Date: July 27, 2009 7:52:20 AM GMT+02:00
>>>> To: Ron Bonica <rbonica@juniper.net>
>>>> Cc: Tina TSOU <tena@huawei.com>
>>>> Subject: FW: [OPS-DIR] Reminder: OPS-DIR working lunch
>>>>
>>>> Ron,
>>>>
>>>> This looks more like an opsec (who are not meeting this time) or  
>>>> v6ops
>>>> subject.
>>>>
>>>> Dan
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Tina TSOU [mailto:tena@huawei.com]
>>>> Sent: Monday, July 27, 2009 12:02 AM
>>>> To: Romascanu, Dan (Dan)
>>>> Subject: Re: [OPS-DIR] Reminder: OPS-DIR working lunch
>>>>
>>>> Hi Dan,
>>>> Could this be discussed at OPS-DIR working lunch?
>>> <Recommendation of IPv6 Security work--on the flight-2.ppt>
>>> <ATT4180184.txt>
>>>

v2.23.0 | Report a Bug | By Email