Re: [secdir] secdir review of draft-ietf-ipsecme-ikev2-ipv6-config-02.txt
Dave Cridland <dave.cridland@isode.com> Fri, 16 October 2009 11:26 UTC
Return-Path: <dave.cridland@isode.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21ED928B23E; Fri, 16 Oct 2009 04:26:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHnXGs7OFbMt; Fri, 16 Oct 2009 04:26:53 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 0AB213A677D; Fri, 16 Oct 2009 04:26:53 -0700 (PDT)
Received: from puncture ((unknown) [217.155.137.60]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <SthYXgBfG586@rufus.isode.com>; Fri, 16 Oct 2009 12:26:22 +0100
X-SMTP-Protocol-Errors: NORDNS
References: <15898.1254832898.040887@puncture> <808FD6E27AD4884E94820BC333B2DB773C09A4472C@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB773C09A4472C@NOK-EUMSG-01.mgdnok.nokia.com>
Message-Id: <3527.1255692381.824936@puncture>
Date: Fri, 16 Oct 2009 12:26:21 +0100
From: Dave Cridland <dave.cridland@isode.com>
To: "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>, Security Area Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, julienl@qualcomm.com, cmadson@cisco.com
MIME-Version: 1.0
Content-Type: text/plain; delsp="yes"; charset="us-ascii"; format="flowed"
Subject: Re: [secdir] secdir review of draft-ietf-ipsecme-ikev2-ipv6-config-02.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2009 11:26:54 -0000
On Fri Oct 16 12:18:17 2009, Pasi.Eronen@nokia.com wrote: > (replying as document author, not AD) > > Thanks for your review, Dave! > > > The Security Considerations section is actually quite unclear to > me - > > at first glance, the opening phrase suggests that the solution > does > > indeed do the thing it warns against, that is, assigning each > client > > a unique, and therefore identifiable, prefix. > > It indeed does this, and the paragraph should be clearer about it. > Perhaps something like this? > > The mechanism described in this document assigns each client a > unique prefix, which makes using randomized interface identifiers > [RFC4941] ineffective from privacy point of view: the client is > still uniquely identified by the prefix. [...] > > Yes, that's much clearer. > > It also fails to draw the reader's attention to any other relevent > > considerations - I'm assuming that the two and a half pages of > > security considerations in RFC 4306 have some direct relevance > here. > > Since this is a very small extension to RFC 4306, indeed all the > security considerations of RFC 4306 still apply. Perhaps we > should add something like: > > Since this document is an extension to IKEv2, the security > considerations in [IKEv2] apply here as well. > > It seems to be traditional, yes. > > Also, the informative references noted in the Acknowledgements > > section would appear to have some potentially important security > > considerations - for example, RFC 4891's final consideration is: > > > > Please note that using IPsec for the scenarios described in > > Figures 1, 2, and 3 does not aim to protect the end-to-end > > communication. It protects just the tunnel part. It is still > > possible for an IPv6 endpoint not attached to the IPsec tunnel > to > > spoof packets. > > > > ... given that IKEv2's previous support for IPv6 limited it to a > > single host at the client end, one assumes that this document > > introduces at least this security consideration. > > I don't think RFC 4891 is relevant here; remote access VPNs are > almost > never end-to-end, and the situation is the same with IPv4 and IPv6. > So > this document doesn't introduce anything new here... I was under the impression it potentially moved one of the ends in any communication away from the tunnel endpoint? That is, if one is connecting into a secured, trusted network, using this secured VPN tunnel, that doesn't mean that any packets traversing a local network to get to that tunnel are secured. (For whatever meaning of secured you intend to put here). To put it another way, under RFC 4306, the client VPN'ing into the network is always "attached to the IPSec tunnel", whereas this document extends things such that this may not be the case. I'm not jumping up and down insisting on this, by the way, I'm just trying to make sure you understood what I meant. :-) Dave.
- [secdir] secdir review of draft-ietf-ipsecme-ikev… Dave Cridland
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Pasi.Eronen
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Dave Cridland
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Pasi.Eronen
- Re: [secdir] secdir review of draft-ietf-ipsecme-… Laganier, Julien