Re: [secdir] Review of draft-ietf-v6ops-unique-ipv6-prefix-per-host

"Van De Velde, Gunter (Nokia - BE/Antwerp)" <gunter.van_de_velde@nokia.com> Mon, 26 June 2017 11:40 UTC

From: "Van De Velde, Gunter (Nokia - BE/Antwerp)" <gunter.van_de_velde@nokia.com>
To: Watson Ladd <watsonbladd@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-v6ops-unique-ipv6-prefix-per-host.all@tools.ietf.org" <draft-ietf-v6ops-unique-ipv6-prefix-per-host.all@tools.ietf.org>, "iseg@ietf.org" <iseg@ietf.org>
Thread-Topic: Review of draft-ietf-v6ops-unique-ipv6-prefix-per-host
Thread-Index: AQHS7nEK8Ccj6Q4tyk+FfpziyYjc3g==
Date: Mon, 26 Jun 2017 11:40:41 +0000
Message-ID: <3FEF62DE-B27E-4937-95E9-B2AFF1523004@nokia.com>
References: <CACsn0cmv37zF0f_9trPeS8xCu0NeE6sryV=tuVH9fCbjVXXq7A@mail.gmail.com>
In-Reply-To: <CACsn0cmv37zF0f_9trPeS8xCu0NeE6sryV=tuVH9fCbjVXXq7A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wWp_0vlmsz7Ss-nowjhehYImOeg>
Subject: Re: [secdir] Review of draft-ietf-v6ops-unique-ipv6-prefix-per-host
List-Id: Security Area Directorate <secdir.ietf.org>

Hi Watson,

My apologies for the delay in answering. It's been a hectic time for me. Many thanks for your review.

I modified the text in the security considerations to include your suggestion to make the correlation between both more clear.

<>
                <t>The mechanics of IPv6 privacy extensions <xref target="RFC4941">RFC4941</xref>
                  are compatible with assignment of a Unique IPv6 Prefix per Host.
                  The combination of both IPv6 privacy extensions
                  and operator based assignment of a Unique IPv6 Prefix per Host provides
                  each implementing operator a tool to manage and provide subscriber services
                  and hence reduces the experienced privacy within each operator controlled domain.
                  However, beyond the operator controlled domain, IPv6 privacy extensions provide
                  the desired privacy as documented in <xref target="RFC4941">RFC4941</xref>.</t>
<>

Thanks and take care,

G/

From: Watson Ladd <watsonbladd@gmail.com>
Date: Monday, 5 June 2017 at 07:10
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-v6ops-unique-ipv6-prefix-per-host.all@tools.ietf.org" <draft-ietf-v6ops-unique-ipv6-prefix-per-host.all@tools.ietf.org>, "iseg@ietf.org" <iseg@ietf.org>
Subject: Review of draft-ietf-v6ops-unique-ipv6-prefix-per-host
Resent-From: <alias-bounces@ietf.org>, <watsonbladd@gmail.com>
Resent-To: <john_brzozowski@comcast.com>, <gunter.van_de_velde@nokia.com>, <rbonica@juniper.net>, <lee@asgard.org>, <fredbaker.ietf@gmail.com>, <bclaise@cisco.com>, <warren@kumari.net>, Ron Bonica <rbonica@juniper.net>, <draft-ietf-v6ops-unique-ipv6-prefix-per-host.all@ietf.org>
Resent-Date: Monday, 5 June 2017 at 07:34

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is that this document has one substantial issue plus a formatting nit: the author names are running into the title. Perhaps this can be fixed.

The substantial comment is that the interaction of privacy addresses with giving each subscriber a unique IPv6 address prefix space is not discussed in this document at all. This seems like a security issue that should be addressed as it reduces privacy compared to a shared prefix for all users. (Or maybe I am completely wrong: I do not know IPv6 in great detail). At minimum it should be discussed in the security considerations section, even if explicitly dismissed.

Sincerely,
Watson
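
As an added illustration of the point the thread turns on (the revised security-considerations text quoted above, and Watson's concern that a per-host prefix reduces the privacy that RFC 4941 temporary addresses give under a shared prefix), the following Python script is not part of the draft or of either message. It builds three constructed subscribers in the 2001:db8::/32 documentation range, generates RFC 4941-style temporary addresses for each under both numbering models, and then scores, from an observer's side, how many distinct hosts share each address's /64. With one shared /64 the prefix carries no per-host information; with a unique /64 per host every temporary address is linkable to its host through the prefix alone, however often the IID rotates. The host names, prefixes, rotation count and RNG seed are assumptions chosen for the example.

```python
"""Prefix-level linkability of RFC 4941 temporary addresses.

Added example, not from draft-ietf-v6ops-unique-ipv6-prefix-per-host.
All subscribers, prefixes and counts below are constructed for illustration.
"""
import ipaddress
import random
from collections import defaultdict

# Constructed address plans (documentation range 2001:db8::/32).
# Shared model: every subscriber is numbered out of the same /64.
SHARED_PREFIX = {
    "alice": "2001:db8:0:1::",
    "bob":   "2001:db8:0:1::",
    "carol": "2001:db8:0:1::",
}
# Unique-prefix-per-host model: each subscriber gets its own /64.
UNIQUE_PREFIX = {
    "alice": "2001:db8:0:a::",
    "bob":   "2001:db8:0:b::",
    "carol": "2001:db8:0:c::",
}


def temporary_address(prefix: str, rng: random.Random) -> str:
    """Form an RFC 4941-style temporary address: the /64 plus a random 64-bit
    IID with the universal/local bit (0x02 of the first IID octet) cleared."""
    iid = rng.getrandbits(64) & ~(1 << 57)
    net = ipaddress.IPv6Network(f"{prefix}/64")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def iid_of(addr: str) -> int:
    """Low 64 bits of an address (the interface identifier)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def make_log(plan: dict, rotations: int, seed: int = 0) -> list:
    """Return (true_host, address) pairs; each host rotates its IID `rotations` times.
    true_host is ground truth used only for scoring; an observer sees just the address."""
    rng = random.Random(seed)
    return [(host, temporary_address(prefix, rng))
            for host, prefix in plan.items()
            for _ in range(rotations)]


def prefix64(addr: str) -> ipaddress.IPv6Network:
    """The /64 an observer can read off any address without operator knowledge."""
    return ipaddress.IPv6Network(f"{addr}/64", strict=False)


def anonymity_set_sizes(log: list) -> dict:
    """Observer-side analysis: for each address, how many distinct hosts share its /64.
    A size of 1 means the prefix alone links every temporary address of that host."""
    hosts_per_prefix = defaultdict(set)
    for host, addr in log:
        hosts_per_prefix[prefix64(addr)].add(host)
    return {addr: len(hosts_per_prefix[prefix64(addr)]) for _, addr in log}


def linkable_fraction(log: list) -> float:
    """Fraction of observed addresses whose /64 identifies exactly one host."""
    sizes = anonymity_set_sizes(log)
    return sum(1 for n in sizes.values() if n == 1) / len(sizes)


if __name__ == "__main__":
    for name, plan in (("shared /64", SHARED_PREFIX), ("unique /64 per host", UNIQUE_PREFIX)):
        log = make_log(plan, rotations=4)
        print(f"{name}: {len(log)} temporary addresses, "
              f"{linkable_fraction(log):.0%} linkable to a single host by prefix alone")
```

Run it directly to print the linkable fraction for both layouts. What it shows is narrow but exact: under a unique /64 per host, the prefix links all of a host's temporary addresses to each other regardless of IID rotation, and any party that sees the source address can do that grouping. Turning a /64 into a named subscriber still needs the prefix assignment records, which is why the revised text scopes the privacy reduction to the operator controlled domain.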