IETF Logo Mail Archive

Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Mark Smith <markzzzsmith@gmail.com> Thu, 16 June 2016 09:43 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB16512B058; Thu, 16 Jun 2016 02:43:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmueOSfHfKhO; Thu, 16 Jun 2016 02:43:40 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E21DF12D096; Thu, 16 Jun 2016 02:43:39 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id u64so65747038vkf.3; Thu, 16 Jun 2016 02:43:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=2iI5UQF8KkiTKd/02IhQimbzT+gCNR7EtiEVZkZZ2Zc=; b=xr6uq3d4z0D2HiC4qbNINMWNv9HgUY0O7fAPdnaJN6w81jelvUO20uVWMWUEOtBz6M WBQUUJu35H4x4UTq3gmvNOHNXp7HGgjQT2129EkV4+voCMMsR19UnRx7U7NTj04l7QJr x2fxV+ln9CCZP3dc65uun6PkOCof7u2IxXULKpEApAQ3PVCijQwTMwz5KxouKi85gUzk kmjdmBxG15IIvEnIvWmNOIj5FOz/YczTWA6Qc0RkYyT+8yy0dTn4EE/6SSQ+UGoduMLy p0PDIIyiRu30aSwC86ibwx9S/0RuB7YjzABKKXYJLLV4QxhjH/kQyREwHZqDRckcX84y VsLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=2iI5UQF8KkiTKd/02IhQimbzT+gCNR7EtiEVZkZZ2Zc=; b=Nf3RlGxO7tReAWEsQGjDaLcb2jH2agYgRAXMYbVBcFDuAXbLTuuqCeoFCNLW4rW1o5 B3XVo51O+G/+zpmfI4CTJ4rISeppIVro0qamAucapeDOni4gQX6XxHIkJgfqVFlxiIqT PtVXW0rBloR7BWEMs3CYJU5LBcPmShvCYiTYRCEgqaJ2YIFgfcuLMMWwdd1T8KQLh0fL 9OuKz2WH5Ss9/FlAMLSvxy0GGEdyAdI38yuRw8gGI+2+Cn3DALAxEtXWeBe638skuUOj 7/J65xmp//azhpfYhyp3ZPYEoCidFrWfzwOK27NGEeIz4k3fgh/+1+1SMzpKohd/XHuK LklQ==
X-Gm-Message-State: ALyK8tJ/CI3P1yweIZOtHcD/pdN12/2WCfeXmpM3a4VK0xLkdl97oPJyAFH7NR+kIkTvu/JIh+CMj3aW8vm1dQ==
X-Received: by 10.31.8.77 with SMTP id 74mr1574627vki.150.1466070218954; Thu, 16 Jun 2016 02:43:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.64.168 with HTTP; Thu, 16 Jun 2016 02:43:09 -0700 (PDT)
In-Reply-To: <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Thu, 16 Jun 2016 19:43:09 +1000
Message-ID: <CAO42Z2z_pgBrn3bNRagx4W2FYn4aJ=NYNGwzDk+Q2o373qux+A@mail.gmail.com>
To: Marco Ermini <Marco.Ermini@resmed.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/1VKktz2kTo-69ryGkPidO8slI6s>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "fgont@si6networks.com" <fgont@si6networks.com>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 09:43:42 -0000

On 16 June 2016 at 19:15, Marco Ermini <Marco.Ermini@resmed.com> wrote:
> Well, actually, infrastructure hiding IS part of security.  It is not the full picture, but it is incorrect to say that it is not.
>
> I personally don't sympathize on NAT-haters.  NAT has its reasons, especially for carrier-grade NAT

CGN isn't necessary in IPv6, it's to solve the problem of ISPs running
out of IPv4 addresses.

 and especially in the telco scenario, and yes, it does provide some
level of security - again, not the complete picture, but it does.
>

NAT is not necessary in IPv6. The equivalent of NAT's perceived
security can be provided via alternative methods, as described in
RFC4864.

A further technique to hide topology that isn't mentioned in RFC4864
is to use something like ISATAP or similar, to create a single /64
subnet over the top of multiple IPv4 subnets. Externally, all hosts
will appear to belong to a single IPv6 subnet, hiding the internal
topology.

If you truly want to hide the identities of hosts, NAT doesn't do
enough - it is only translating addresses, where as there are many
other host identifiers that the host itself supplies or will receive
and supply that can identify hosts e.g. HTTP cookies. "A Technique for
Counting NATted Hosts"
(https://www.cs.columbia.edu/~smb/papers/fnat.pdf) showed how a field
within the IPv4 header that leaked across a NAT was able to be used to
identify hosts.

If you truly want to hide a host from the Internet, yet still allow it
to access things on the Internet, under IPv6 your network would use
ULA addressing, and have a per-application protocol proxy server that
makes all requests look like they've entirely originated from the
application proxy server itself. To the Internet server, the
application proxy server would appear to be the application end host
making the requests, preventing any internal host identifiers or other
attributes from leaking.


Regards,
Mark.


>
> Regards,
>
> Marco Ermini
>
> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD
> Senior IT Security Analyst
> D +49 (0)899 901 1523  M +49 (0)175 439 5642
>
> ResMed Germany Inc
>
>
> -----Original Message-----
> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E Carpenter
> Sent: Thursday, June 16, 2016 1:45 AM
> To: Erik Kline; Eric Vyncke (evyncke)
> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
> Subject: Re: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08
>
> On 16/06/2016 07:45, Erik Kline wrote:
>> Section 2.1.2 is far too permissive for my tastes.  We need to be able
>> to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF.
>
> I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security.
>
> While I'm here, some other points:
>
> "2.2.  Extension Headers
>
>    TBD, a short section referring to all Fernando's I-D & RFC."
>
> That's not the whole story ;-). Firstly, RFC 7045 has a lot of relevance to security aspects. Second, there is no reason to refer to most of the material (Fernando's or not) unless it's directly relevant to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering,
> but only if that document is going anywhere.
>
> "2.3.3.  ND/RA Rate Limiting
> ...
>    The following drafts are actively discussing methods to
>    rate limit RAs and other ND messages on wifi networks in order to
>    address this issue:
>
>    o  [I-D.thubert-savi-ra-throttler]
>
>    o  [I-D.chakrabarti-nordmark-6man-efficient-nd]"
>
> Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO.
>
> "4.2.  Transition Mechanism
>
>    SP will typically use transition mechanisms such as 6rd, 6PE, MAP,
>    DS-Lite which have been analyzed in the transition Section 2.7.2
>    section."
>
> Shouldn't you add RFC6877 464XLAT now?
>
> Finally, I think there should be a Privacy Considerations section.
>
> Rgds
>     Brian
>
>>
>> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well.  We
>> should, in my opinion, make it painfully clear that DHCP (of any
>> protocol) in the absence of link-layer security/auditability features
>> does not provide any satisfactory way "to ensure audibility and
>> traceability" [Section 2.1.6].
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email