Re: [v6ops] Asking for a review of draft-ietf-opsec-v6-08
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 07 July 2016 15:36 UTC
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Markus deBruen <linkedin@xn--debrn-nva.de>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "fgont@si6networks.com" <fgont@si6networks.com>
Date: Thu, 07 Jul 2016 15:35:58 +0000
Message-ID: <D3A3CD7A.7721A%evyncke@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Af5CFCPAMvcEZyNSpUE0ZXue-Gs>
Subject: Re: [v6ops] Asking for a review of draft-ietf-opsec-v6-08
Markus

Thanks very much for your review, I know it takes time to do. I have accepted most of them except those marked with EVY>>

Thanks again and see you in Berlin, your ::1 ;-)

-éric

From: Markus deBruen <linkedin@xn--debrn-nva.de>
Date: Wednesday 15 June 2016 at 07:04
To: Eric Vyncke <evyncke@cisco.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>, Fred Baker <fred@cisco.com>, "fgont@si6networks.com" <fgont@si6networks.com>, "Howard, Lee" <lee.howard@twcable.com>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>
Subject: Re: Asking for a review of draft-ietf-opsec-v6-08

Hi Eric,

the draft is very well written and contains useful guidance/recommendations. Sections 2.4 and 2.5 do not contain much IPv6-specific information and sections 2.7.2.* do not give much guidance. However, these three sections together amount to ~11 pages (1/3 of the document). If you could shorten these sections, the document would become more manageable.

EVY>> hum good idea: we the authors also feel that the overall text could be improved in the form (keeping the content), alas, we also lack time to redo much of it... (see my reply 4 weeks after your review!)

Some minor comments and nits:

2.1.2
"... The latter would be problematic."
I suspect by "latter" you mean NPTv6. Better make that explicit.

EVY>> actually, we meant that IPv6 NAPT is problematic regarding logging... Thanks

"A typical argument is that there are too many mistakes made with filters and ULAs make things easier to hide machines."
Why "to hide machines"? I would suggest "to set filters".

2.1.4
"... privacy extension addresses should be used"
Punctuation mark is missing.

2.2
still TBD

EVY>> argh indeed, cannot fix it in -09, so, a -10 is to be expected

2.3.2
"... for protecting hosts connected against..."
"Connected hosts" maybe!?

2.3.4
"RFC6980 [RFC6980] aims to update RFC4861 [RFC4861]"
"[RFC6980] updates [RFC4861]"

EVY>> time flies... The original sentence was written when RFC 6980 was still a draft...

2.7.2
"embeb" -> embed

2.7.2.4
"... operational problems"
Punctuation mark is missing.

EVY>> Sigh... Working in XML does not help :-( Thanks

2.7.2.8
The second "MAP-E" should be "MAP-T".

2.8
"device to authenticated" -> "device authenticated"

EVY>> ??? We wanted to say that only authenticated and authorised users can manage the devices (changed the text to "authorised users" as authorisation requires authentication)

3.1
"bogon and reserved space"
Some links might be helpful (e.g. to IANA).

5
"[RFC7084] (which obsoletes [RFC6204]"
Missing ")"

"[RFC7084] states that a clear choice must be given to the user to select one of those two policies."
Does it? I did not find the corresponding passage.

EVY>> good catch, it is REC-49 of RFC 6092

Throughout the document there are some "IPV6", "DOS" and " ", which should be replaced with "IPv6", "DoS" and " ".

I hope these comments are helpful.

Cheers,
Markus

---- On Wed, 15 Jun 2016 12:50:29 +0200 Eric Vyncke (evyncke) <evyncke@cisco.com> wrote ----

The authors (and OPSEC WG chairs) would really appreciate if a review of https://tools.ietf.org/html/draft-ietf-opsec-v6-08 is done in the coming days/weeks (in time to submit a -09 in case it needs to be amended).

This I-D is about the operational security considerations when operating an IPv6 network (both as Service Provider and enterprise/subscriber).

Thanks a lot in advance for your review and be sure to include opsec@ietf.org in your reply.

- the authors (Merike, KK and Eric)
- the chairmen (Gunter and Eric)

PS: Markus, Fred, Fernando and Lee, as you kindly volunteered to review it during IETF-95, I also put your names ;-)