Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Marc Lampo <marc.lampo.ietf@gmail.com> Wed, 20 November 2013 08:01 UTC

In-Reply-To: <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <5288FC15.5080508@globis.net> <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com>
Date: Wed, 20 Nov 2013 09:01:27 +0100
Message-ID: <CAB0C4xOej1KhU2cA_edozG98V8ah1LgqDcu4RdwpXyQTRYRS_w@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
Cc: Ray Hunter <v6ops@globis.net>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

This document states, for several recommendations in RFC 6092, exactly the
opposite of that document.

In addition, as I touched on in my very first reaction, this draft lists a
number of threats - section 2.
But, in my opinion, none of those threats are addressed by the rules for
balanced security - section 3.1.
(My first comment only referred to the last threat, on covert channels, but
I must rephrase.)

Only "unauthorised use of services" is partly addressed, by blocking access
to some ports.

To later users it might be misleading: as if, by implementing these
balanced security rules, something were done about those threats.


In reply to the question : yes, personally I would be happier if the ISP
dropped all unsolicited packets towards my network (except IPsec).
An analogy :
is the front door of your home locked when nobody is at home ?
Or do you have locks on the doors towards the living room, kitchen and
bedroom (only)
 and allow free access to the bathroom ?
Perhaps proper use of the bathroom is not dangerous,
 but what if the unknown visitor (ab)uses the electricity outlet in the
bathroom ?



On Wed, Nov 20, 2013 at 7:50 AM, Lorenzo Colitti <lorenzo@google.com> wrote:

> On Mon, Nov 18, 2013 at 2:25 AM, Ray Hunter <v6ops@globis.net> wrote:
>
>> Summary: I don't have answers to my own points below, but neither does
>> this draft, so whilst I welcome the authors sharing their experiences, I
>> can't support publishing it as-is as a v6ops WG document.
>>
>> The bottom line is that I wouldn't be happy if my own ISP adopted the
>> policy exactly as-documented in the draft.
>>
>
> Would you be happier if your ISP implemented the "simple security"
> recommendations in RFC 6092 and dropped all unsolicited packets to your
> network except IPsec?
>
> I think we probably need something more sophisticated. And being
>> realistic, we're probably not yet ready to write it.
>>
>
> So let's not throw out the baby with the bathwater then? This group exists
> to share operational experience, and that is what this draft does. It does
> not make any recommendations; even the rules it presents are examples. I
> can't see anyone construing this as a recommendation or endorsement of any
> sort.
>
> We published RFC 6092. Why shouldn't we publish this one? It seems to me
> that there's no real difference between this document and RFC 6092;
> fundamentally, they both simply describe a security profile without making
> any claim about whether it is a recommended profile. If anything, at least
> this one has the advantage that it was deployed before it was
> standardized...
>
> I support this document.
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
>
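The default policy discussed in this thread (the RFC 6092 "simple security" model: drop all unsolicited inbound packets, keep IPsec usable) maps onto a short stateful forwarding ruleset. The nftables configuration below is an added illustration written for this archive page; it is not taken from the draft, from RFC 6092, or from any of the posters. The interface names `wan0` and `lan0` are assumed placeholders, and the ICMPv6 allow-list is an assumption drawn from the usual RFC 4890 guidance rather than something this thread states.

```nftables
# Added example: RFC 6092 style "simple security" on a home gateway.
# Assumed interface names: wan0 = ISP-facing uplink, lan0 = home LAN.
table inet cpe_simple_security {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped,
        # which is exactly the "drop all unsolicited packets" behaviour.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened itself are always allowed.
        ct state established,related accept

        # Packets that match no known flow and are malformed/out-of-window.
        ct state invalid drop

        # Everything initiated from the inside may leave (outbound is open).
        iifname "lan0" accept

        # Unsolicited inbound from the ISP side is only allowed for the
        # exceptions below (assumption: minimal set needed for IPv6 to work).

        # ICMPv6 messages required for path MTU discovery and diagnostics
        # (RFC 4890 style allow-list; assumed here, not stated in the thread).
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } accept

        # IPsec: ESP and AH payloads, plus IKE (UDP 500) and IKE/NAT-T (UDP 4500).
        # This is the "except IPsec" carve-out mentioned in the discussion.
        iifname "wan0" meta l4proto { esp, ah } accept
        iifname "wan0" udp dport { 500, 4500 } accept
    }
}
```

Load it with `nft -f <file>` on the gateway (assumption: a Linux-based CPE with nftables). The point of the example is the ordering: the conntrack rule lets LAN-initiated flows return, the LAN-side `accept` opens outbound, and the `policy drop` on the chain is what closes every inbound port rather than a per-port block-list like the one the draft describes. Adding a rule under the IPsec carve-out is the only way an inbound service becomes reachable, so each such addition is an explicit, auditable decision.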