Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

"cb.list6" <cb.list6@gmail.com> Fri, 15 November 2013 18:50 UTC

In-Reply-To: <2BED1CEF-FBF2-490B-8468-8024BCBEC1F0@cisco.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <528661C5.3060005@forthnet.gr> <2BED1CEF-FBF2-490B-8468-8024BCBEC1F0@cisco.com>
Date: Fri, 15 Nov 2013 10:49:32 -0800
Message-ID: <CAD6AjGQxmBn8qURu056bhkNcE0WFd7rwmHP1HryLGHS+zOV0BA@mail.gmail.com>
From: "cb.list6" <cb.list6@gmail.com>
To: "Fred Baker (fred)" <fred@cisco.com>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>

On Fri, Nov 15, 2013 at 10:35 AM, Fred Baker (fred) <fred@cisco.com> wrote:
>
> On Nov 15, 2013, at 10:02 AM, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:
>
>> So, although i support this, i would like to see a note warning about some of the above dangers and noting that extra caution is to be used when following this.
>
> Thanks.
>
> Again, speaking as a participant.
>
> Where I most scratch my head is that the threat the firewall presumably is intended to defend against, and the asset it is trying to defend, is not usually related to a protocol. If we decide that a given protocol number or port number is "universally OK", such as RFC 6092's comments on ESP/AH/IKE, one can expect port-agile attacks to use that port number for whatever protocol they use. If we say that we want a specified server to act as a listener for a protocol, such as a web server for http/https, that doesn't imply that all devices implementing listeners should be exposed as a matter of policy (if you have a Canon MP620 series printer or a Cisco telephone, and its address is X.X.X.X, open http://X.X.X.X, and ask yourself if that's information you want available to the world).
>
> So, blocking a couple of ports doesn't seem to accomplish much from a security perspective. I'm not sure what I would call "security" in this draft, much less "balanced". What the draft does, as near as I can tell, is give service providers something that somebody called a firewall, so that they can tell their customers that have the presence of a firewall as a market requirement that they are deploying a firewall, but depending on their customers to be dumb enough to not realize that the firewall doesn't secure anything.
>

Network operators who have deployed the strategy outlined in the
draft have penned the draft; they have to deal with the strain on
their network and helpdesk calls related to being hacked.

I believe the point of the draft is to share deployment experience
that there is no material change to the relevant network provider
metrics related to those costs of hacking.

If I understand the scenario correctly, Swisscom had IPv4 NAT CPE
deployed with "stateful connection inspection" by default.

They deployed IPv6 on a large scale without "stateful connection
inspection" for IPv6, and the relevant metrics of attack traffic and
helpdesk calls have not changed.

This is not a matter of theory; this is a matter of network operators
sharing operational experience for the betterment of other network
operators.

CB

> BTW, as chair, I have asked for a security directorate review of this draft.
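To make the contrast in the exchange above concrete, here is a small simulation, added as an example and not code from the draft, from Swisscom, or from any vendor CPE. It feeds the same constructed IPv6 traffic through two policies: a stateless CPE that forwards everything inbound except a short port blocklist (the ports 25/135/139/445 are a hypothetical stand-in for the "couple of ports" Fred mentions; the draft's own list is not quoted on this page), and a stateful CPE that only admits inbound packets matching a flow a LAN host opened. The addresses, the printer on port 80 and the "port-agile" probe wearing UDP/500 are all constructed for the example.

```python
"""Constructed simulation (example code, not from the draft or any CPE):
the same inbound IPv6 packets evaluated under (a) a stateless blocklist of a
few inbound ports and (b) a stateful policy admitting only return traffic."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    label: str       # name used in the results
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN
    proto: str       # "tcp", "udp" or "esp" (ESP carries no ports)
    src: str
    dst: str
    sport: int = 0   # 0 where the protocol has no port
    dport: int = 0


# Hypothetical blocklist standing in for "a couple of ports".
BLOCKED_INBOUND_TCP: Set[int] = {25, 135, 139, 445}

Flow = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)


class BlocklistCpe:
    """Stateless: forward everything except a few inbound TCP ports."""

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            return True
        return not (p.proto == "tcp" and p.dport in BLOCKED_INBOUND_TCP)


class StatefulCpe:
    """Stateful: remember outbound flows; admit inbound only when it is the
    reverse of one of them (the 'stateful connection inspection' the
    IPv4 NAT CPE provided)."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
            return True
        # Reverse the 5-tuple and look it up in the flow table.
        return (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows


# Constructed hosts; 2001:db8::/32 is the documentation prefix (RFC 3849).
LAN_HOST, PRINTER = "2001:db8:1::10", "2001:db8:1::20"
WEB, ATTACKER = "2001:db8:2::80", "2001:db8:bad::1"

# Constructed traffic, in arrival order.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("outbound-https", "out", "tcp", LAN_HOST, WEB, 50000, 443),
    Packet("return-traffic", "in", "tcp", WEB, LAN_HOST, 443, 50000),
    # Unsolicited connection to the printer's embedded web server.
    Packet("printer-http", "in", "tcp", ATTACKER, PRINTER, 40001, 80),
    Packet("smb", "in", "tcp", ATTACKER, PRINTER, 40002, 445),
    # "Port-agile" probe wearing the IKE port number; it is not IKE.
    Packet("ike-port-probe", "in", "udp", ATTACKER, LAN_HOST, 40003, 500),
    # Unsolicited ESP: no port at all for a port blocklist to match.
    Packet("unsolicited-esp", "in", "esp", ATTACKER, LAN_HOST),
]


def run(policy, packets: List[Packet]) -> Dict[str, bool]:
    """Feed packets in order; return label -> whether the CPE forwarded it."""
    return {p.label: policy.allow(p) for p in packets}


def compare(packets: List[Packet]) -> Dict[str, Tuple[bool, bool]]:
    """label -> (forwarded by blocklist CPE, forwarded by stateful CPE)."""
    b = run(BlocklistCpe(), packets)
    s = run(StatefulCpe(), packets)
    return {label: (b[label], s[label]) for label in b}


if __name__ == "__main__":
    print(f"{'packet':16} {'blocklist':>9} {'stateful':>9}")
    for label, (bl, st) in compare(SAMPLE_TRAFFIC).items():
        print(f"{label:16} {str(bl):>9} {str(st):>9}")
```

Run stand-alone it prints one row per packet. The blocklist CPE stops only the SMB probe and lets the printer's HTTP listener, the UDP/500 probe and the unsolicited ESP through, which is Fred's point that a port blocklist does not describe the asset being defended; the stateful CPE passes the HTTPS return traffic and nothing else unsolicited, which is the behaviour CB says the IPv4 NAT CPE provided and the IPv6 deployment did without.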