Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
"cb.list6" <cb.list6@gmail.com> Fri, 15 November 2013 18:50 UTC
In-Reply-To: <2BED1CEF-FBF2-490B-8468-8024BCBEC1F0@cisco.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <528661C5.3060005@forthnet.gr> <2BED1CEF-FBF2-490B-8468-8024BCBEC1F0@cisco.com>
Date: Fri, 15 Nov 2013 10:49:32 -0800
Message-ID: <CAD6AjGQxmBn8qURu056bhkNcE0WFd7rwmHP1HryLGHS+zOV0BA@mail.gmail.com>
From: "cb.list6" <cb.list6@gmail.com>
To: "Fred Baker (fred)" <fred@cisco.com>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
On Fri, Nov 15, 2013 at 10:35 AM, Fred Baker (fred) <fred@cisco.com> wrote:
>
> On Nov 15, 2013, at 10:02 AM, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:
>
>> So, although I support this, I would like to see a note warning about some of the above dangers and noting that extra caution is to be used when following this.
>
> Thanks.
>
> Again, speaking as a participant.
>
> Where I most scratch my head is that the threat the firewall presumably is intended to defend against, and the asset it is trying to defend, is not usually related to a protocol. If we decide that a given protocol number or port number is "universally OK", such as RFC 6092's comments on ESP/AH/IKE, one can expect port-agile attacks to use that port number for whatever protocol they use. If we say that we want a specified server to act as a listener for a protocol, such as a web server for http/https, that doesn't imply that all devices implementing listeners should be exposed as a matter of policy (if you have a Canon MP620 series printer or a Cisco telephone, and its address is X.X.X.X, open http://X.X.X.X, and ask yourself if that's information you want available to the world).
>
> So, blocking a couple of ports doesn't seem to accomplish much from a security perspective. I'm not sure what I would call "security" in this draft, much less "balanced". What the draft does, as near as I can tell, is give service providers something that somebody called a firewall, so that they can tell their customers that have the presence of a firewall as a market requirement that they are deploying a firewall, but depending on their customers to be dumb enough to not realize that the firewall doesn't secure anything.
>

Network operators who have deployed this strategy outlined in the draft have penned the draft; they have to deal with the strain on their network and helpdesk calls related to being hacked.

I believe the point of the draft is to share deployment experience that there is no material change to the relevant network provider metrics related to those costs of hacking.

If I understand the scenario correctly, Swisscom had IPv4 NAT CPE deployed with "stateful connection inspection" by default. They deployed IPv6 on a large scale without "stateful connection inspection" for IPv6, and the relevant metrics of attack traffic and helpdesk calls have not changed.

This is not a matter of theory; this is a matter of network operators sharing operational experience for the betterment of other network operators.

CB

> BTW, as chair, I have asked for a security directorate review of this draft.
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
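The two CPE policies the message above contrasts, a stateful default-deny firewall versus "blocking a couple of ports" with everything else open, written out as an nftables ruleset. This is an added example, not text from the draft and not something anyone posted in this thread. The interface names wan0/lan0 and the blocklisted port numbers are my assumptions, not the draft's list; UDP 4500 is likewise an assumption beyond what RFC 6092 says; only the ESP/AH/IKE-on-UDP-500 pass-through comes from RFC 6092's recommendations.

```nft
# Added example (not the draft's ruleset, not from the thread): two IPv6
# forwarding policies for a residential CPE. Assumptions: wan0/lan0 are the
# interface names; the blocklisted ports are my choice, not the draft's list.

table ip6 cpe {

    # Policy A: stateful, default-deny inbound (the RFC 6092 "simple security" shape).
    chain fwd_stateful {
        ct state established,related accept   # replies to flows the LAN originated
        ct state invalid drop
        iifname "lan0" accept                 # anything the LAN originates outward

        # RFC 6092 recommends passing IPsec: ESP (proto 50), AH (proto 51), IKE (UDP 500).
        # UDP 4500 (IKE NAT-T) is added as an assumption beyond RFC 6092's text.
        # Note these rules match only the protocol/port number, not what is carried.
        meta l4proto { esp, ah } accept
        udp dport { 500, 4500 } accept

        # ICMPv6 the protocol needs to function (RFC 4890); echo-request is a policy choice.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        drop                                  # every other unsolicited packet from the WAN
    }

    # Policy B: default-accept with a short inbound blocklist, and no connection
    # tracking at all. Port numbers are assumed for illustration, not the draft's.
    chain fwd_blocklist {
        iifname "wan0" tcp dport { 135, 137-139, 445 } drop
        iifname "wan0" udp dport { 135, 137-139, 445 } drop
        accept                                # every other LAN listener is reachable from the WAN
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        jump fwd_stateful                     # change to 'jump fwd_blocklist' for policy B
    }
}
```

Load it with `nft -f <file>` on a Linux CPE. Neither policy looks past the header: the IPsec exceptions in policy A accept anything that carries protocol 50/51 or UDP 500/4500, which is the port-agile concern raised above, and policy B leaves every LAN listener not on the blocklist reachable from the WAN, printers and phones with web interfaces included.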