IETF Logo Mail Archive

Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 17 June 2016 01:46 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0950812DA0A; Thu, 16 Jun 2016 18:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxADrLFNjejF; Thu, 16 Jun 2016 18:46:16 -0700 (PDT)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C93112DE56; Thu, 16 Jun 2016 18:46:16 -0700 (PDT)
Received: by mail-pf0-x233.google.com with SMTP id h14so10161240pfe.1; Thu, 16 Jun 2016 18:46:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=ZY0kZ3X+yCP9p6KciCKJCOMMqenZ5XX12oaNASeBKrU=; b=xylTvYBb3/MlGM3TZKIqkaoXIzJzA9wiaZNAH2huQQ2UQ1WYqHIUBc1UJ8gD2ffgbY LhZUd0cHuCAo2G+wWr62FuMcj9SRkFUknQc0TEcaD9FPpGojBe/yCEDD6HcPpAURKdDu HYhdfA2U54DHcMNhpiP0w8YOp9eEWPxtUZ1YWJGMBgsy3IuVa+QAUsXjj7Cqf+54T3xQ tr3PFbqlBgmWyXTreMzLwQW8dnmNykhoWZN5QNvIN7V8m23TmrZJ20bLkcZ6vHd2PkVe 1XP2rgPtiwT/hOSyhQX0X+BmzurfdKa9Zv42OgpjddBYJ7JbMz+wWbf4Z/WZEGXJS1Sq nGcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=ZY0kZ3X+yCP9p6KciCKJCOMMqenZ5XX12oaNASeBKrU=; b=GKpBuZe56HG0Vsy74WcjHrds/fhS5AVTSDmyBPZgJpicxe5Uz/tnjmfq3KfL8xDOkz NhdL3CXP3CF2qB9A7rloWrQNVq2mKAbMG9/Na2aILDPSSY8MW1k5EVHBNp3//PiwJE4o PJUva/CYS4DmGb6PaErqX3YAamcNXlF4xXTatmG2fBza2pJ7/u/BWQCftBnPuZnFTpb1 jT7SsTqQBMHZo3E7mR2F1FuNBSMhV+ShYk4sMXtxU0oFh5ncQqPorq+TjHieh8dByufY 7mwPtBk88+axIKNIDWR0YOdtxVmTeTkLEfOuI9t6LodS3+pzmrOvuzvfF23zdZiIs09F GHiw==
X-Gm-Message-State: ALyK8tKVqS9oZ5Sv7/EYkSTWI03UOsjSEZU8ySuLsxDVDT6rz7e6lznifeRuufAzzgHHZw==
X-Received: by 10.98.56.86 with SMTP id f83mr8734966pfa.83.1466127975543; Thu, 16 Jun 2016 18:46:15 -0700 (PDT)
Received: from [192.168.178.23] ([118.148.76.242]) by smtp.gmail.com with ESMTPSA id p1sm63499854pfb.73.2016.06.16.18.46.11 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 16 Jun 2016 18:46:15 -0700 (PDT)
To: Marco Ermini <Marco.Ermini@ResMed.com>, Mark Smith <markzzzsmith@gmail.com>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004> <CAO42Z2z_pgBrn3bNRagx4W2FYn4aJ=NYNGwzDk+Q2o373qux+A@mail.gmail.com> <38465846B6383D4A8688C0A13971900C48DBFD81@ge2eml2k1004>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <1e28b94a-e920-4b0e-c062-100cc598ba85@gmail.com>
Date: Fri, 17 Jun 2016 13:46:20 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <38465846B6383D4A8688C0A13971900C48DBFD81@ge2eml2k1004>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Vjp9y4lEDLxpRHQeLgTPndJgswc>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "fgont@si6networks.com" <fgont@si6networks.com>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 01:46:19 -0000

In addition to what Mark said about this:

On 16/06/2016 22:03, Marco Ermini wrote:
> Hi,
> 
> NAT can be still necessary in IPv6 in dual-stack scenario, for instance, where every host is assigned both a IPv4 and IPv6 addresses and the CGN equipment can't handle them differently.  Unfortunately RFC 4864 does not mention such case, AFAIK.

CGN and IPv6 are completely orthogonal, even in a dual stack scenario.
v4 packets go to the CGN function and v6 packets go to the v6 router
function, possibly in the same box. So absolutely the equipment handles
them differently. (If there are sick products that get this wrong, that
is not really the IETF's business. Although it's a bit out of date in
seome aspects,  RFC 6264, An Incremental Carrier-Grade NAT (CGN) for IPv6
Transition, explains how to do it correctly.)

    Brian

> 
> In any case, I am happy to concede it could be an extreme case and that it is not necessary anymore in IPv6 for the great majority of use cases.
> 
> I was not really making a specific case for IPv6 - my opposition was to the concept that NAT is not security, and to the fact that it should be written as such in the RFC.  NAT *does* provide a form of security - the fact that it is not desirable or it is unnecessary to use is another topic, in which I believe we all agree (at least for 99% of use cases ;-))
> 
> 
> Regards,
> ​​​​​
> Marco Ermini
> 
> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD
> Senior IT Security Analyst
> D +49 (0)899 901 1523  M +49 (0)175 439 5642
> 
> ResMed Germany Inc
> 
> 
> 
> -----Original Message-----
> From: Mark Smith [mailto:markzzzsmith@gmail.com] 
> Sent: Thursday, June 16, 2016 11:43 AM
> To: Marco Ermini
> Cc: Brian E Carpenter; Erik Kline; Eric Vyncke (evyncke); fgont@si6networks.com; opsec@ietf.org; draft-ietf-opsec-v6@ietf.org; linkedin@xn--debrn-nva.de; v6ops@ietf.org
> Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
> 
> On 16 June 2016 at 19:15, Marco Ermini <Marco.Ermini@resmed.com> wrote:
>> Well, actually, infrastructure hiding IS part of security.  It is not the full picture, but it is incorrect to say that it is not.
>>
>> I personally don't sympathize on NAT-haters.  NAT has its reasons, 
>> especially for carrier-grade NAT
> 
> CGN isn't necessary in IPv6, it's to solve the problem of ISPs running out of IPv4 addresses.
> 
>  and especially in the telco scenario, and yes, it does provide some level of security - again, not the complete picture, but it does.
>>
> 
> NAT is not necessary in IPv6. The equivalent of NAT's perceived security can be provided via alternative methods, as described in RFC4864.
> 
> A further technique to hide topology that isn't mentioned in RFC4864 is to use something like ISATAP or similar, to create a single /64 subnet over the top of multiple IPv4 subnets. Externally, all hosts will appear to belong to a single IPv6 subnet, hiding the internal topology.
> 
> If you truly want to hide the identities of hosts, NAT doesn't do enough - it is only translating addresses, where as there are many other host identifiers that the host itself supplies or will receive and supply that can identify hosts e.g. HTTP cookies. "A Technique for Counting NATted Hosts"
> (https://www.cs.columbia.edu/~smb/papers/fnat.pdf) showed how a field within the IPv4 header that leaked across a NAT was able to be used to identify hosts.
> 
> If you truly want to hide a host from the Internet, yet still allow it to access things on the Internet, under IPv6 your network would use ULA addressing, and have a per-application protocol proxy server that makes all requests look like they've entirely originated from the application proxy server itself. To the Internet server, the application proxy server would appear to be the application end host making the requests, preventing any internal host identifiers or other attributes from leaking.
> 
> 
> Regards,
> Mark.
> 
> 
>>
>> Regards,
>>
>> Marco Ermini
>>
>> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD Senior IT Security Analyst D 
>> +49 (0)899 901 1523  M +49 (0)175 439 5642
>>
>> ResMed Germany Inc
>>
>>
>> -----Original Message-----
>> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E 
>> Carpenter
>> Sent: Thursday, June 16, 2016 1:45 AM
>> To: Erik Kline; Eric Vyncke (evyncke)
>> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; 
>> draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
>> Subject: Re: [OPSEC] [v6ops] Asking for a review of 
>> draft-ietf-opsec-v6-08
>>
>> On 16/06/2016 07:45, Erik Kline wrote:
>>> Section 2.1.2 is far too permissive for my tastes.  We need to be 
>>> able to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF.
>>
>> I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security.
>>
>> While I'm here, some other points:
>>
>> "2.2.  Extension Headers
>>
>>    TBD, a short section referring to all Fernando's I-D & RFC."
>>
>> That's not the whole story ;-). Firstly, RFC 7045 has a lot of 
>> relevance to security aspects. Second, there is no reason to refer to 
>> most of the material (Fernando's or not) unless it's directly relevant 
>> to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering,
>> but only if that document is going anywhere.
>>
>> "2.3.3.  ND/RA Rate Limiting
>> ...
>>    The following drafts are actively discussing methods to
>>    rate limit RAs and other ND messages on wifi networks in order to
>>    address this issue:
>>
>>    o  [I-D.thubert-savi-ra-throttler]
>>
>>    o  [I-D.chakrabarti-nordmark-6man-efficient-nd]"
>>
>> Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO.
>>
>> "4.2.  Transition Mechanism
>>
>>    SP will typically use transition mechanisms such as 6rd, 6PE, MAP,
>>    DS-Lite which have been analyzed in the transition Section 2.7.2
>>    section."
>>
>> Shouldn't you add RFC6877 464XLAT now?
>>
>> Finally, I think there should be a Privacy Considerations section.
>>
>> Rgds
>>     Brian
>>
>>>
>>> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well.  We 
>>> should, in my opinion, make it painfully clear that DHCP (of any
>>> protocol) in the absence of link-layer security/auditability features 
>>> does not provide any satisfactory way "to ensure audibility and 
>>> traceability" [Section 2.1.6].
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>
>> _______________________________________________
>> OPSEC mailing list
>> OPSEC@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsec
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email