Re: [v6ops] Benjamin Kaduk's No Objection on draft-ietf-v6ops-conditional-ras-06: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Thu, 02 August 2018 03:18 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64AE6130EA8; Wed, 1 Aug 2018 20:18:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TlH-seN9BS9U; Wed, 1 Aug 2018 20:18:17 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92E59130DCA; Wed, 1 Aug 2018 20:18:16 -0700 (PDT)
X-AuditID: 1209190d-50bff70000006081-f3-5b6277f69496
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id BC.25.24705.7F7726B5; Wed, 1 Aug 2018 23:18:15 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w723IAji012109; Wed, 1 Aug 2018 23:18:11 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w723I5Io018630 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 1 Aug 2018 23:18:08 -0400
Date: Wed, 01 Aug 2018 22:18:06 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jen Linkova <furry13@gmail.com>
Cc: The IESG <iesg@ietf.org>, Russ White <russ@riw.us>, v6ops-chairs@ietf.org, V6 Ops List <v6ops@ietf.org>, draft-ietf-v6ops-conditional-ras@ietf.org
Message-ID: <20180802031803.GA96369@kduck.kaduk.org>
References: <153317681682.21918.12970450956130307676.idtracker@ietfa.amsl.com> <CAFU7BARsDaOnk6LNxFeZkKKGcjhbFVjkMLEiyMpPcQkG5U+Zpg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAFU7BARsDaOnk6LNxFeZkKKGcjhbFVjkMLEiyMpPcQkG5U+Zpg@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprAKsWRmVeSWpSXmKPExsUixG6nrvu9PCnaYMd7OYsVC/qYLC7tbGOy mPFnIrPFw24Ti6mP3zNZnD62l9mBzWPnrLvsHkuW/GTyOP1wMnsAcxSXTUpqTmZZapG+XQJX xuwrXUwFEyUrnqy4wtrAuFOki5GTQ0LARGJ793yWLkYuDiGBxUwSL66uYoJwNjBK7O95BOVc YZJo+rKOFaSFRUBFovXmQmYQmw3Ibui+DGaLCChLLL93hRmkgVlgBaPE7wXnWUASwgLZEus7 3oHZvED7er5cBBskJDCVUeLBBXGIuKDEyZlPwGqYBbQkbvx7CbSZA8iWllj+jwMkzCkQKNG+ awUbiC0KtGtv3yH2CYwCs5B0z0LSPQuhewEj8ypG2ZTcKt3cxMyc4tRk3eLkxLy81CJdI73c zBK91JTSTYygwOaU5N3B+O+u1yFGAQ5GJR7eGwxJ0UKsiWXFlbmHGCU5mJREeV3SgUJ8Sfkp lRmJxRnxRaU5qcWHGCU4mJVEeJs9gHK8KYmVValF+TApaQ4WJXHeezXh0UIC6YklqdmpqQWp RTBZGQ4OJQleeWAECwkWpaanVqRl5pQgpJk4OEGG8wANDykDGV5ckJhbnJkOkT/FqMvx5/3U ScxCLHn5ealS4rw5IEUCIEUZpXlwc0AJSSJ7f80rRnGgt4R5+0GqeIDJDG7SK6AlTEBLsh0T QZaUJCKkpBoYn5XffGUQwVil2xwVGe4qxN24cdKyTStvnLkld/HXfhfvOW3vVPJantd0Gk6e sWnzSrsj/nOPyOk9kFvr+9rz9u3g08fkrZgjrc3KP9THF/9bn/Vg66Mr1lx7TiQf2uW9btes z+sqirpMb0xX1tszyWCzY8qmU62aredt/5nstFa4usv1fbhVvRJLcUaioRZzUXEiAJb7lJMj AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/WO-KOpY5iTfvQduG9fkRoXOz6rQ>
Subject: Re: [v6ops] Benjamin Kaduk's No Objection on draft-ietf-v6ops-conditional-ras-06: (with COMMENT)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2018 03:18:18 -0000
Thanks for the updates, Jen. [inline] On Thu, Aug 02, 2018 at 12:50:46PM +1000, Jen Linkova wrote: > Hi Benjamin, > > > I'll echo Mirja and Spencer's question about the "empty" security > > considerations. (I actually don't much care for the "This memo introduces no > > new security considerations" formulation in general, unless it's literally the > > only content of the section -- it's either followed by new security > > considerations, in which it's just wrong, or followed by calling out specific > > portions of the referenced security considerations that are particularly > > relevant. In the latter case, it seems useful to provide more of a lead-in > > like "The general security considerations of [X] and[Y] apply, and in > > particular [...]".) > > The most recent version (-06) submitted yesterday now has some text in > the Security Considerations section: > > https://tools.ietf.org/html/draft-ietf-v6ops-conditional-ras-06#section-5 > > I hope it addresses your question. Oh! I was actually looking at the -06, but hadn't noticed how new it was (and thus that the previous comments referred to a much more empty security considerations section). I'd suggest dropping "This memo introduces no new security considerations." and starting off with something like "This memo describes a way to use existing Router Advertisements ([RFC4861]) and SLAAC ([RFC4862] mechansisms, and the security considerations for those technologies continue to apply. The types of message flows described in this memo could allow an attacker who is able to send a rogue RA to deprecate IPv6 addresses on hosts or [...]". > > Unfortunately, I don't seem to be in a good position to comment on actual > > additions to the security considerations section, since I don't have a clear > > picture of what the proposal in this document actually changes when compared to > > current/normal practices. This is presumably just a matter of my lacking the > > appropriate background knowledge for the routing bits, but in a scenario like > > Figure 3, with distinct edge and first-hop routers, what kind of RAs would the > > first-hop routers normally be sending? Would they be announcing the routes in > > question here just without the PIO markings, or not advertising anything at > > all, or something else? > > Normally the first-hop routers are sending RAs which contain PIOs for > the prefixes configured in the network. > If the preferred-lifetime is not explicitly specified in the > configuration by the administrator, those prefixes would have > the default value of lifetime (7 days). Or any other value explicitly > configured on the router (e.g. to deprecate a prefix for > renumbering/if the wrong > prefix has been configured, I have to edit routers configuration and > set "prefix 2001:db8:1::/54 preferred-lifetime 0"). Okay, so it sounds like the "new information" here is to conceptually tie the uplink status together with the RA preferred_lifetime fields, along with the policy implications on the routers themselves. The coverage added in the -06 seems to be enough, then. Thanks for the (quick) reply and clarifications! -Benjamin
- [v6ops] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Jen Linkova
- Re: [v6ops] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk