Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Lorenzo Colitti <lorenzo@google.com> Wed, 20 November 2013 10:18 UTC
Return-Path: <lorenzo@google.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AF0A1AD937 for <v6ops@ietfa.amsl.com>; Wed, 20 Nov 2013 02:18:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r92VhHBfOfDe for <v6ops@ietfa.amsl.com>; Wed, 20 Nov 2013 02:17:59 -0800 (PST)
Received: from mail-ie0-x22f.google.com (mail-ie0-x22f.google.com [IPv6:2607:f8b0:4001:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id D81471AD8F7 for <v6ops@ietf.org>; Wed, 20 Nov 2013 02:17:58 -0800 (PST)
Received: by mail-ie0-f175.google.com with SMTP id x13so236182ief.6 for <v6ops@ietf.org>; Wed, 20 Nov 2013 02:17:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=sr1Ks0riXIow4Y+mgWp3sBhi1i4MLdoI4iiY65KSUL0=; b=o1IOwkhWgo57dXy7cN4dLAMelNds0iRx5DwjEu/c7Co0SUcbWaoKzSKCQY43D86UQs PGRUZxt97pPR9o/WWUzqSd4RhpjZjcj25RF7hyoQYCWxeC244TpLKlrh2nJkGWiMdwXv LXYYBk+xDQ33431U0kY/XYRLRO0/+PBju/N03a0uYYiQmFGxGw9iiOp1+O4b6t290aQN eynVIwQqSV2Iklb9OuR1Uwxbz1l87aL9jx6hz6tufIf441hh8fHDCht94l+xUBIXm2Hn LNQukOHOtaUtervUtuPKdwfS7+LtknJSXjLFBeeO7XxJSpk7OA/d/vskdiOpNOilVxCL yLqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=sr1Ks0riXIow4Y+mgWp3sBhi1i4MLdoI4iiY65KSUL0=; b=dw8wVuTXISvz2jROIdGxKhCUyS8zh4UcNr+qHODjyDCxZqT2IcjrLysyYXlf6rwkqL 2DG9I323wHIbYz+E5nrki8vq/17qEGrt6aR4giG6kZ6IYgenJDLC2JuMq+4vMMi5zoGm 4f6pIqwxx5OA/GSHVyH7xKmYseBq7PsQPT0YByCJiTZpGsXx008HbOPj4kBCMYYE9Lj6 15I1pR/zrwQHrzK/RZdosbNAmhm4aPzu1CD8+jGrmUiA7GnOomO4g0n3E6G552d4b9Gs NJucGMYF7PYGWqzZ5ngalKsgvuIC4RqHGUGMvX9jzjC3emVbNZLQ3IwQcaraajhk7h9k jyrQ==
X-Gm-Message-State: ALoCoQlyK4+H7W+pHtm9Zo+gQRTRCw+ZsLjSuGfyeywTLqYhQ4TE21VLUtqhCJPwhLJFQCUtuB6WkLCqGXLhguBQ3/LK2L48Mj3zAsxRS2hfNWWTcRmM9/vKoXR0ZbGkMwzctXamT9no86RFktXehiassioeMZRfb8PAzu6A15bVNHDTLFN+DqPFLmIgbL2mRdi3ro9bX/G7
X-Received: by 10.50.153.50 with SMTP id vd18mr22303858igb.6.1384942672327; Wed, 20 Nov 2013 02:17:52 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.86.106 with HTTP; Wed, 20 Nov 2013 02:17:31 -0800 (PST)
In-Reply-To: <528C8878.4090808@globis.net>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <5288FC15.5080508@globis.net> <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com> <528C6E76.1010704@globis.net> <CAKD1Yr3Jfv+4+_KYHzkDP=Sm2-5jvDs_V32wrJ74YY_gZi-3AQ@mail.gmail.com> <528C8878.4090808@globis.net>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 20 Nov 2013 19:17:31 +0900
Message-ID: <CAKD1Yr2oAR7Zz_iTPSwfjFLRnYHofOsfvcnQ8jsYTeurnf7NrA@mail.gmail.com>
To: Ray Hunter <v6ops@globis.net>
Content-Type: multipart/alternative; boundary="089e013a009e04d53a04eb99180f"
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 10:18:01 -0000
On Wed, Nov 20, 2013 at 7:01 PM, Ray Hunter <v6ops@globis.net> wrote: > So what does the draft really say? > > Here's some filtering rules, that you may or may not like, which may or > may not be overridden, which may change over time, which only mitigate a > very limited number of threats, and maybe the ISP will manage the > security policy but maybe the end user wants to take this responsibility > Pretty much. Oh, and "this ISP has rolled it out and has not seen any issues so far". > Where's the evidence to say that this approach is any better than an > open security policy of "allow everything bi-directionally" ? > None, but none is required because nobody is trying to make such a statement. Which is good, because there is zero chance of this or any other IETF working group (or actually, any group of more than... oh, about 3 engineers) agreeing on such statement. > The threats are listed in the draft as: > > o denial of service by packet flooding: overwhelming either the > access bandwidth or the bandwidth of a slower link in the > residential network (like a slow home automation network) or the > CPU power of a slow IPv6 host (like networked thermostat or any > other sensor type nodes); > > not covered. > o denial of service by Neighbor Discovery cache exhaustion > [RFC6583]: the outside attacker floods the inside prefix(es) with > packets with a random destination address forcing the CPE to > exhaust its memory and its CPU in useless Neighbor Solicitations; > > not covered. > o denial of service by service requests: like sending print jobs > from the Internet to an ink jet printer until the ink cartridge is > empty or like filing some file server with junk data; > > not covered.e.g. port 515 > > o unauthorized use of services: like accessing a webcam or a file > server which are open to anonymous access within the residential > network but should not be accessed from outside of the home > network or accessing to remote desktop or SSH with weak password > protection; > > not covered. e.g. port 8080. > > o exploiting a vulnerability in the host in order to get access to > data or to execute some arbitrary code in the attacked host such > as several against old versions of Windows; > > not covered. > > o trojanized host (belonging to a Botnet) can communicate via a > covert channel to its master and launch attacks to Internet > targets. > > not covered. > Right. And the draft doesn't claim that to addresses those threats. > And in the Security section, the draft only addresses "Unauthorized > access because vulnerable ports are blocked" ? > Yep. As the abstract says, it's a balance. But the point about this draft is not the filtering policy itself, and in fact, the document makes no claims about what the policy should be. (This is good, because there's no chance of the WG ever agreeing on any specific policy.) It simply says, "here are some threats. here's what we rolled out. here's what we found out." IMO this is perfectly acceptable for an operational group such as this one, and it is of value because it represents real operational experience. IMHO this threat is anyway blocked by machine firewalls running on every > modern OS shipping today (any device that is likely to support IPv6) > I agree with you, but good luck finding lots of other people who do. As an aside, I'm confused how can you simultaneously make the argument that the draft doesn't cover port 515 and port 8080, and then in the same breath say that that threat is blocked anyway by any device that is likely to support IPv6. But again, neither is really the point of this draft. Cheees, Lorenzo
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter