Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Marco Ermini <Marco.Ermini@ResMed.com> Thu, 16 June 2016 09:15 UTC

From: Marco Ermini <Marco.Ermini@ResMed.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Date: Thu, 16 Jun 2016 09:15:17 +0000
Message-ID: <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com>
In-Reply-To: <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/hrwk8fTsjDlwMKg12-6Y3Djfqtc>
Cc: "fgont@si6networks.com" <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "v6ops@ietf.org" <v6ops@ietf.org>

Well, actually, infrastructure hiding IS part of security.  It is not the full picture, but it is incorrect to say that it is not.

I personally don't sympathize with NAT-haters.  NAT has its reasons, especially for carrier-grade NAT and especially in the telco scenario, and yes, it does provide some level of security - again, not the complete picture, but it does.


Regards,
Marco Ermini

CISSP, CISA, CISM, CEH, ITIL, MCP, PhD
Senior IT Security Analyst
D +49 (0)899 901 1523  M +49 (0)175 439 5642

ResMed Germany Inc


-----Original Message-----
From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E Carpenter
Sent: Thursday, June 16, 2016 1:45 AM
To: Erik Kline; Eric Vyncke (evyncke)
Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
Subject: Re: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08

On 16/06/2016 07:45, Erik Kline wrote:
> Section 2.1.2 is far too permissive for my tastes.  We need to be able 
> to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF.

I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security.

While I'm here, some other points:

"2.2.  Extension Headers

   TBD, a short section referring to all Fernando's I-D & RFC."

That's not the whole story ;-). Firstly, RFC 7045 has a lot of relevance to security aspects. Second, there is no reason to refer to most of the material (Fernando's or not) unless it's directly relevant to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering, but only if that document is going anywhere.

"2.3.3.  ND/RA Rate Limiting
...
   The following drafts are actively discussing methods to
   rate limit RAs and other ND messages on wifi networks in order to
   address this issue:

   o  [I-D.thubert-savi-ra-throttler]

   o  [I-D.chakrabarti-nordmark-6man-efficient-nd]"

Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO.

"4.2.  Transition Mechanism

   SP will typically use transition mechanisms such as 6rd, 6PE, MAP,
   DS-Lite which have been analyzed in the transition Section 2.7.2
   section."

Shouldn't you add RFC6877 464XLAT now?

Finally, I think there should be a Privacy Considerations section.

Rgds
    Brian

> 
> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well.  We 
> should, in my opinion, make it painfully clear that DHCP (of any
> protocol) in the absence of link-layer security/auditability features 
> does not provide any satisfactory way "to ensure audibility and 
> traceability" [Section 2.1.6].
> 
> 

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
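The point argued back and forth above (NAT "does provide some level of security" versus "NAT != security") comes down to where the protective property actually lives. The snippet below is an added illustration, not code from the thread or from the draft under review: a minimal connection-tracking filter in the style of a stateful firewall, run once as a NAT44 box (with address rewriting) and once as a plain IPv6 stateful filter (no rewriting). The accept/drop decision for inbound traffic is the same table lookup in both modes, so unsolicited inbound packets are dropped and replies to outbound flows are accepted whether or not addresses are translated; and an explicitly exposed port is equally reachable in both. The addresses and port numbers are constructed sample values from the documentation ranges, and the simplification that source ports are not rewritten is an assumption of this toy model.

```python
"""Constructed example: stateful filtering with and without address
translation. The inbound decision depends only on tracked flow state."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


FlowKey = Tuple[str, int, str, int, str]


class StatefulFilter:
    """A connection-tracking filter.

    public_addr=None  -> plain stateful filter (IPv6 case, no translation)
    public_addr="..." -> NAT44-style: outbound source is rewritten to
                         public_addr and the inside address is remembered
    Ports are never rewritten here (a simplification of this toy model).
    """

    def __init__(self, public_addr: Optional[str] = None) -> None:
        self.public_addr = public_addr
        # outside-view 5-tuple of an outbound flow -> inside source address
        self.flows: Dict[FlowKey, str] = {}
        # (outside-view dst addr, dport, proto) -> inside address
        self.pinholes: Dict[Tuple[str, int, str], str] = {}
        self.log: List[str] = []

    def expose(self, dport: int, inside: str, proto: str = "tcp") -> None:
        """Deliberately allow unsolicited inbound traffic to one service.
        With NAT this is a port forward; without NAT it is a plain allow rule."""
        outside_addr = self.public_addr or inside
        self.pinholes[(outside_addr, dport, proto)] = inside

    def outbound(self, p: Packet) -> Packet:
        """Record the flow and emit the packet as seen on the outside."""
        src = self.public_addr or p.src
        self.flows[(src, p.sport, p.dst, p.dport, p.proto)] = p.src
        return Packet(src, p.sport, p.dst, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Return the packet delivered inside, or None if it is dropped."""
        # A reply's (src, sport, dst, dport) is the tracked flow reversed.
        inside = self.flows.get((p.dst, p.dport, p.src, p.sport, p.proto))
        if inside is not None:
            self.log.append(f"ACCEPT established {p.src}:{p.sport} -> {inside}:{p.dport}")
            return Packet(p.src, p.sport, inside, p.dport, p.proto)
        inside = self.pinholes.get((p.dst, p.dport, p.proto))
        if inside is not None:
            self.log.append(f"ACCEPT exposed {p.src}:{p.sport} -> {inside}:{p.dport}")
            return Packet(p.src, p.sport, inside, p.dport, p.proto)
        self.log.append(f"DROP unsolicited {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return None


def run_scenario(f: StatefulFilter, client: str, server: str, scanner: str) -> Tuple[bool, bool]:
    """Constructed traffic: one outbound HTTPS flow, its reply, and an
    unsolicited probe to port 22 on the client's outside-visible address.
    Returns (reply_delivered, probe_delivered)."""
    out = f.outbound(Packet(client, 40000, server, 443))
    reply = f.inbound(Packet(server, 443, out.src, 40000))
    probe = f.inbound(Packet(scanner, 5555, out.src, 22))
    return reply is not None, probe is not None


if __name__ == "__main__":
    v6 = StatefulFilter()  # no translation
    print("IPv6 stateful filter:", run_scenario(v6, "2001:db8:1::10", "2001:db8:2::1", "2001:db8:3::9"))
    nat = StatefulFilter(public_addr="192.0.2.1")
    print("NAT44 box:           ", run_scenario(nat, "10.0.0.10", "198.51.100.1", "203.0.113.9"))
    for line in v6.log + nat.log:
        print(" ", line)
```

Both runs print `(True, False)`: the reply is delivered and the probe is dropped, with or without translation. Calling `expose(22, ...)` on either filter makes the same probe deliverable in both, which is the operational corollary: hiding inside addresses behind a translator neither adds to nor substitutes for the stateful policy, and an IPv6 deployment gets the identical property from a stateful filter alone.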