IETF Logo Mail Archive

Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Marco Ermini <Marco.Ermini@ResMed.com> Fri, 17 June 2016 11:29 UTC

Return-Path: <Marco.Ermini@ResMed.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CB5712D1D1; Fri, 17 Jun 2016 04:29:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIJeb1wE1E3n; Fri, 17 Jun 2016 04:29:11 -0700 (PDT)
Received: from mail1.bemta6.messagelabs.com (mail1.bemta6.messagelabs.com [85.158.143.249]) by ietfa.amsl.com (Postfix) with ESMTP id DBBC912D19B; Fri, 17 Jun 2016 04:29:10 -0700 (PDT)
Received: from [85.158.143.99] by server-2.bemta-6.messagelabs.com id E3/6F-11548-50FD3675; Fri, 17 Jun 2016 11:29:09 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrNKsWRWlGSWpSXmKPExsVy+JUily7z/eR wgy9bhCye7rzCYvFh6102i9PH9jI7MHssWfKTKYAxijUzLym/IoE1Y9vL7UwFH3Ur9q6dwNzA uES3i5GLQ0hgPaNE14QNjBDOHkaJs6dvMXcxcnKwCehI/F++ix3EFhGolZhy/A8zSBGzwBdGi WNzVjF1MXJwCAt4SVzs9Iao8ZZoePubFcL2k9h3chULiM0ioCrR/OATWJxXwFni7ue/bBDLJj JJfN+8jQ0kwSlgK/H31kywZYwCshJfGleDHcEsIC5x68l8JhBbQkBAYsme88wQtqjEy8f/WCF sRYnLv6ewgNzDLKApsX6XPkSrosSU7ofsEHsFJU7OfAJ2j5CAikT7gmVQrcESs7/dYJrAKDYL ybZZCJNmIZk0C8mkBYwsqxjVi1OLylKLdA31kooy0zNKchMzc3QNDcz0clOLixPTU3MSk4r1k vNzNzECI4sBCHYw7nzudIhRkoNJSZR37rnkcCG+pPyUyozE4oz4otKc1OJDjDIcHEoSvHfvAu UEi1LTUyvSMnOAMQ6TluDgURLhnQWS5i0uSMwtzkyHSJ1itOS4s/jGWiaOW88eAMlPEw4cYxJ iycvPS5US5z0D0iAA0pBRmgc3DpaGLjHKSgnzMgIdKMRTkFqUm1mCKv+KUZyDUUmYdzHIFJ7M vBK4ra+ADmICOkhzHthBJYkIKakGRtaYr4fiPrRpfePo2/k6+JlTxCI52yKBYw8OcBqvzLG3m 3zbTCjQ6BPf7vc5oSzcF07NYgnf8I7508XAGfec9YW/bj1vu2iaHPOr4+dO+c+SZnb/wnNF0u 3ie6Y+Lnml3HerRD5X7HFs/vDyGtfU3S9Ovn59pGL7Xe7mQw5zbibM//XT3MlPr1eJpTgj0VC Luag4EQA6weCAPgMAAA==
X-Env-Sender: Marco.Ermini@ResMed.com
X-Msg-Ref: server-8.tower-216.messagelabs.com!1466162947!11271579!1
X-Originating-IP: [195.234.33.10]
X-StarScan-Received:
X-StarScan-Version: 8.46; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 27432 invoked from network); 17 Jun 2016 11:29:07 -0000
Received: from unknown (HELO mx.resmed.de) (195.234.33.10) by server-8.tower-216.messagelabs.com with SMTP; 17 Jun 2016 11:29:07 -0000
Received: from GE2EML2K1002.corp.resmed.org ([172.17.6.117]) by mx.resmed.de over TLS secured channel with Microsoft SMTPSVC(8.5.9600.16384); Fri, 17 Jun 2016 13:29:06 +0200
Received: from GE2EML2K1004.corp.resmed.org ([172.17.6.120]) by GE2EML2K1002.corp.resmed.org ([fe80::f03c:7713:9fd9:8984%16]) with mapi id 14.03.0210.002; Fri, 17 Jun 2016 13:29:08 +0200
From: Marco Ermini <Marco.Ermini@ResMed.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Thread-Topic: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08
Thread-Index: AQHRxvO7NZqKAcq6O0Gp7Rf6mrYAKJ/qzYSAgABC14CAAMBooIAA8f0AgADFp2A=
Date: Fri, 17 Jun 2016 11:29:05 +0000
Message-ID: <38465846B6383D4A8688C0A13971900C48DC4637@ge2eml2k1004>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004> <cb206c2c-a6ce-9ea9-4818-57c90bda3583@gmail.com>
In-Reply-To: <cb206c2c-a6ce-9ea9-4818-57c90bda3583@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.17.48.101]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Jun 2016 11:29:06.0849 (UTC) FILETIME=[758AB910:01D1C88B]
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/l2brMGcBs4zdP5Deuvhe0XGhz7I>
Cc: "fgont@si6networks.com" <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 11:29:13 -0000

I am sorry Brian, I don't think you understood my argument.  I am not arguing about you mention.  I am arguing against the semantic of a phrase that says "NAT does not provide security".  This sentence is semantically wrong, and usually comes from a priori NAT-haters (I have met a few).

I am only against stating such sentence in the RFC, not against the fact that we don't need NAT.  I hope this is clearer now.

Anyway, I have made my point sufficiently, I believe.


Regards,
Marco.

-----Original Message-----
From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
Sent: Friday, June 17, 2016 3:40 AM
To: Marco Ermini; Erik Kline; Eric Vyncke (evyncke)
Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
Subject: Re: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08

On 16/06/2016 21:15, Marco Ermini wrote:
> Well, actually, infrastructure hiding IS part of security.  It is not the full picture, but it is incorrect to say that it is not.

Have you read RFC4864 recently? Section 4.4 is all about how you don't need NAT to hide infrastructure topology in IPv6.

> I personally don't sympathize on NAT-haters.  NAT has its reasons, especially for carrier-grade NAT and especially in the telco scenario, and yes, it does provide some level of security - again, not the complete picture, but it does.

That's IPv4. This is IPv6.

    Brian

> 
> 
> Regards,
> ​​​​​
> Marco Ermini
> 
> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD Senior IT Security Analyst D 
> +49 (0)899 901 1523  M +49 (0)175 439 5642
> 
> ResMed Germany Inc
> 
> 
> -----Original Message-----
> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E 
> Carpenter
> Sent: Thursday, June 16, 2016 1:45 AM
> To: Erik Kline; Eric Vyncke (evyncke)
> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; 
> draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
> Subject: Re: [OPSEC] [v6ops] Asking for a review of 
> draft-ietf-opsec-v6-08
> 
> On 16/06/2016 07:45, Erik Kline wrote:
>> Section 2.1.2 is far too permissive for my tastes.  We need to be 
>> able to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF.
> 
> I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security.
> 
> While I'm here, some other points:
> 
> "2.2.  Extension Headers
> 
>    TBD, a short section referring to all Fernando's I-D & RFC."
> 
> That's not the whole story ;-). Firstly, RFC 7045 has a lot of 
> relevance to security aspects. Second, there is no reason to refer to 
> most of the material (Fernando's or not) unless it's directly relevant 
> to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering,
> but only if that document is going anywhere.
> 
> "2.3.3.  ND/RA Rate Limiting
> ...
>    The following drafts are actively discussing methods to
>    rate limit RAs and other ND messages on wifi networks in order to
>    address this issue:
> 
>    o  [I-D.thubert-savi-ra-throttler]
> 
>    o  [I-D.chakrabarti-nordmark-6man-efficient-nd]"
> 
> Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO.
> 
> "4.2.  Transition Mechanism
> 
>    SP will typically use transition mechanisms such as 6rd, 6PE, MAP,
>    DS-Lite which have been analyzed in the transition Section 2.7.2
>    section."
> 
> Shouldn't you add RFC6877 464XLAT now?
> 
> Finally, I think there should be a Privacy Considerations section.
> 
> Rgds
>     Brian
> 
>>
>> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well.  We 
>> should, in my opinion, make it painfully clear that DHCP (of any
>> protocol) in the absence of link-layer security/auditability features 
>> does not provide any satisfactory way "to ensure audibility and 
>> traceability" [Section 2.1.6].
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>

v2.23.0 | Report a Bug | By Email