IETF Logo Mail Archive

Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 17 June 2016 20:14 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A0C12D112; Fri, 17 Jun 2016 13:14:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IffnKXeaLpQU; Fri, 17 Jun 2016 13:14:42 -0700 (PDT)
Received: from mail-pf0-x232.google.com (mail-pf0-x232.google.com [IPv6:2607:f8b0:400e:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8318112DAAB; Fri, 17 Jun 2016 13:14:41 -0700 (PDT)
Received: by mail-pf0-x232.google.com with SMTP id c2so33843729pfa.2; Fri, 17 Jun 2016 13:14:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=k58vCRAygyXHmWeOMPHIWr6RNXxFVX8zErJ6gNGyPzs=; b=ZVnWxXMKagph+KAKb9qP5NK5Ic7FSG7F58Pu5gRNv5fWNr+9h8M0su/I6/UX8AeWTx l5LTPVlwrM/Vz7Ght5GjYK4s5XFE5BHRCZAlhNjQ3sZGrP5ZEGKk7Li6GVd4IxkSUteM vn1CY5ATNiqAwoWigC4ZIIqJ3LgwU1ItRdApyqa8dSaYoChnQwI9FO6X2GsPOOZqKwUf WY27iKdRRRgQq74ojT8OGkdSiZNFJl9TbjAgEpfqKP7GXSVLnHHKUQwenut0pGBj/FRN B8nu0LdScsLRyuTsnYKzIlEniUz8Ga74ysU/J3fT/qTaCzx1pK/OFecThiZMzVwrchW8 KD5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=k58vCRAygyXHmWeOMPHIWr6RNXxFVX8zErJ6gNGyPzs=; b=nGCw6LY/IVWTkjCudWK6i6XAXevvJtA+FLDPYs12CGPztwUTG7h8oAOtl6rG6aIqj/ cFjx/CVFeW5n9WJ+jKsQSNnEObABNCCjN1ijk67m9aN01yDI1ICVVck3/3HohAUb6J01 YBQvczBqJPIHTvNOgH462UPOBJUiDc+FsjPwFLaAmRLpNfDrim9U5dHMwL97G/Q0kRF3 0tHmk9gEMde7v7yXlTM2gMevQYJ65x56MKeV/OYvtuYkR/feGZpUzLleupyth/nd9W2I eTWacHrhSHe84evvgxdb6eeQTFCrasCnnKtJVqQwYHh7V6tN2eGfGwsbhjeaiEUsZstX OnWA==
X-Gm-Message-State: ALyK8tK5cNI2toa0ABonXB7vchXpzZpPUd3G/FL91RKcUGkTSNcSmDn3UiUJhzcg4ybmuQ==
X-Received: by 10.98.103.198 with SMTP id t67mr4200582pfj.158.1466194480933; Fri, 17 Jun 2016 13:14:40 -0700 (PDT)
Received: from [192.168.178.23] ([118.148.67.217]) by smtp.gmail.com with ESMTPSA id an13sm70368752pac.42.2016.06.17.13.14.37 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 17 Jun 2016 13:14:40 -0700 (PDT)
To: Marco Ermini <Marco.Ermini@ResMed.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004> <cb206c2c-a6ce-9ea9-4818-57c90bda3583@gmail.com> <38465846B6383D4A8688C0A13971900C48DC4637@ge2eml2k1004>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <26aa8d79-7f3c-d05b-15ea-dc11b240a19c@gmail.com>
Date: Sat, 18 Jun 2016 08:14:46 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <38465846B6383D4A8688C0A13971900C48DC4637@ge2eml2k1004>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/lU1Chj8QxLb9gxGnCwZ0dn5Nqb8>
Cc: "fgont@si6networks.com" <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 20:14:44 -0000

So, can we agree on "NAT is not required to provide security in IPv6 (see
for example [RFC4864])."

I agree that this aspect of IPv6, including the appropriate use of ULAs,
is definitely hard to explain to people brought up on common IPv4 practice.

Regards
   Brian

On 17/06/2016 23:29, Marco Ermini wrote:
> I am sorry Brian, I don't think you understood my argument.  I am not arguing about you mention.  I am arguing against the semantic of a phrase that says "NAT does not provide security".  This sentence is semantically wrong, and usually comes from a priori NAT-haters (I have met a few).
> 
> I am only against stating such sentence in the RFC, not against the fact that we don't need NAT.  I hope this is clearer now.
> 
> Anyway, I have made my point sufficiently, I believe.
> 
> 
> Regards,
> Marco.
> 
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
> Sent: Friday, June 17, 2016 3:40 AM
> To: Marco Ermini; Erik Kline; Eric Vyncke (evyncke)
> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
> Subject: Re: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08
> 
> On 16/06/2016 21:15, Marco Ermini wrote:
>> Well, actually, infrastructure hiding IS part of security.  It is not the full picture, but it is incorrect to say that it is not.
> 
> Have you read RFC4864 recently? Section 4.4 is all about how you don't need NAT to hide infrastructure topology in IPv6.
> 
>> I personally don't sympathize on NAT-haters.  NAT has its reasons, especially for carrier-grade NAT and especially in the telco scenario, and yes, it does provide some level of security - again, not the complete picture, but it does.
> 
> That's IPv4. This is IPv6.
> 
>     Brian
> 
>>
>>
>> Regards,
>> ​​​​​
>> Marco Ermini
>>
>> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD Senior IT Security Analyst D 
>> +49 (0)899 901 1523  M +49 (0)175 439 5642
>>
>> ResMed Germany Inc
>>
>>
>> -----Original Message-----
>> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E 
>> Carpenter
>> Sent: Thursday, June 16, 2016 1:45 AM
>> To: Erik Kline; Eric Vyncke (evyncke)
>> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; 
>> draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
>> Subject: Re: [OPSEC] [v6ops] Asking for a review of 
>> draft-ietf-opsec-v6-08
>>
>> On 16/06/2016 07:45, Erik Kline wrote:
>>> Section 2.1.2 is far too permissive for my tastes.  We need to be 
>>> able to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF.
>>
>> I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security.
>>
>> While I'm here, some other points:
>>
>> "2.2.  Extension Headers
>>
>>    TBD, a short section referring to all Fernando's I-D & RFC."
>>
>> That's not the whole story ;-). Firstly, RFC 7045 has a lot of 
>> relevance to security aspects. Second, there is no reason to refer to 
>> most of the material (Fernando's or not) unless it's directly relevant 
>> to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering,
>> but only if that document is going anywhere.
>>
>> "2.3.3.  ND/RA Rate Limiting
>> ...
>>    The following drafts are actively discussing methods to
>>    rate limit RAs and other ND messages on wifi networks in order to
>>    address this issue:
>>
>>    o  [I-D.thubert-savi-ra-throttler]
>>
>>    o  [I-D.chakrabarti-nordmark-6man-efficient-nd]"
>>
>> Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO.
>>
>> "4.2.  Transition Mechanism
>>
>>    SP will typically use transition mechanisms such as 6rd, 6PE, MAP,
>>    DS-Lite which have been analyzed in the transition Section 2.7.2
>>    section."
>>
>> Shouldn't you add RFC6877 464XLAT now?
>>
>> Finally, I think there should be a Privacy Considerations section.
>>
>> Rgds
>>     Brian
>>
>>>
>>> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well.  We 
>>> should, in my opinion, make it painfully clear that DHCP (of any
>>> protocol) in the absence of link-layer security/auditability features 
>>> does not provide any satisfactory way "to ensure audibility and 
>>> traceability" [Section 2.1.6].
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>
>> _______________________________________________
>> OPSEC mailing list
>> OPSEC@ietf.org
>> https://www.ietf.org/mailman/listinfo/opsec
>>
>

v2.23.0 | Report a Bug | By Email