Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 17 June 2016 20:14 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A0C12D112; Fri, 17 Jun 2016 13:14:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IffnKXeaLpQU; Fri, 17 Jun 2016 13:14:42 -0700 (PDT)
Received: from mail-pf0-x232.google.com (mail-pf0-x232.google.com [IPv6:2607:f8b0:400e:c00::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8318112DAAB; Fri, 17 Jun 2016 13:14:41 -0700 (PDT)
Received: by mail-pf0-x232.google.com with SMTP id c2so33843729pfa.2; Fri, 17 Jun 2016 13:14:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=k58vCRAygyXHmWeOMPHIWr6RNXxFVX8zErJ6gNGyPzs=; b=ZVnWxXMKagph+KAKb9qP5NK5Ic7FSG7F58Pu5gRNv5fWNr+9h8M0su/I6/UX8AeWTx l5LTPVlwrM/Vz7Ght5GjYK4s5XFE5BHRCZAlhNjQ3sZGrP5ZEGKk7Li6GVd4IxkSUteM vn1CY5ATNiqAwoWigC4ZIIqJ3LgwU1ItRdApyqa8dSaYoChnQwI9FO6X2GsPOOZqKwUf WY27iKdRRRgQq74ojT8OGkdSiZNFJl9TbjAgEpfqKP7GXSVLnHHKUQwenut0pGBj/FRN B8nu0LdScsLRyuTsnYKzIlEniUz8Ga74ysU/J3fT/qTaCzx1pK/OFecThiZMzVwrchW8 KD5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=k58vCRAygyXHmWeOMPHIWr6RNXxFVX8zErJ6gNGyPzs=; b=nGCw6LY/IVWTkjCudWK6i6XAXevvJtA+FLDPYs12CGPztwUTG7h8oAOtl6rG6aIqj/ cFjx/CVFeW5n9WJ+jKsQSNnEObABNCCjN1ijk67m9aN01yDI1ICVVck3/3HohAUb6J01 YBQvczBqJPIHTvNOgH462UPOBJUiDc+FsjPwFLaAmRLpNfDrim9U5dHMwL97G/Q0kRF3 0tHmk9gEMde7v7yXlTM2gMevQYJ65x56MKeV/OYvtuYkR/feGZpUzLleupyth/nd9W2I eTWacHrhSHe84evvgxdb6eeQTFCrasCnnKtJVqQwYHh7V6tN2eGfGwsbhjeaiEUsZstX OnWA==
X-Gm-Message-State: ALyK8tK5cNI2toa0ABonXB7vchXpzZpPUd3G/FL91RKcUGkTSNcSmDn3UiUJhzcg4ybmuQ==
X-Received: by 10.98.103.198 with SMTP id t67mr4200582pfj.158.1466194480933; Fri, 17 Jun 2016 13:14:40 -0700 (PDT)
Received: from [192.168.178.23] ([118.148.67.217]) by smtp.gmail.com with ESMTPSA id an13sm70368752pac.42.2016.06.17.13.14.37 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 17 Jun 2016 13:14:40 -0700 (PDT)
To: Marco Ermini <Marco.Ermini@ResMed.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004> <cb206c2c-a6ce-9ea9-4818-57c90bda3583@gmail.com> <38465846B6383D4A8688C0A13971900C48DC4637@ge2eml2k1004>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <26aa8d79-7f3c-d05b-15ea-dc11b240a19c@gmail.com>
Date: Sat, 18 Jun 2016 08:14:46 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <38465846B6383D4A8688C0A13971900C48DC4637@ge2eml2k1004>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/lU1Chj8QxLb9gxGnCwZ0dn5Nqb8>
Cc: "fgont@si6networks.com" <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 20:14:44 -0000
So, can we agree on "NAT is not required to provide security in IPv6 (see for example [RFC4864])." I agree that this aspect of IPv6, including the appropriate use of ULAs, is definitely hard to explain to people brought up on common IPv4 practice. Regards Brian On 17/06/2016 23:29, Marco Ermini wrote: > I am sorry Brian, I don't think you understood my argument. I am not arguing about you mention. I am arguing against the semantic of a phrase that says "NAT does not provide security". This sentence is semantically wrong, and usually comes from a priori NAT-haters (I have met a few). > > I am only against stating such sentence in the RFC, not against the fact that we don't need NAT. I hope this is clearer now. > > Anyway, I have made my point sufficiently, I believe. > > > Regards, > Marco. > > -----Original Message----- > From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] > Sent: Friday, June 17, 2016 3:40 AM > To: Marco Ermini; Erik Kline; Eric Vyncke (evyncke) > Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org > Subject: Re: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08 > > On 16/06/2016 21:15, Marco Ermini wrote: >> Well, actually, infrastructure hiding IS part of security. It is not the full picture, but it is incorrect to say that it is not. > > Have you read RFC4864 recently? Section 4.4 is all about how you don't need NAT to hide infrastructure topology in IPv6. > >> I personally don't sympathize on NAT-haters. NAT has its reasons, especially for carrier-grade NAT and especially in the telco scenario, and yes, it does provide some level of security - again, not the complete picture, but it does. > > That's IPv4. This is IPv6. > > Brian > >> >> >> Regards, >> >> Marco Ermini >> >> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD Senior IT Security Analyst D >> +49 (0)899 901 1523 M +49 (0)175 439 5642 >> >> ResMed Germany Inc >> >> >> -----Original Message----- >> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E >> Carpenter >> Sent: Thursday, June 16, 2016 1:45 AM >> To: Erik Kline; Eric Vyncke (evyncke) >> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; >> draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org >> Subject: Re: [OPSEC] [v6ops] Asking for a review of >> draft-ietf-opsec-v6-08 >> >> On 16/06/2016 07:45, Erik Kline wrote: >>> Section 2.1.2 is far too permissive for my tastes. We need to be >>> able to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF. >> >> I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security. >> >> While I'm here, some other points: >> >> "2.2. Extension Headers >> >> TBD, a short section referring to all Fernando's I-D & RFC." >> >> That's not the whole story ;-). Firstly, RFC 7045 has a lot of >> relevance to security aspects. Second, there is no reason to refer to >> most of the material (Fernando's or not) unless it's directly relevant >> to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering, >> but only if that document is going anywhere. >> >> "2.3.3. ND/RA Rate Limiting >> ... >> The following drafts are actively discussing methods to >> rate limit RAs and other ND messages on wifi networks in order to >> address this issue: >> >> o [I-D.thubert-savi-ra-throttler] >> >> o [I-D.chakrabarti-nordmark-6man-efficient-nd]" >> >> Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO. >> >> "4.2. Transition Mechanism >> >> SP will typically use transition mechanisms such as 6rd, 6PE, MAP, >> DS-Lite which have been analyzed in the transition Section 2.7.2 >> section." >> >> Shouldn't you add RFC6877 464XLAT now? >> >> Finally, I think there should be a Privacy Considerations section. >> >> Rgds >> Brian >> >>> >>> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well. We >>> should, in my opinion, make it painfully clear that DHCP (of any >>> protocol) in the absence of link-layer security/auditability features >>> does not provide any satisfactory way "to ensure audibility and >>> traceability" [Section 2.1.6]. >>> >>> _______________________________________________ >>> v6ops mailing list >>> v6ops@ietf.org >>> https://www.ietf.org/mailman/listinfo/v6ops >>> >> >> _______________________________________________ >> OPSEC mailing list >> OPSEC@ietf.org >> https://www.ietf.org/mailman/listinfo/opsec >> >
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Gert Doering
- Re: [v6ops] Asking for a review of draft-ietf-ops… Erik Kline
- Re: [v6ops] Asking for a review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Markus deBruen
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Fred Baker (fred)
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Andrews
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Brian E Carpenter
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Gert Doering
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Gert Doering
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] Asking for a review of draft-ietf-ops… Lorenzo Colitti
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Brian E Carpenter
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Brian E Carpenter
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] Asking for a review of draft-ietf-ops… Brian E Carpenter
- Re: [v6ops] Asking for a review of draft-ietf-ops… Erik Kline
- Re: [v6ops] Asking for a review of draft-ietf-ops… Sleigh, Robert
- [v6ops] Asking for a review of draft-ietf-opsec-v… Eric Vyncke (evyncke)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Fred Baker (fred)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Howard, Lee
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] Asking for a review of draft-ietf-ops… Mark Smith