Re: [v6ops] [saag] ITU-T SG17 IPv6 security work items liaison
Joe Touch <touch@isi.edu> Wed, 15 June 2011 00:17 UTC
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: v6ops@ietf.org, ipv6@ietf.org, "saag@ietf.org" <saag@ietf.org>

Hi, all,

It'd be useful to wait until these docs (this v6ops one and the 6man one it refers to) are adopted by the relevant WGs before noting them in recommendations to external parties, IMO.

Some of the recommendations in these documents are akin to "if I didn't expect it, it's an attack", which I feel makes our protocols too brittle unless we are in a situation of known security compromise via other indicators.

The latter doc (6man) also silently discards legitimate packets (complicating debugging), and ends up deprecating the entire extension header feature of IPv6 for all IPv6 signaling protocols - which seems like a bad idea overall.

I'd prefer to see the relevant WGs endorse these as useful ways forward before adding them to this list.

Joe

On 6/14/2011 4:07 AM, Stephen Farrell wrote:
>
> Thanks Nick,
>
> I'll add that unless someone tells me it's a bad plan.
> It's a fairly fresh I-D, but I guess it looks pretty
> relevant all right.
>
> S.
>
> On 14/06/11 11:00, Nick Hilliard wrote:
>> On 14/06/2011 00:09, Stephen Farrell wrote:
>>> * RFC 6105 – "IPv6 Router Advertisement Guard"
>>> * RFC 6106 – "IPv6 Router Advertisement Options for DNS
>>> Configuration", §7 in particular.
>>
>> maybe mention draft-gont-v6ops-ra-guard-evasion? It's not a strategic
>> focused document, but gives specific advice on a specific issue which is
>> relevant to ipv6 lan deployments.
>>
>> Nick