Re: [v6ops] [saag] ITU-T SG17 IPv6 security work items liaison

Joe Touch <touch@isi.edu> Wed, 15 June 2011 00:17 UTC

Message-ID: <4DF7FA0D.6040201@isi.edu>
Date: Tue, 14 Jun 2011 17:17:17 -0700
From: Joe Touch <touch@isi.edu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <4DEA6323.4070302@cs.tcd.ie> <4DF69899.2050606@cs.tcd.ie> <4DF73138.6010009@inex.ie> <4DF740E5.4030309@cs.tcd.ie>
In-Reply-To: <4DF740E5.4030309@cs.tcd.ie>
Cc: v6ops@ietf.org, ipv6@ietf.org, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [v6ops] [saag] ITU-T SG17 IPv6 security work items liaison

Hi, all,

It'd be useful to wait until these docs (this v6ops one and the 6man one 
it refers to) are adopted by the relevant WGs before noting them in 
recommendations to external parties, IMO.

Some of the recommendations in these documents are akin to "if I didn't 
expect it, it's an attack", which I feel makes our protocols too brittle 
unless we are in a situation of known security compromise via other 
indicators. The latter doc (6man) also silently discards legitimate 
packets (complicating debugging), and ends up deprecating the entire 
extension header feature of IPv6 for all IPv6 signaling protocols - 
which seems like a bad idea overall.

I'd prefer to see the relevant WGs endorse these as useful ways forward 
before adding them to this list.

Joe

On 6/14/2011 4:07 AM, Stephen Farrell wrote:
>
> Thanks Nick,
>
> I'll add that unless someone tells me it's a bad plan.
> It's a fairly fresh I-D, but I guess it looks pretty
> relevant all right.
>
> S.
>
> On 14/06/11 11:00, Nick Hilliard wrote:
>> On 14/06/2011 00:09, Stephen Farrell wrote:
>>>       * RFC 6105 – "IPv6 Router Advertisement Guard"
>>>       * RFC 6106 – "IPv6 Router Advertisement Options for DNS
>>>         Configuration", §7 in particular.
>>
>> maybe mention draft-gont-v6ops-ra-guard-evasion?  It's not a strategic
>> focused document, but gives specific advice on a specific issue which is
>> relevant to ipv6 lan deployments.
>>
>> Nick
>>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
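The thread touches two sides of one problem: an RA Guard that only looks at the base IPv6 header's Next Header field can be evaded by putting the Router Advertisement behind an extension header (the issue draft-gont-v6ops-ra-guard-evasion addresses), while the blanket reaction of discarding any packet that carries an extension header also discards legitimate traffic, which is Joe's objection. The following is an added example written for this page; it is not code from the thread, from the drafts, or from any RA Guard implementation. It walks the IPv6 header chain to find the upper-layer protocol and compares three filter policies on constructed packets (ICMPv6 checksums are left at zero, and the "drop anything with an extension header" policy is an assumed stand-in for the blanket discard described above, not the 6man draft's actual rules).

```python
"""Classify IPv6 packets as Router Advertisements under three filter policies.

All packets below are constructed inline for the example; they are not captures.
Checksums are left as 0 because no policy here validates them.
"""
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
ICMPV6_MLDV2_REPORT = 143
VARIABLE_LEN_EH = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}  # 8 * (hdr_ext_len + 1) octets
ALL_EH = VARIABLE_LEN_EH | {NH_FRAGMENT}                # fragment header is fixed 8 octets


def ipv6(next_header, payload, hop_limit=255):
    """Base IPv6 header (link-local source, all-nodes multicast destination) + payload."""
    src = bytes.fromhex("fe80000000000000" "0000000000000001")
    dst = bytes.fromhex("ff02000000000000" "0000000000000001")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                       next_header, hop_limit, src, dst) + payload


def dest_opts(next_header):
    """Destination Options header carrying one PadN option (8 octets total)."""
    return struct.pack("!BB", next_header, 0) + bytes([1, 4, 0, 0, 0, 0])


def hop_by_hop_router_alert(next_header):
    """Hop-by-Hop header with a Router Alert option (value 0 = MLD) plus PadN padding."""
    return struct.pack("!BB", next_header, 0) + bytes([5, 2, 0, 0, 1, 0])


def icmpv6(msg_type, body):
    return struct.pack("!BBH", msg_type, 0, 0) + body  # type, code, checksum (unset)


# cur hop limit, flags, router lifetime, reachable time, retrans timer
RA_BODY = struct.pack("!BBHII", 64, 0, 1800, 0, 0)


def walk_chain(pkt):
    """Walk the extension-header chain.

    Returns (ext_headers_seen, upper_layer_proto, offset_of_upper_layer_header).
    upper_layer_proto is None when this packet is a non-first fragment, i.e. the
    upper-layer header is simply not present and cannot be inspected here.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen = pkt[6], IPV6_HDR_LEN, []
    while nh in ALL_EH:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        seen.append(nh)
        if nh == NH_FRAGMENT:
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            nh, off = pkt[off], off + 8
            if frag_off != 0:
                return seen, None, off
        else:
            nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
    return seen, nh, off


def is_ra_naive(pkt):
    """Policy 1: inspect only the base header's Next Header. Misses an RA behind any EH."""
    return pkt[6] == NH_ICMPV6 and pkt[IPV6_HDR_LEN] == ICMPV6_ROUTER_ADVERT


def drop_any_extension_header(pkt):
    """Policy 2: treat every extension header as hostile. Catches the evasion,
    but also drops legitimate traffic that must carry an EH (e.g. MLD)."""
    return pkt[6] in ALL_EH


def is_ra_chain_walk(pkt):
    """Policy 3: follow the chain to the real upper-layer header.
    Returns None when the header is not in this packet (non-first fragment)."""
    _, upper, off = walk_chain(pkt)
    if upper is None:
        return None
    return upper == NH_ICMPV6 and off < len(pkt) and pkt[off] == ICMPV6_ROUTER_ADVERT


# Constructed sample packets
PLAIN_RA = ipv6(NH_ICMPV6, icmpv6(ICMPV6_ROUTER_ADVERT, RA_BODY))
RA_BEHIND_DSTOPTS = ipv6(NH_DSTOPTS, dest_opts(NH_ICMPV6) + icmpv6(ICMPV6_ROUTER_ADVERT, RA_BODY))
MLD_REPORT = ipv6(NH_HOPOPTS, hop_by_hop_router_alert(NH_ICMPV6)
                  + icmpv6(ICMPV6_MLDV2_REPORT, struct.pack("!HH", 0, 0)))
NON_FIRST_FRAGMENT = ipv6(NH_FRAGMENT, struct.pack("!BBHI", NH_ICMPV6, 0, 1 << 3, 0xDEADBEEF) + bytes(8))


if __name__ == "__main__":
    for name, pkt in [("plain RA", PLAIN_RA), ("RA behind DstOpts", RA_BEHIND_DSTOPTS),
                      ("MLDv2 report", MLD_REPORT), ("non-first fragment", NON_FIRST_FRAGMENT)]:
        print(f"{name:20s} naive_is_ra={is_ra_naive(pkt)!s:5s} "
              f"drop_any_eh={drop_any_extension_header(pkt)!s:5s} "
              f"chain_is_ra={is_ra_chain_walk(pkt)}")
```

The naive policy passes the RA hidden behind a Destination Options header, the blanket policy drops it but also drops the MLDv2 report, which legitimately has to carry a Hop-by-Hop Router Alert, and the chain walk classifies both correctly. The non-first fragment is the case no per-packet policy can decide: the chain walk reports it as unclassifiable rather than silently dropping or passing it, which is the kind of explicit outcome that keeps debugging possible.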