Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 17 June 2016 01:39 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34B0F12DE5A; Thu, 16 Jun 2016 18:39:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GjLP6bkdhEmM; Thu, 16 Jun 2016 18:39:26 -0700 (PDT)
Received: from mail-pf0-x234.google.com (mail-pf0-x234.google.com [IPv6:2607:f8b0:400e:c00::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45BF412D8E3; Thu, 16 Jun 2016 18:39:26 -0700 (PDT)
Received: by mail-pf0-x234.google.com with SMTP id i123so21504406pfg.0; Thu, 16 Jun 2016 18:39:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=odFFwxCuq6kkO8jAxT6tY0fM0ohVaoty6Gkts7IHa+A=; b=JgWqkC+cerirZUGo79Nq5mFmK5LIWwxN+mHsxMTCQelGs0j9RRE2o6BhOs44BDm4m9 kaBdjURFLo4ITciTyz9mHRPCAoX2/0FHI+61Shz8LSEDOMN5phmgnnVn+Bt0N8YTdY/N v/g7fRq6J8WI0vuFtG4ymwQ6rXBD1GNpmm2m8Hhb3309bA9tm4d3Nkc7u0ht4jtX0IJS 0fENS9kzw4bKbhzCrR66QtFeVbpsQeucv9mpE8wpAvvEGZZYzdeARuv3AfFJA+AZL1RM V/Vc578vZ/u0r+WJyUtq2ywkRlIEr7VHLDlCcM4XUUtDQ1TF15KGIfFeWPjgFSOBBdOt zRtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=odFFwxCuq6kkO8jAxT6tY0fM0ohVaoty6Gkts7IHa+A=; b=JvtSXlaPuntVYazpg0p+Ic/rZgnIZ5b1SmiiYg1+gt+1FsCQdDiXhNNOihOubYfXOK 9DgAzoxTEPAkr5zQNG7AkwqfLbClHdpHQLgUbMDwLj2P2JyZrCEqkhh9ORuHeVUKkGD/ iG4cKT2QuRd2crCbaD2x5rIEZY/1zY277sbMOcAjnkZTv7BGsMA27RViHarTBOZhc7aP 5kiH9RCWJcQl9p8nhxm5h592BN2m+moeb5nEAJh3LeSEHvMEZqo7KfGppuuueG758Utq jy0zXyHwkTqr79qWFtAUgA8rUcuGIOT1BtgEXDmE1RT6uI+DqTfXpWGeNOj32GD26o1t 9Elw==
X-Gm-Message-State: ALyK8tKrnbkhCr22+4LLpipgjPK24XUmRhfcyJ7c0j2MEy6DhyDM1PdhrDZrtYqLPVKPWA==
X-Received: by 10.98.70.11 with SMTP id t11mr8657013pfa.16.1466127565821; Thu, 16 Jun 2016 18:39:25 -0700 (PDT)
Received: from [192.168.178.23] ([118.148.76.242]) by smtp.gmail.com with ESMTPSA id c8sm40992272pfb.33.2016.06.16.18.39.21 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 16 Jun 2016 18:39:25 -0700 (PDT)
To: Marco Ermini <Marco.Ermini@ResMed.com>, Erik Kline <ek@google.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <D386FF93.75916%evyncke@cisco.com> <CAAedzxqBr=ApvGTUrjNUnRmpcamkt4OH1CchcDEWgDcXRgo8Fw@mail.gmail.com> <173d2c6b-4cbf-88da-cf20-710a90e04c7e@gmail.com> <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <cb206c2c-a6ce-9ea9-4818-57c90bda3583@gmail.com>
Date: Fri, 17 Jun 2016 13:39:30 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <38465846B6383D4A8688C0A13971900C48DBF82F@ge2eml2k1004>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/xyTiePUmXF0EIy_JWYsRIfzWjd4>
Cc: "fgont@si6networks.com" <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6@ietf.org" <draft-ietf-opsec-v6@ietf.org>, "linkedin@xn--debrn-nva.de" <linkedin@xn--debrn-nva.de>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] [OPSEC] Asking for a review of draft-ietf-opsec-v6-08
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jun 2016 01:39:29 -0000
On 16/06/2016 21:15, Marco Ermini wrote:
> Well, actually, infrastructure hiding IS part of security. It is not the full picture, but it is incorrect to say that it is not.
Have you read RFC4864 recently? Section 4.4 is all about how you don't need
NAT to hide infrastructure topology in IPv6.
> I personally don't sympathize on NAT-haters. NAT has its reasons, especially for carrier-grade NAT and especially in the telco scenario, and yes, it does provide some level of security - again, not the complete picture, but it does.
That's IPv4. This is IPv6.
Brian
>
>
> Regards,
>
> Marco Ermini
>
> CISSP, CISA, CISM, CEH, ITIL, MCP, PhD
> Senior IT Security Analyst
> D +49 (0)899 901 1523 M +49 (0)175 439 5642
>
> ResMed Germany Inc
>
>
> -----Original Message-----
> From: OPSEC [mailto:opsec-bounces@ietf.org] On Behalf Of Brian E Carpenter
> Sent: Thursday, June 16, 2016 1:45 AM
> To: Erik Kline; Eric Vyncke (evyncke)
> Cc: fgont@si6networks.com; opsec@ietf.org; linkedin@xn--debrn-nva.de; draft-ietf-opsec-v6@ietf.org; v6ops@ietf.org
> Subject: Re: [OPSEC] [v6ops] Asking for a review of draft-ietf-opsec-v6-08
>
> On 16/06/2016 07:45, Erik Kline wrote:
>> Section 2.1.2 is far too permissive for my tastes. We need to be able
>> to say that ULA+IPv6 NAT is NOT RECOMMENDED by the IETF.
>
> I have strong sympathy with that statement, but I don't think this is the document to do it; the point is made in RFC4864 too. What we should do here is underline that NAT != security.
>
> While I'm here, some other points:
>
> "2.2. Extension Headers
>
> TBD, a short section referring to all Fernando's I-D & RFC."
>
> That's not the whole story ;-). Firstly, RFC 7045 has a lot of relevance to security aspects. Second, there is no reason to refer to most of the material (Fernando's or not) unless it's directly relevant to opsec. I think the reference is draft-ietf-opsec-ipv6-eh-filtering,
> but only if that document is going anywhere.
>
> "2.3.3. ND/RA Rate Limiting
> ...
> The following drafts are actively discussing methods to
> rate limit RAs and other ND messages on wifi networks in order to
> address this issue:
>
> o [I-D.thubert-savi-ra-throttler]
>
> o [I-D.chakrabarti-nordmark-6man-efficient-nd]"
>
> Neither of those drafts is in the least active (from 2012 and 2015 respectively). Dead drafts are of no help to the reader, IMHO.
>
> "4.2. Transition Mechanism
>
> SP will typically use transition mechanisms such as 6rd, 6PE, MAP,
> DS-Lite which have been analyzed in the transition Section 2.7.2
> section."
>
> Shouldn't you add RFC6877 464XLAT now?
>
> Finally, I think there should be a Privacy Considerations section.
>
> Rgds
> Brian
>
>>
>> Section 2.6.1.5 could punch up the SAVI stuff a bit more as well. We
>> should, in my opinion, make it painfully clear that DHCP (of any
>> protocol) in the absence of link-layer security/auditability features
>> does not provide any satisfactory way "to ensure audibility and
>> traceability" [Section 2.1.6].
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Gert Doering
- Re: [v6ops] Asking for a review of draft-ietf-ops… Erik Kline
- Re: [v6ops] Asking for a review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Eric Vyncke (evyncke)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Markus deBruen
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Fred Baker (fred)
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Andrews
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Brian E Carpenter
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Gert Doering
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Gert Doering
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] Asking for a review of draft-ietf-ops… Lorenzo Colitti
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Brian E Carpenter
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Brian E Carpenter
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Marco Ermini
- Re: [v6ops] Asking for a review of draft-ietf-ops… Brian E Carpenter
- Re: [v6ops] Asking for a review of draft-ietf-ops… Erik Kline
- Re: [v6ops] Asking for a review of draft-ietf-ops… Sleigh, Robert
- [v6ops] Asking for a review of draft-ietf-opsec-v… Eric Vyncke (evyncke)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Fred Baker (fred)
- Re: [v6ops] Asking for a review of draft-ietf-ops… Howard, Lee
- Re: [v6ops] [OPSEC] Asking for a review of draft-… Mark Smith
- Re: [v6ops] Asking for a review of draft-ietf-ops… Mark Smith