Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
"Carlos M. martinez" <carlosm3011@gmail.com> Fri, 17 August 2012 13:51 UTC
Return-Path: <carlosm3011@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB8A21F846C for <v6ops@ietfa.amsl.com>; Fri, 17 Aug 2012 06:51:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.549
X-Spam-Level:
X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xnfayTX0hFoa for <v6ops@ietfa.amsl.com>; Fri, 17 Aug 2012 06:51:53 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id CF33021F846B for <v6ops@ietf.org>; Fri, 17 Aug 2012 06:51:52 -0700 (PDT)
Received: by yenm5 with SMTP id m5so4389896yen.31 for <v6ops@ietf.org>; Fri, 17 Aug 2012 06:51:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=Na8Qm40T9TXkVLCzL5vNxcphYMXjg15LMQjil1l6uv0=; b=yhaMs1pi5H9Fq9BaXMXIoK7LJPdkqmGVydAZ4eYjpOojxEvePbR7MZn3YBXVvkfvdE VUS8T4Ddoc2N9fIHBzwlrqECxUFClROTzerITcerCrQswFZQeONLvN1KfDBvTTC37gVR ADc1ISOVXXrGmzBp+6enw+ofEvT/CfdhuQ3KGoQNmlVj+XSCrfUGWGynrlrSQVVXfl64 s89/QmVO1vLVOKhAGqIhESSS/e7LSpXJ6+LgL8EgrqyMrsXtZLbEZLri12wqAZ4bugTP TrH6jiXA2IO6BKgLLEjU3lWEwvlgXwU2PTAvKxjlaNirBEfezOawz+LJYsGNTo43PfS5 uSig==
Received: by 10.236.77.163 with SMTP id d23mr7950771yhe.75.1345211512424; Fri, 17 Aug 2012 06:51:52 -0700 (PDT)
Received: from europa.local ([200.7.85.154]) by mx.google.com with ESMTPS id o25sm13918479yhm.14.2012.08.17.06.51.50 (version=SSLv3 cipher=OTHER); Fri, 17 Aug 2012 06:51:51 -0700 (PDT)
Message-ID: <502E4C76.4000008@gmail.com>
Date: Fri, 17 Aug 2012 10:51:50 -0300
From: "Carlos M. martinez" <carlosm3011@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: v6ops@ietf.org
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <502AEB54.8050904@si6networks.com>
In-Reply-To: <502AEB54.8050904@si6networks.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 13:51:53 -0000
Is a third volunteer still needed ? ~Carlos On 8/14/12 9:20 PM, Fernando Gont wrote: > Hi, Eric, > > Thanks so much for your feedback! -- Please find my comments in-line... > > > On 08/14/2012 05:42 AM, Eric Vyncke (evyncke) wrote: > [...] >> Let’s start with generic: >> >> - It should not be a BCP but rather informational > > Just curious: what's the rationale for your preference? > > > >> - I also wonder whether it is worth an IETF RFC because it is well >> known topics in the security area (as you probably know) > > I disagree with both points, for a number of reasons: > > * An IETF RFC means IETF consensus on a topic. That doesn't necessarily > mean that the information is new, but rather than that's how the IETF > thinks about the problem. > > * There has been quite some talk about the implications of transition > technologies, and recommendations to "block them"... but concrete advice > on how to filter each of these technologies is not always readily > available. Try Google. > > * I generally disagree about "well known topics in the security area" > (unless you clearly define what you mean by "known" and what you mean by > "security area"). Most of the time I've seen any topic deemed as > "well-known" in the security community, it really wasn't. And when it > comes to IPv6 security in particular. there has been so much crap around > it that I'd probably deem "well known IPv6 security topic" as an > oxymoron. :-) > > >> - Missing point: awareness of IPV6 by CISO is the key problem, > > I don't necessarily disagree, but that kind of aspect seems to be out of > the scope of this particular document. > > >> should also add that IPv6 is not dangerous per se, and enabling IPv6 in >> intranet is a good way to bypass all automatic tunnels > > The focus of this document is how IPv6 affects your "IPv4-only" network. > > If you explicitly enable IPv6, then this document does not apply to your > network. -- Not to mention that lots of devices are not IPv6-capable, > which means that it shouldn't come up as a surprise if an admin cannot > enforce enforce on v6 the same policies he enforces on v4. > > > >> - Intro / title should specify ‘end-user network’ (to avoid >> confusion for ISP) > > Do we really need/want to make a difference, here? -- The generic issues > being discussed in this document apply to any network that has "dormant > IPv6 connectivity". > > > >> - IP flow (netflow), firewall log, DNS request log could also be >> monitored to detect tunnels establishments > > Could you please elaborate a bit? > > > >> - Using NAPT (and not NAT as previously commented) usually blocks >> ‘magically’ IP protocol 41 and most tunnels > > Agreed. I will add a note about this. > > > >> - If the security policy is to force all traffic through >> application proxies (done by all major organizations) then tunnels are >> not a threat > > Should I add any comments about this? If so, where? > > > >> Let’s continue with the details: >> >> - 1.0 please avoid all discussion about NAPT being >> ‘minimal/simple’ security, the days of scanning are over and have been >> replaced by malware download/email propagated > > ... yet we still use firewalls. Clearly, a NAT-PT blocks some attack > vectors, and reduces host exposure. And technologies such as Teredo > essentially eliminate any sort of protection that could be achieved by > such NAT-PT. And they do block some attacks -- not "all" or "most", but > they do block some. > > > >> - 2.0 congruent security policy indeed with the exception of RFC >> 4890 (ICMPv6) > > I'd argue that the policy is still the same -- it's just that there are > additional message types in v6 /which are not present in v4). > > It's quite unfortunate to hear in v6 circles things like "in v6, you > cannot filter all ICMP as you do in v4" -- because even in v4 you > couldn't do this without braking PMTUD. > > > >> - 2.1 filtering the IPv6 ethertype is TOO dangerous (= could break >> too many things) to be recommended in an IETF document > > Filtering EtherType 0x86DD does what it is meant to do: block native > IPv6 traffic. Note that we are not recommending that people do it, and > even less to have products ship with that filter "on by default" -- we > just note that if you want to prevent block native IPv6 traffic, that's > one possible way to do so. > > > >> - 3.1 should refer to the RFC > > Done! > > > >> - 3.3 AFAIK there is no by default implementation of 6RD in >> generic OS and it requires either manual configuration or DHCPv4 option >> => remove this section > > I'd probably argue that we should argue the comment on DHCPv4 possibly > enabling 6rd, rather than removing the whole section -- for instance, an > attacker could exploit such vector. > > That aside, removing the entire section would likely trigger feedback of > the form "hey guys, you forgot to describe 6rd!". > > >> - 3.5 leave ISATAP (automatic config through DNS) but specify that >> blocking 41 also blocks it > > The current text already notes that. > > > >> - 3.6 as noted, Teredo default port can be changed. The good >> recommendation anyway for enterprises is to block outbound UDP traffic >> (except some pin holes for DNS of course), even my employer network >> blocks them since 1997 ;-). > > This is going beyond the type of advice this document is meant to > provide. We want to provide advice on how to block Teredo... rather than > recommend to filter all UDP. > > >> Also, Microsoft implementation disables >> Teredo when personal firewall is disabled or when the host is in an >> Active Directory network > > That still leaves Windows systems with a firewall and no Active > Directory network with Teredo "on by default". > > >> - Other tunnels TSP (but also Sixxs, ...) all require explicit >> installation and configuration by end-users. They are no more a thread >> than any other covert channel (being IP over DNS or over ICMP or ...), I >> would remove this section > > TSP could allow incoming connections to the local network, which is > something quite different from an internal node being able to "send > stuff out on top of DNS or ICMP". > > Thoughts? > > Thanks! > > Best regards, >
- [v6ops] 3 Volunteers wanted - Draft: draft-gont-o… Gunter Van de Velde (gvandeve)
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Gunter Van de Velde (gvandeve)
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Lee Howard
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Eric Vyncke (evyncke)
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Eric Vyncke (evyncke)
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Smith, Donald
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Fernando Gont
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Warren Kumari
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Mark Andrews
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Carlos M. martinez
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Lee Howard
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Philipp Kern
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Jeroen Massar
- Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: … Warren Kumari