
From joelja@bogus.com  Fri Nov  6 22:42:05 2009
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 20F533A67EF for <opsec@core3.amsl.com>; Fri,  6 Nov 2009 22:42:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level: 
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3l6+RIRDL4Pp for <opsec@core3.amsl.com>; Fri,  6 Nov 2009 22:42:04 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by core3.amsl.com (Postfix) with ESMTP id 2D65E3A6811 for <opsec@ietf.org>; Fri,  6 Nov 2009 22:42:03 -0800 (PST)
Received: from [133.93.16.68] (host-16-68.meeting.ietf.org [133.93.16.68]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id nA76g0N3097441 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 7 Nov 2009 06:42:18 GMT (envelope-from joelja@bogus.com)
Message-ID: <4AF516B2.5070408@bogus.com>
Date: Fri, 06 Nov 2009 22:41:54 -0800
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: "'opsec@ietf.org'" <opsec@ietf.org>, Joe Abley <jabley@hopcount.ca>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (nagasaki.bogus.com [147.28.0.81]); Sat, 07 Nov 2009 06:42:19 +0000 (UTC)
Subject: [OPSEC] WG Agenda (semi-final)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2009 06:42:05 -0000

This is the current agenda we are operating with:
	
	1. WG status - WG Chair
	2. Nanog ISP security BOF report - WG Chair
	3. Revised, draft-ietf-opsec-ip-security - Fernando Gont
	4. Revised, draft-ietf-opsec-icmp-filtering - Fernando Gont
	5. Revised, draft-ietf-opsec-routing-protocols-crypto-issues
	   - WG Chair
	6. Others?

Meeting is Tuesday Nov 10th in afternoon session II 15:20-17:00

If anyone has additions or corrections please note them to me; also, if
Fernando could send me slides so that I may include them by Monday, that
would be greatly appreciated.


From root@core3.amsl.com  Wed Nov 11 00:30:01 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 6B9073A6AAD; Wed, 11 Nov 2009 00:30:01 -0800 (PST)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20091111083001.6B9073A6AAD@core3.amsl.com>
Date: Wed, 11 Nov 2009 00:30:01 -0800 (PST)
Cc: opsec@ietf.org
Subject: [OPSEC] I-D ACTION:draft-ietf-opsec-routing-protocols-crypto-issues-02.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 08:30:01 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.

	Title		: Issues with existing Cryptographic Protection Methods for Routing Protocols
	Author(s)	: S. Hares, M. Bhatia, V. Manral, R. White
	Filename	: draft-ietf-opsec-routing-protocols-crypto-issues-02.txt
	Pages		: 17
	Date		: 2009-11-11
	
   Routing protocols have over time been extended to use cryptographic
   mechanisms to validate data being received from a neighboring router
   to ensure that:

   o it has not been modified in transit.
   o it actually originated from an authorized neighboring router.

   The cryptographic mechanisms defined to date and described in this
   document rely on a digest produced with a hash algorithm applied to
   the payload encapsulated in the routing protocol packet.

   This document outlines some of the limitations of the current
   mechanism, problems with manual keying of these cryptographic
   algorithms, and possible vectors for the exploitation of these
   limitations.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-opsec-routing-protocols-crypto-issues-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-opsec-routing-protocols-crypto-issues-02.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-11-11002118.I-D@ietf.org>


--NextPart--


From manav.bhatia@alcatel-lucent.com  Wed Nov 11 04:04:00 2009
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8B8A428C20E for <opsec@core3.amsl.com>; Wed, 11 Nov 2009 04:04:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.209
X-Spam-Level: 
X-Spam-Status: No, score=-2.209 tagged_above=-999 required=5 tests=[AWL=0.390,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4iT+l9NlDSH for <opsec@core3.amsl.com>; Wed, 11 Nov 2009 04:03:59 -0800 (PST)
Received: from hoemail2.alcatel.com (hoemail2.alcatel.com [192.160.6.149]) by core3.amsl.com (Postfix) with ESMTP id 77AE13A6A42 for <opsec@ietf.org>; Wed, 11 Nov 2009 04:03:54 -0800 (PST)
Received: from horh1.usa.alcatel.com (h172-22-218-55.lucent.com [172.22.218.55]) by hoemail2.alcatel.com (8.13.8/IER-o) with ESMTP id nABC4MpC029640 for <opsec@ietf.org>; Wed, 11 Nov 2009 06:04:22 -0600 (CST)
Received: from mail.apac.alcatel-lucent.com (h202-65-2-130.alcatel.com [202.65.2.130]) by horh1.usa.alcatel.com (8.13.8/emsr) with ESMTP id nABC4KKX028846 for <opsec@ietf.org>; Wed, 11 Nov 2009 06:04:21 -0600 (CST)
Received: from INBANSXCHHUB01.in.alcatel-lucent.com (inbansxchhub01.in.alcatel-lucent.com [135.250.12.32]) by mail.apac.alcatel-lucent.com (8.13.7/8.13.7/Alcanet1.0) with ESMTP id nABC0pwY004151 for <opsec@ietf.org>; Wed, 11 Nov 2009 20:02:54 +0800
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB01.in.alcatel-lucent.com ([135.250.12.32]) with mapi; Wed, 11 Nov 2009 17:33:44 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: opsec wg mailing list <opsec@ietf.org>
Date: Wed, 11 Nov 2009 17:33:43 +0530
Thread-Topic: Cryptographic Authentication Algorithm Implementation Best Practices for Routing Protocols 
Thread-Index: AcpixwQLqcdIXFZZTP6ke0PY9BqNxg==
Message-ID: <7C362EEF9C7896468B36C9B79200D8350A681DDB16@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 172.22.12.28
X-Scanned-By: MIMEDefang 2.64 on 202.65.2.130
Subject: [OPSEC] Cryptographic Authentication Algorithm Implementation Best Practices for Routing Protocols
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 12:04:00 -0000

Hi,

We have posted the revised version based on the feedback that we had
received from the working group and it's available here:

http://www.ietf.org/id/draft-bhatia-manral-igp-crypto-requirements-04.txt

Abstract

The routing protocols Open Shortest Path First version 2 (OSPFv2)
[RFC2328], Intermediate System to Intermediate System (IS-IS) [ISO]
[RFC1195] and Routing Information Protocol (RIP) [RFC2453] currently
define Clear Text and MD5 (Message Digest 5) [RFC1321] methods for
authenticating protocol packets. Recently effort has been made to add
support for the SHA (Secure Hash Algorithm) family of hash functions
for the purpose of authenticating routing protocol packets for RIP
[RFC4822], IS-IS [RFC5310] and OSPF [RFC5709].

To encourage interoperability between disparate implementations, it is
imperative that we specify the expected minimal set of algorithms
thereby ensuring that there is at least one algorithm that all
implementations will have in common.

This document examines the current set of available algorithms with
interoperability and effective cryptographic authentication protection
being the principal considerations. Cryptographic authentication of
these routing protocols requires the availability of the same
algorithms in disparate implementations. It is desirable that newly
specified algorithms should be implemented and available in routing
protocol implementations because they may be promoted to requirements
at some future time.

Cheers, Manav

--
Manav Bhatia,
IP Division, Alcatel-Lucent,
Bangalore - India


From bruno.rohee@oppida.fr  Thu Nov 12 02:50:28 2009
Return-Path: <bruno.rohee@oppida.fr>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8AD443A6A45 for <opsec@core3.amsl.com>; Thu, 12 Nov 2009 02:50:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level: 
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bxbdwBAzWknr for <opsec@core3.amsl.com>; Thu, 12 Nov 2009 02:50:27 -0800 (PST)
Received: from smtp06.msg.oleane.net (smtp06.msg.oleane.net [62.161.4.6]) by core3.amsl.com (Postfix) with ESMTP id 1FE943A6A13 for <opsec@ietf.org>; Thu, 12 Nov 2009 02:50:23 -0800 (PST)
Received: from cerberum2.oppida.fr (173-118.252-81.static-ip.oleane.fr [81.252.118.173])  by smtp06.msg.oleane.net (MTA) with ESMTP id nACAokKC012969; Thu, 12 Nov 2009 11:50:46 +0100
X-Oleane-Rep: REPA
Received: (from uucp@localhost) by cerberum2.oppida.fr id nACAwJ6K019506; Thu, 12 Nov 2009 11:58:19 +0100
Received: from UNKNOWN(192.168.3.250), claiming to be "PATATUM3.oppida.fr" via SMTP by cerberum2.oppida.fr, id smtpdtVeQbp; Thu, 12 Nov 2009 10:58:15 +0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Date: Thu, 12 Nov 2009 11:50:23 +0100
Message-ID: <72F9DD55D83BC743801AA2BCEE815AFA033169@patatum3>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [OPSEC] [Fwd: New Version Notification fordraft-ietf-opsec-ip-security-01]
Thread-Index: Acohgt3cqB1Lh03YRPCT+mHwpUopIBCAEqTw
From: "Bruno ROHEE" <bruno.rohee@oppida.fr>
To: "Fernando Gont" <fernando@gont.com.ar>, <opsec@ietf.org>
X-PMX-Spam: Probability=8%
X-PFSI-Info: PMX 5.5.5.374460, Antispam-Engine: 2.7.1.369594, Antispam-Data: 2009.11.12.103624 (no antivirus check)
Subject: Re: [OPSEC] [Fwd: New Version Notification fordraft-ietf-opsec-ip-security-01]
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 10:50:28 -0000

> Hello, folks,
>
> I have posted a revision of the ip-security I-D which addresses only
> part of the feedback received from Andrew Yourtchenko.
>
> I'm still in the process of tweaking the I-D to address the thorough
> review of Andrew Yourtchenko and others.
>
> It would be great if, in the mean time, I could get more feedback on
> this document.


I think section 4.3.2 should be extended to include the following IP
ranges that should not ever appear in packets coming from the Internet:

169.254.0.0/16 # RFC 3330 Link Local Block
192.0.2.0/24 # RFC 3330 TEST-NET
192.18.0.0/15 # RFC 2544 Benchmark Tests of Network Interconnect Devices

RFC 2544 is not referenced by RFC 3330, but is in the RFC3330bis draft
(http://tools.ietf.org/html/draft-iana-rfc3330bis-11), which also
references two more test nets:

198.51.100.0/24
203.9.113.0/24

Or alternatively, section 4.3.2 could just point to 3330bis.
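A filter implementing the ingress check Bruno describes, as an added example that is not part of the original message or of the ip-security draft: it takes constructed (src, dst) pairs as seen on an Internet-facing interface and drops the ones whose source falls in a prefix that should never arrive from outside. The list goes beyond the five prefixes in the message to the remaining RFC 3330 and RFC 1918 special-use blocks. Two prefixes as typed in the message differ from the registered ones (the RFC 2544 benchmarking block is 198.18.0.0/15 and the third test net is 203.0.113.0/24); the code uses the registered values. The function names, the sample packets and the destination standing in for "our" address are all constructed here.

```python
import ipaddress

# Source prefixes that should never be seen on packets arriving from the
# Internet. Assembled for this example from RFC 3330, RFC 1918, RFC 2544 and
# the rfc3330bis test nets; adjust to local policy before use.
INGRESS_DENY_SOURCES = [
    ("0.0.0.0/8",       "RFC 3330 'this' network"),
    ("10.0.0.0/8",      "RFC 1918 private"),
    ("127.0.0.0/8",     "RFC 3330 loopback"),
    ("169.254.0.0/16",  "RFC 3330 link local"),
    ("172.16.0.0/12",   "RFC 1918 private"),
    ("192.0.2.0/24",    "RFC 3330 TEST-NET"),
    ("192.168.0.0/16",  "RFC 1918 private"),
    ("198.18.0.0/15",   "RFC 2544 benchmark tests of network interconnect devices"),
    ("198.51.100.0/24", "TEST-NET-2 (rfc3330bis)"),
    ("203.0.113.0/24",  "TEST-NET-3 (rfc3330bis)"),
    ("224.0.0.0/4",     "multicast, never valid as a source"),
    ("240.0.0.0/4",     "reserved, includes limited broadcast"),
]
DENY = [(ipaddress.ip_network(prefix), reason) for prefix, reason in INGRESS_DENY_SOURCES]


def ingress_check(src: str):
    """Decide what to do with a packet from source address src on the
    Internet-facing interface. Returns ("drop", reason) or ("accept", note)."""
    addr = ipaddress.ip_address(src)
    if addr.version != 4:
        # This list is IPv4 only; an IPv6 bogon list would be a separate policy.
        return ("accept", "IPv6 source, outside this IPv4 policy")
    for net, reason in DENY:
        if addr in net:
            return ("drop", reason)
    return ("accept", None)


def filter_ingress(packets):
    """packets: iterable of (src, dst) address strings. Returns one
    (src, dst, action, reason) tuple per packet, in input order."""
    return [(src, dst) + ingress_check(src) for src, dst in packets]


def dropped_sources(packets):
    """Just the sources the filter would drop, for a quick audit."""
    return [src for src, _dst, action, _reason in filter_ingress(packets) if action == "drop"]


# Constructed sample traffic. The destination is a documentation address standing
# in for our own; the sources mix prefixes that should never arrive from outside
# with ordinary ones, including addresses just past a list boundary.
SAMPLE_PACKETS = [
    ("169.254.10.5", "198.51.100.10"),   # link-local source that leaked past a NAT
    ("192.0.2.44",   "198.51.100.10"),   # TEST-NET source
    ("192.0.3.7",    "198.51.100.10"),   # just outside TEST-NET: accepted
    ("198.18.1.1",   "198.51.100.10"),   # benchmarking block source
    ("198.20.0.1",   "198.51.100.10"),   # just outside the /15: accepted
    ("224.0.0.5",    "198.51.100.10"),   # multicast as a source: forged
    ("2001:db8::1",  "198.51.100.10"),   # IPv6, not covered by this list
]

if __name__ == "__main__":
    for src, dst, action, reason in filter_ingress(SAMPLE_PACKETS):
        print(f"{src:>16} -> {dst:<14} {action:6} {reason or ''}")
```

The boundary samples matter more than the obvious hits: an off-by-one in the prefix length (a /16 where a /15 was meant) silently lets half the benchmarking block through, and the ipaddress module makes the containment check exact rather than string-based.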





From fernando.gont.netbook.win@gmail.com  Sun Nov 15 08:31:10 2009
Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0BD53A69A4 for <opsec@core3.amsl.com>; Sun, 15 Nov 2009 08:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.065
X-Spam-Level: 
X-Spam-Status: No, score=-2.065 tagged_above=-999 required=5 tests=[AWL=-0.535, BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6P8Tr4NW9n0 for <opsec@core3.amsl.com>; Sun, 15 Nov 2009 08:31:10 -0800 (PST)
Received: from mail-yx0-f124.google.com (mail-yx0-f124.google.com [209.85.210.124]) by core3.amsl.com (Postfix) with ESMTP id 21E843A68FE for <opsec@ietf.org>; Sun, 15 Nov 2009 08:31:10 -0800 (PST)
Received: by yxe30 with SMTP id 30so1140071yxe.29 for <opsec@ietf.org>; Sun, 15 Nov 2009 08:31:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:openpgp:content-type:content-transfer-encoding; bh=zEkeqF3g0CGmqzGd56tFRl2wFTF8MSk89u1jXPG8yE8=; b=L8n7S0nSApDoM51t3gkfOS2QSll4Yr10HhzGJjQJU87IpgeyL7rualTu2RC9b8Rv2H 2NxnKmTDsEJ0cSlxXrcD3Myb/ZyMVnJeYWcep2P1ulKsiZkPE1SCfTLa8jaRuYIzLDny 3JYWYfGXGCCQ7g/fs/5gwojgt/phTMmsj/x/A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; b=vIH91e7m6o7c12LvOJwAh9pa1GAtrpUtnTCgK1+8tLslwG6mZPqnVOoEzvX/x8MvKr fTCWHqhT7XnBCxVFjZ7J7cw+LdP4ODJ28FaO5kvlKToVDepFZWg33ZkcdHoCxI8/0DMn O/u5GViINjHOaLKs1aAoBSn9TxkrjMzti7fEk=
Received: by 10.150.26.5 with SMTP id 5mr11711074ybz.135.1258302699350; Sun, 15 Nov 2009 08:31:39 -0800 (PST)
Received: from ?192.168.0.151? (129-130-17-190.fibertel.com.ar [190.17.130.129]) by mx.google.com with ESMTPS id 22sm2116575ywh.15.2009.11.15.08.31.37 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sun, 15 Nov 2009 08:31:38 -0800 (PST)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4AFF9F69.30602@gont.com.ar>
Date: Sun, 15 Nov 2009 04:27:53 -0200
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Bruno ROHEE <bruno.rohee@oppida.fr>
References: <72F9DD55D83BC743801AA2BCEE815AFA033169@patatum3>
In-Reply-To: <72F9DD55D83BC743801AA2BCEE815AFA033169@patatum3>
X-Enigmail-Version: 0.96.0
OpenPGP: id=D076FFF1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: opsec@ietf.org
Subject: Re: [OPSEC] [Fwd: New Version Notification fordraft-ietf-opsec-ip-security-01]
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 16:31:11 -0000

Hello, Bruno,

Thanks so much for your feedback! Comments in-line...

> I think section 4.3.2 should be extended to include the following IP
> ranges
> that should not ever appear in packets coming from the Internet
> 
> 169.254.0.0/16 # RFC 3330 Link Local Block
> 192.0.2.0/24 # RFC 3330 TEST-NET
> 192.18.0.0/15 # RFC 2544 Benchmark Tests if Network Interconnect Devices
[....]

I will address your comments in the next revision of the I-D.

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






From root@core3.amsl.com  Sun Nov 15 09:30:03 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 672E83A6860; Sun, 15 Nov 2009 09:30:02 -0800 (PST)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20091115173003.672E83A6860@core3.amsl.com>
Date: Sun, 15 Nov 2009 09:30:03 -0800 (PST)
Cc: opsec@ietf.org
Subject: [OPSEC] I-D Action:draft-ietf-opsec-efforts-11.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 17:30:03 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.


	Title           : Security Best Practices Efforts and Documents
	Author(s)       : C. Lonvick, D. Spak
	Filename        : draft-ietf-opsec-efforts-11.txt
	Pages           : 35
	Date            : 2009-11-15

This document provides a snapshot of the current efforts to define or
apply security requirements in various Standards Developing
Organizations (SDO).

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups.  Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on May 19, 2010.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document.  Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.  Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-opsec-efforts-11.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-opsec-efforts-11.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-11-15091558.I-D@ietf.org>


--NextPart--

From joelja@bogus.com  Sat Nov 21 15:42:17 2009
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 611513A68B1 for <opsec@core3.amsl.com>; Sat, 21 Nov 2009 15:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.359
X-Spam-Level: 
X-Spam-Status: No, score=-1.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaMnTusY83WD for <opsec@core3.amsl.com>; Sat, 21 Nov 2009 15:42:16 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by core3.amsl.com (Postfix) with ESMTP id 608933A672F for <opsec@ietf.org>; Sat, 21 Nov 2009 15:42:16 -0800 (PST)
Received: from [192.168.2.101] (m4f0536d0.tmodns.net [208.54.5.79]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id nALNfMqo049396 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <opsec@ietf.org>; Sat, 21 Nov 2009 23:42:11 GMT (envelope-from joelja@bogus.com)
Message-ID: <4B08768A.1070903@bogus.com>
Date: Sat, 21 Nov 2009 15:23:54 -0800
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: "'opsec@ietf.org'" <opsec@ietf.org>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (nagasaki.bogus.com [147.28.0.81]); Sat, 21 Nov 2009 23:42:11 +0000 (UTC)
Subject: [OPSEC] The plan...
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2009 23:42:17 -0000

Minutes will be published shortly.

planned short term events are:

draft-ietf-opsec-ip-security  - wglc

draft-ietf-opsec-routing-protocols-crypto-issues-02 - wglc

draft-bhatia-manral-igp-crypto-requirements-04 - test for inclusion as a
wg document

Document can be reviewed here:

http://tools.ietf.org/html/draft-bhatia-manral-igp-crypto-requirements-04


From glen.kent@gmail.com  Sat Nov 21 17:43:56 2009
Return-Path: <glen.kent@gmail.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 328563A686B for <opsec@core3.amsl.com>; Sat, 21 Nov 2009 17:43:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.359
X-Spam-Level: 
X-Spam-Status: No, score=-1.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OMsptzRrHB8N for <opsec@core3.amsl.com>; Sat, 21 Nov 2009 17:43:55 -0800 (PST)
Received: from mail-yx0-f192.google.com (mail-yx0-f192.google.com [209.85.210.192]) by core3.amsl.com (Postfix) with ESMTP id 71F593A68C6 for <opsec@ietf.org>; Sat, 21 Nov 2009 17:43:55 -0800 (PST)
Received: by yxe30 with SMTP id 30so4866861yxe.29 for <opsec@ietf.org>; Sat, 21 Nov 2009 17:43:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=0oqetO0ZQPaDNADIf4IjKs26eF5JdbXyAd1dKBumbv8=; b=s7SdW4gci3qvqiZQG74CztDpgCQak+xgmm6W2UpFw50RA/pOONIEl1T9Q2lPER5cvj W9oCSR3MwIKNAHg9xpoOx10rSY0Yfi+7RFchbiT0bLXtH0wNiI9kpv+JPjMoe3lOxtT3 umCdFQO+XBmvac25lzEfUzUCbLvV1mlUkSfw8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=P9SPmVqmQm0vVga8+rJdEsH7SKl8R4ejoza15pHHw13fwaAyBeydyll+6SbXEhLLQ/ W9kldmNocds6NZEJ2oVBAM7QbImhV/reEQW7ZraCEsR2yUybgRkAvpIEDRMgH55jd8S3 zK8S5P3BXM8y7OZq9M97+3T4plEBIfHN4Ynmc=
MIME-Version: 1.0
Received: by 10.101.167.30 with SMTP id u30mr3162815ano.147.1258854229422;  Sat, 21 Nov 2009 17:43:49 -0800 (PST)
In-Reply-To: <4B08768A.1070903@bogus.com>
References: <4B08768A.1070903@bogus.com>
Date: Sun, 22 Nov 2009 07:13:49 +0530
Message-ID: <92c950310911211743u4ba19447u340a1e71c2f7a981@mail.gmail.com>
From: Glen Kent <glen.kent@gmail.com>
To: Joel Jaeggli <joelja@bogus.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] The plan...
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2009 01:43:56 -0000

> Minutes will be published shortly.

That'll be nice.

>
> planned short term events are:
>
> draft-ietf-opsec-ip-security  - wglc
>
> draft-ietf-opsec-routing-protocols-crypto-issues-02 - wglc

I think these two documents are ready for the WGLC.

>
>
> draft-bhatia-manral-igp-crypto-requirements-04 - test for inclusion as a
>  wg document
>
> Docuement can be reviewed here:
>
> http://tools.ietf.org/html/draft-bhatia-manral-igp-crypto-requirements-04
>

I firmly believe that we need such a document and fully support this.

Glen

From joelja@bogus.com  Fri Nov 27 11:18:26 2009
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 072773A68F2 for <opsec@core3.amsl.com>; Fri, 27 Nov 2009 11:18:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtxGtVu216ln for <opsec@core3.amsl.com>; Fri, 27 Nov 2009 11:18:25 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by core3.amsl.com (Postfix) with ESMTP id E226A3A689A for <opsec@ietf.org>; Fri, 27 Nov 2009 11:18:24 -0800 (PST)
Received: from [192.168.11.151] (c-76-115-172-82.hsd1.wa.comcast.net [76.115.172.82]) (authenticated bits=0) by nagasaki.bogus.com (8.14.3/8.14.3) with ESMTP id nARJID4J074990 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 27 Nov 2009 19:18:15 GMT (envelope-from joelja@bogus.com)
Message-ID: <4B1025F4.6030902@bogus.com>
Date: Fri, 27 Nov 2009 11:18:12 -0800
From: Joel Jaeggli <joelja@bogus.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: "'opsec@ietf.org'" <opsec@ietf.org>, Joe Abley <jabley@hopcount.ca>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.2 (nagasaki.bogus.com [147.28.0.81]); Fri, 27 Nov 2009 19:18:15 +0000 (UTC)
Subject: [OPSEC] IETF 76 draft minutes
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2009 19:18:26 -0000

Tue 10 Nov 2009 15:20:06 JST

Chairs Joel Jaeggli, Joe Abley
Note-taker Joe Abley

0. Agenda-Bashing

No changes to the agenda

1. WG status - WG Chair
Tue 10 Nov 2009 15:23:54 JST

Joel Jaeggli:
	(per slides.)

2. Nanog ISP security BOF report - WG Chair

Joel:
	wg activities and outreach. (per slides).

Fernando Gont:
	Request from ron for optioned packets and port filtering?

	The IP security document covers some aspects about optioned
	packets, with some discussion of what would happen if you
	discarded based on presence of particular options.

Joel:
	yes, ip security document covers some of the implications,
	but perhaps a little more could be done, especially in the case
	of internal applications for ip options that are exploitable
	from external sources.

Fernando:
	separate document on optioned packets is warranted?

Joel:
	no, not convinced of that.

Ron Bonica:
	I think a separate document is warranted. I wanted something
	I could point at particularly in response to documents from
	people proposing new options.

Fernando:
	I can volunteer for that one. it's related to the work that
	was being done with ip security draft.

Ron:
	I will introduce you to the other two people who offered to work
	on it.

Fernando:
	perfect.

Joel:
	There are also opportunities to discuss this in the context of
	ipv6.

Warren Kumari:
	(on another point of the NANOG outreach)
	fib management is not the only reason why people use defaults.
	it's also fairly commonly used to accommodate micro-convergence
	events.

Joel:
	it may not help in the case of a micro-loop, but micro-loop
	into macro-loop means at least the packets are going somewhere.

Warren:
	Also accidental defaults.

Joel:
	Yes, default left over from installation, perhaps that one
	can be chalked up to incompetence.

3. Revised, draft-ietf-opsec-ip-security - Fernando Gont
Tue 10 Nov 2009 15:48:11 JST

Fernando:
	(per slides)

Tue 10 Nov 2009 15:50:48 JST

Joel:
	My understanding that we were aiming for this to be
	informational?

Fernando:
	yes.

Joel:
	Last call has a way of gelling peoples' ideas, plan to last-call
	the document soon after the next rev.

Ron:
	I think informational is right. normally wglc then iesg then
	done. since the document is important, however, I think
	internet-wide last-call is sensible. any objection to that?

Fernando:
	No objection to that.

4. Revised, draft-ietf-opsec-icmp-filtering - Fernando Gont
Tue 10 Nov 2009 15:53:20 JST

Fernando:
	(per slides)

Ron:
	Informational is much easier than bcp. Benefit of bcp is that
	it comes with a club. if you publish a draft as bcp, a later
	draft that contradicts it will have trouble. in this case I
	can't imagine a draft that would seek to contradict this advice.
	recommend stay with informational.

Joel:
	This document does not prescribe things, it aims to describe
	consequences.

Fernando:
	What about how to address the problem of packets aimed at
	the device?

Ron:
	I would not include that. there is other work going on in more
	general, not just icmp, that will cover that.

Joel:
	Also there are corner cases, e.g. a packet aimed through
	with a ttl that expires, e.g. traceroute. what to do with packets
	that are aimed at a device is a more local policy issue.

5. Revised, draft-ietf-opsec-routing-protocols-crypto-issues
Tue 10 Nov 2009 16:00:06 JST

Joel:
	(per slides)
	"history", "changes"

Joel:
	Intention to wglc the -02.

6. Others?
Tue 10 Nov 2009 16:04:40 JST

Meeting concludes.
