
From ietf@meetecho.com  Wed Aug  1 11:21:46 2012
Return-Path: <ietf@meetecho.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08AD011E81C7 for <opsec@ietfa.amsl.com>; Wed,  1 Aug 2012 11:21:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.387
X-Spam-Level: 
X-Spam-Status: No, score=-0.387 tagged_above=-999 required=5 tests=[AWL=0.332,  BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nIM8nWpa97kZ for <opsec@ietfa.amsl.com>; Wed,  1 Aug 2012 11:21:45 -0700 (PDT)
Received: from smtplq03.aruba.it (smtplq-out5.aruba.it [62.149.158.25]) by ietfa.amsl.com (Postfix) with SMTP id 79ADE11E83A8 for <opsec@ietf.org>; Wed,  1 Aug 2012 11:21:44 -0700 (PDT)
Received: (qmail 23761 invoked by uid 89); 1 Aug 2012 18:21:42 -0000
Received: from unknown (HELO smtp5.aruba.it) (62.149.158.225) by smtplq03.aruba.it with SMTP; 1 Aug 2012 18:21:42 -0000
Received: (qmail 23533 invoked by uid 89); 1 Aug 2012 18:21:42 -0000
Received: from unknown (HELO ?130.129.21.177?) (alex@meetecho.com@130.129.21.177) by smtp5.ad.aruba.it with ESMTPA; 1 Aug 2012 18:21:42 -0000
Message-ID: <501973B2.4090709@meetecho.com>
Date: Wed, 01 Aug 2012 20:21:38 +0200
From: Meetecho IETF support <ietf@meetecho.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: opsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: smtplq03.aruba.it 1.6.2 0/1000/N
Subject: [OPSEC] Meetecho support for OPSEC WG
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2012 18:21:46 -0000

Hi all,

a virtual room has been reserved on the Meetecho system for Wednesday's
OPSEC WG meeting session.

Access to the on-line session (including audio and video streams) will
be available at:
http://www.meetecho.com/ietf84/opsec

The Meetecho session automatically logs you into the standard IETF
jabber room. So, from there, you can have an integrated experience
involving all media and allowing you to interact with the room.
Remote participants might also send their own voice to the room, if they
want to, by either calling a landline phone number, or using our
embedded VoIP applet (in this last case they are *strongly* advised to
use a headset).

A tutorial of interactivity features of the tool can be found at:
http://www.meetecho.com/ietf84

Cheers,
the Meetecho team

-- 
Meetecho s.r.l.
Web Conferencing and Collaboration Tools
www.meetecho.com

From marc.blanchet@viagenie.ca  Wed Aug  1 14:41:43 2012
Return-Path: <marc.blanchet@viagenie.ca>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F2E11E8124 for <opsec@ietfa.amsl.com>; Wed,  1 Aug 2012 14:41:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mf-l5ZBoCIn4 for <opsec@ietfa.amsl.com>; Wed,  1 Aug 2012 14:41:42 -0700 (PDT)
Received: from jazz.viagenie.ca (unknown [IPv6:2620:0:230:8000:226:55ff:fe57:14db]) by ietfa.amsl.com (Postfix) with ESMTP id 1199911E811E for <opsec@ietf.org>; Wed,  1 Aug 2012 14:41:35 -0700 (PDT)
Received: from [IPv6:2001:df8::80:967:97fa:7011:b28] (unknown [IPv6:2001:df8:0:80:967:97fa:7011:b28]) by jazz.viagenie.ca (Postfix) with ESMTPSA id 59843425DD for <opsec@ietf.org>; Wed,  1 Aug 2012 17:41:33 -0400 (EDT)
From: Marc Blanchet <marc.blanchet@viagenie.ca>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3FF49692-8160-4DAF-A30D-1245BC9C1EE2"
Date: Wed, 1 Aug 2012 14:41:32 -0700
Message-Id: <5D3BC3C2-9E2D-464C-8F6A-A712F3F49157@viagenie.ca>
To: opsec@ietf.org
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: [OPSEC] draft-jdurand-bgp-security comment
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2012 21:41:44 -0000

--Apple-Mail=_3FF49692-8160-4DAF-A30D-1245BC9C1EE2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hello,

<extract of draft>
4.1.1.2.  IPv6

   There is no equivalent of RFC5735 for IPv6.  This document recalls
   the prefixes that MUST not cross network boundaries and therefore
   MUST be filtered:
</extract of draft>

There is an equivalent of RFC5735 for IPv6. It is RFC5156 and touches
the same content in that section.

Marc.



--Apple-Mail=_3FF49692-8160-4DAF-A30D-1245BC9C1EE2--

From marc.blanchet@viagenie.ca  Wed Aug  1 22:59:38 2012
Return-Path: <marc.blanchet@viagenie.ca>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 216F811E8151 for <opsec@ietfa.amsl.com>; Wed,  1 Aug 2012 22:59:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id li94+fskDZ+m for <opsec@ietfa.amsl.com>; Wed,  1 Aug 2012 22:59:37 -0700 (PDT)
Received: from jazz.viagenie.ca (unknown [IPv6:2620:0:230:8000:226:55ff:fe57:14db]) by ietfa.amsl.com (Postfix) with ESMTP id 5942711E814F for <opsec@ietf.org>; Wed,  1 Aug 2012 22:59:37 -0700 (PDT)
Received: from [IPv6:2001:df8::64:d444:d331:eb78:704d] (unknown [IPv6:2001:df8:0:64:d444:d331:eb78:704d]) by jazz.viagenie.ca (Postfix) with ESMTPSA id B28BB415E5 for <opsec@ietf.org>; Thu,  2 Aug 2012 01:59:36 -0400 (EDT)
From: Marc Blanchet <marc.blanchet@viagenie.ca>
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_F5CAEBE7-53BC-4791-8C5C-4DABE88B5583"
Date: Wed, 1 Aug 2012 22:59:35 -0700
In-Reply-To: <5D3BC3C2-9E2D-464C-8F6A-A712F3F49157@viagenie.ca>
To: opsec@ietf.org
References: <5D3BC3C2-9E2D-464C-8F6A-A712F3F49157@viagenie.ca>
Message-Id: <B8C05E20-EC26-4D42-8A58-638057610820@viagenie.ca>
X-Mailer: Apple Mail (2.1278)
Subject: Re: [OPSEC] draft-jdurand-bgp-security comment
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 05:59:38 -0000

--Apple-Mail=_F5CAEBE7-53BC-4791-8C5C-4DABE88B5583
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

As said on the mike today (and repeating for people not attending),
adding to what was sent below, RFC5156 is being discussed in IESG to be
put historic because the caveat of listing prefixes in an RFC is that
later, other prefixes come by and the RFC has to be revised. There are
some discussions about having a registry with some of this info, but I'm
not sure it would fit with all the "routing advice" that can be put into
a registry.  There are a few different classes of prefixes, some are easy:
don't announce, filter out, but others are more complicated to be put in
a column structured registry (i.e. 2002::/16 announce if you are
offering a relay service, you may accept but look at this document for
issues, ...).

So I don't have a clear solution or proposal yet, but I urged authors to
follow the intarea AD resolution about the
ipv6-special-prefixes-RFC5156-registry result that you may want then to
reference and cut text in yours, if the resulting registry or work is
sufficiently complete to fit what is already discussed in your document.

Marc.

On 2012-08-01 at 14:41, Marc Blanchet wrote:

> Hello,
>
> <extract of draft>
> 4.1.1.2.  IPv6
>
>    There is no equivalent of RFC5735 for IPv6.  This document recalls
>    the prefixes that MUST not cross network boundaries and therefore
>    MUST be filtered:
> </extract of draft>
>
> There is an equivalent of RFC5735 for IPv6. It is RFC5156 and touches
> the same content in that section.
>
> Marc.
>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec


--Apple-Mail=_F5CAEBE7-53BC-4791-8C5C-4DABE88B5583--
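
The point above about "routing advice" that does not fit a flat list, as an
added example (not part of the thread, and not taken from the draft or from
RFC 5156). The table rows are constructed samples; the function names, the
verdict strings and the rule that more-specifics of 2002::/16 are rejected
are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Row(NamedTuple):
    net: ipaddress.IPv6Network
    inbound: str      # advice for routes received from a peer
    outbound: str     # advice for routes announced to a peer
    exact_only: bool  # advice applies to this exact prefix only
    note: str


def _row(prefix, inbound, outbound, note, exact_only=False):
    return Row(ipaddress.IPv6Network(prefix), inbound, outbound,
               exact_only, note)


# Constructed sample table (assumption of this example, not the draft's
# list). The first four rows are the "easy" class: never announce, always
# filter. The 2002::/16 row is the conditional class from the message:
# announce only when offering a relay service, accept but review.
TABLE = [
    _row("::1/128", "reject", "reject", "loopback"),
    _row("fe80::/10", "reject", "reject", "link-local"),
    _row("fc00::/7", "reject", "reject", "unique local"),
    _row("2001:db8::/32", "reject", "reject", "documentation"),
    _row("2002::/16", "accept-with-review", "if-relay", "6to4",
         exact_only=True),
]


def evaluate(route: str, direction: str,
             offers_relay: bool = False) -> Tuple[str, Optional[str]]:
    """Return (verdict, note) for one route in one direction ("in"/"out")."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    # Raises on IPv4 input or on a prefix with host bits set.
    net = ipaddress.IPv6Network(route)
    covering = [r for r in TABLE if net.subnet_of(r.net)]
    if not covering:
        return ("accept", None)
    # The most specific covering row decides.
    row = max(covering, key=lambda r: r.net.prefixlen)
    if row.exact_only and net != row.net:
        # Assumption: more-specifics of a conditional prefix are rejected.
        return ("reject", row.note)
    advice = row.inbound if direction == "in" else row.outbound
    if advice == "if-relay":
        advice = "accept" if offers_relay else "reject"
    return (advice, row.note)


def flat_filter(route: str) -> str:
    """The same prefixes treated as a plain drop list, for comparison."""
    net = ipaddress.IPv6Network(route)
    return "reject" if any(net.subnet_of(r.net) for r in TABLE) else "accept"


if __name__ == "__main__":
    # Constructed sample routes: (route, direction, offers_relay).
    samples = [
        ("2001:db8:1::/48", "in", False),
        ("fd12:3456::/32", "out", False),
        ("2002::/16", "out", True),
        ("2002::/16", "out", False),
        ("2002::/16", "in", False),
        ("2002:c000:204::/48", "in", False),
        ("2a00:1450::/32", "in", False),
    ]
    for route, direction, relay in samples:
        verdict, note = evaluate(route, direction, relay)
        print(f"{route:22} {direction:3} relay={relay!s:5} "
              f"policy={verdict:18} flat={flat_filter(route):6} {note or ''}")
```

A relay operator's 2002::/16 announcement is accepted by the per-direction
table and dropped by the flat list, which is the case a single
"filter / don't filter" column cannot express.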

From gert@space.net  Thu Aug  2 01:01:41 2012
Return-Path: <gert@space.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01D2F21F8E00 for <opsec@ietfa.amsl.com>; Thu,  2 Aug 2012 01:01:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level: 
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F9gOVEAN6d9y for <opsec@ietfa.amsl.com>; Thu,  2 Aug 2012 01:01:40 -0700 (PDT)
Received: from mobil.space.net (mobil.Space.Net [IPv6:2001:608:2:81::2]) by ietfa.amsl.com (Postfix) with ESMTP id 5B09E21F8E01 for <opsec@ietf.org>; Thu,  2 Aug 2012 01:01:39 -0700 (PDT)
Received: from mobil.space.net (localhost [127.0.0.1]) by mobil.space.net (Postfix) with ESMTP id 24949F8D07 for <opsec@ietf.org>; Thu,  2 Aug 2012 10:01:38 +0200 (CEST)
X-SpaceNet-Relay: true
Received: from moebius3.space.net (moebius3.Space.Net [IPv6:2001:608:2:2::250]) by mobil.space.net (Postfix) with ESMTPS id 07314F8D03 for <opsec@ietf.org>; Thu,  2 Aug 2012 10:01:38 +0200 (CEST)
Received: (qmail 1014 invoked by uid 1007); 2 Aug 2012 10:01:37 +0200
Date: Thu, 2 Aug 2012 10:01:37 +0200
From: Gert Doering <gert@space.net>
To: Marc Blanchet <marc.blanchet@viagenie.ca>
Message-ID: <20120802080137.GM38127@Space.Net>
References: <5D3BC3C2-9E2D-464C-8F6A-A712F3F49157@viagenie.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5D3BC3C2-9E2D-464C-8F6A-A712F3F49157@viagenie.ca>
X-NCC-RegID: de.space
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: opsec@ietf.org
Subject: Re: [OPSEC] draft-jdurand-bgp-security comment
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 08:01:41 -0000

Hi,

On Wed, Aug 01, 2012 at 02:41:32PM -0700, Marc Blanchet wrote:
> <extract of draft>
> 4.1.1.2.  IPv6
> 
>    There is no equivalent of RFC5735 for IPv6.  This document recalls
>    the prefixes that MUST not cross network boundaries and therefore
>    MUST be filtered:
> </extract of draft>
> 
> There is an equivalent of RFC5735 for IPv6. It is RFC5156 and touches the same content in that section.

Thanks for pointing that out.  We'll integrate the reference and adapt
the text accordingly.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From gvandeve@cisco.com  Mon Aug  6 01:42:55 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B048D21F8523; Mon,  6 Aug 2012 01:42:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.356
X-Spam-Level: 
X-Spam-Status: No, score=-10.356 tagged_above=-999 required=5 tests=[AWL=0.242, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5sqCtkXSmUOr; Mon,  6 Aug 2012 01:42:55 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 01ACA21F8609; Mon,  6 Aug 2012 01:42:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6814; q=dns/txt; s=iport; t=1344242575; x=1345452175; h=from:to:subject:date:message-id:mime-version; bh=eO37779sF36BTfCRA2QiLQLFQFifebyNn/OOgYCtYnk=; b=D2+E6ulHtInjY+/Zo5im6LuKmWmvP8MQjRyLvCXyllYWjXMhUAHYP5ZN uCyfh4sHxY234oCmr9kEDrffNgy61/f8eB5LEe2zmEdMhji52uHaSFZ1c yF3lFO15gvp4i9AV+VLKoWV6XQnhU3ditIu8usUXiOrh3Su7IEVPrM/PG c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAAeDH1CtJV2Y/2dsb2JhbAA7CoJKtnSBB4IiAQQSARpeASpWJgEEARoMDodrm0SfU4tahhRgA6NvgWaCXw
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800";  d="scan'208,217";a="105728263"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-9.cisco.com with ESMTP; 06 Aug 2012 08:42:54 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id q768gs0R019543 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 08:42:54 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 03:42:54 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Thread-Topic: 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71Apg==
Date: Mon, 6 Aug 2012 08:42:53 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.88.65]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.006
x-tm-as-result: No--36.409000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B240674C2xmbalnx12ciscocom_"
MIME-Version: 1.0
Subject: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 08:42:55 -0000

--_000_67832B1175062E48926BF3CB27C49B240674C2xmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear all,

Can I request the WG members for 3 volunteers to read the draft
draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to
the list?

This will help the OPSEC chairs to identify if the work is ready for WG
adoption or not. The work targets are within charter of the WG, and seems
to be interesting work for the community.

Questions we are looking for answers to:

1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic in line with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_67832B1175062E48926BF3CB27C49B240674C2xmbalnx12ciscocom_--

From gvandeve@cisco.com  Mon Aug  6 01:51:10 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD9D621F858A; Mon,  6 Aug 2012 01:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.396
X-Spam-Level: 
X-Spam-Status: No, score=-10.396 tagged_above=-999 required=5 tests=[AWL=0.202, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nZeBuqC5-C1C; Mon,  6 Aug 2012 01:51:10 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id E490E21F8541; Mon,  6 Aug 2012 01:51:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=6187; q=dns/txt; s=iport; t=1344243070; x=1345452670; h=from:to:cc:subject:date:message-id:mime-version; bh=pv+9GhIfX8hWTTwol2z/EDfFD58lKfdRTSuh8P28L8A=; b=kq+CetO9F7KWtqbFPR3Uhb20SbRNx9sXz0nxCnc3H86T8uBVrwYYHwIW 8clNyv/jc08csYJoXNbSUHn4cGx2IyibH9LVjt9GtS8M+koDU9JT+OV/c T3h4hBr7BWa2Sx+p0BczJnPpVbjWqaPLyiyipLO607roUNjIaXit16Az9 M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhsFAOyEH1CtJXHA/2dsb2JhbABFgkqmFIgPAYhQgQeCIgEEEgEKEEwSASpWJgEEDg0ah2sLmzqfVJFuYAOWXY0SgWaCX4Ff
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800";  d="scan'208,217";a="108719066"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-7.cisco.com with ESMTP; 06 Aug 2012 08:51:09 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id q768p96I010708 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 08:51:09 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 03:51:09 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: IPv6 OPSEC drafts need review
Thread-Index: Ac1zr7XviImO0VW9ShaYOQMMM67U3A==
Date: Mon, 6 Aug 2012 08:51:08 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240674DA@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.88.65]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.004
x-tm-as-result: No--32.390100-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B240674DAxmbalnx12ciscocom_"
MIME-Version: 1.0
Cc: "draft-vyncke-opsec-v6@tools.ietf.org" <draft-vyncke-opsec-v6@tools.ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "Warren Kumari \(warren@kumari.net\)" <warren@kumari.net>, "draft-jdurant-bgp-security-01@tools.ietf.org" <draft-jdurant-bgp-security-01@tools.ietf.org>
Subject: [OPSEC] IPv6 OPSEC drafts need review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 08:51:10 -0000

--_000_67832B1175062E48926BF3CB27C49B240674DAxmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear all,

As mentioned during the OPSEC WG meeting, the following 2 drafts will in 3
weeks be considered for WG documents, after a call for feedback on the email
list. During the WG meeting it became clear that not that many people read
the documents until now.

Please read drafts:


1)      http://datatracker.ietf.org/doc/draft-vyncke-opsec-v6/

2)      http://tools.ietf.org/html/draft-jdurand-bgp-security-01

On Monday 27th the chairs of OPSEC WG will ask the WG during a period of 7
days for feedback on these drafts to support or deny acceptance as WG
documents.

Kind Regards,
G/, KK & Warren

--_000_67832B1175062E48926BF3CB27C49B240674DAxmbalnx12ciscocom_--

From gvandeve@cisco.com  Mon Aug  6 02:03:09 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C718421F84F6; Mon,  6 Aug 2012 02:03:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.397
X-Spam-Level: 
X-Spam-Status: No, score=-10.397 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBSdSt036r8g; Mon,  6 Aug 2012 02:03:08 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 8EF5621F84E4; Mon,  6 Aug 2012 02:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=3394; q=dns/txt; s=iport; t=1344243788; x=1345453388; h=from:to:cc:subject:date:message-id:mime-version; bh=HBGuloKUT9SIOhAnizh6QHJPYGVtxoSt702ID6UnXGk=; b=J/7LhM0x8qIHNWnS9aFwkOsseYPvIM6qILTJC82CVgX3tVVbX2qgHSuT dohDkwyIgSSbQN71ESifFZP6o9IoOCT1bOIwH90oLxUaHRAUsi6HIkp4K vFhSE0APFIp/A5OjCTsWKozCYGvgE3ynyAPvFNxJ+/dhx7q55fEpi9VTA c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: An4FAFWHH1CtJV2d/2dsb2JhbABFgkqCaqs5AYhQgQeCIgEEEgEaTBIBDB5WJgEEDg0ah2sLmz+fV5FuYAOWXY0SgWaCXw
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800";  d="scan'208,217";a="108720193"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-6.cisco.com with ESMTP; 06 Aug 2012 09:03:08 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id q76938h2030052 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 09:03:08 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 04:03:07 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: IPv6 LL-only as WG document - feedback requested
Thread-Index: Ac1zsaLKu65hBuxGQ1mVPU9TRZLT7Q==
Date: Mon, 6 Aug 2012 09:03:06 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.88.65]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.006
x-tm-as-result: No--28.972000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B24068549xmbalnx12ciscocom_"
MIME-Version: 1.0
Cc: "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: [OPSEC] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 09:03:10 -0000

--_000_67832B1175062E48926BF3CB27C49B24068549xmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

(distributed to OPSEC WG and in cc v6ops)

Dear all,

During the OPSEC WG meeting last Wednesday there was consensus to adopt the
draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working
group document with Informational status.

Please read the draft, and if there is no violent objection on the list, the
document will be requested to be submitted as WG document in 7 days.

Ciao,
G/, KK & Warren

--_000_67832B1175062E48926BF3CB27C49B24068549xmbalnx12ciscocom_--

From gvandeve@cisco.com  Mon Aug  6 02:36:21 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F46221F8617; Mon,  6 Aug 2012 02:36:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.117
X-Spam-Level: 
X-Spam-Status: No, score=-10.117 tagged_above=-999 required=5 tests=[AWL=-0.119, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VBDutU9hycz7; Mon,  6 Aug 2012 02:36:20 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9C921F8616; Mon,  6 Aug 2012 02:36:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=4172; q=dns/txt; s=iport; t=1344245780; x=1345455380; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=HfICAQuLFJnRHlPLt0ENIRtDz42BUu17PEyrzbeVoPw=; b=Pr0EdVY5v3amqMtfSbXBiYittmWLuNNAkfLvXvzLLWiNT7PQFh6VY1F0 gmOud5L/ouQkxfm8C1O4go4KsKOOa02j4Blwz019lBXJyXpmjfMI1iATu BLxeicQeuainrAB1uWsQDMyAFMK1LMR6I8Y5/Rt/cjdBNhwiYU7JqcEud 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAF2PH1CtJV2d/2dsb2JhbABFhXuyTXaBB4IgAQEBAwEBAQEPARAROgsFBwQCAQgRBAEBAQICBh0DAgICHwYLFAEICAEBBA4FCBqHXAMGBgubSI0ZiGgNiU6BIYlCZ4VyMmADk3aCZ4l1gx2BZoJf
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800"; d="scan'208";a="108731552"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-5.cisco.com with ESMTP; 06 Aug 2012 09:36:19 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id q769aJag027302 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 09:36:19 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 04:36:19 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [v6ops] IPv6 LL-only as WG document - feedback requested
Thread-Index: Ac1zsaLKu65hBuxGQ1mVPU9TRZLT7QALZhOAAApGAYA=
Date: Mon, 6 Aug 2012 09:36:18 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com>
In-Reply-To: <501F8D5F.5000805@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.88.65]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.006
x-tm-as-result: No--44.211700-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 09:36:21 -0000

Answer as individual contributor.

Fred B. and myself did a draft to exactly address the traceability of interfaces without
increasing the attack vector on interfaces: Passive IPv6 addresses

No new class of addresses at all... no new IANA allocation... just behaviour of the address:

1) it is configured as a normal address
2) just an extra keyword attached to the address identifying its behavior
3) It can only be used as a 'source' address
4) if it is used as destination address, then when reaching the router it will be directed to the Null0 interface

This will help visibility of the trace-route in cases of LL-only...

G/


-----Original Message-----
From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
Sent: 06 August 2012 11:25
To: Gunter Van de Velde (gvandeve)
Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested

Hi,

>    o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>       request ... can be addressed to loopback addresses of routers with
>       a global scope address.  Router management can also be done over
>       out-of-band channels.
>
>    o  ICMP error message can also be sourced from the global scope
>       loopback address.

These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.

This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.

I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.

Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.

Regards
   Brian Carpenter


On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
> (distributed to OPSEC WG and in cc v6ops)
>
> Dear all,
>
> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>
> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>
> Ciao,
> G/, KK & Warren
>
>
>
> ----------------------------------------------------------------------
> --
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
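
The source-address rule stated in this thread (a packet that is not sent to a link-local address must carry a GUA source, and that GUA should come from a prefix of the organisation operating the router) can be checked mechanically. The following audit is an added example, not part of the original messages or of any draft; the packet records, router names and the operator prefix 2001:db8:a::/48 are constructed, and treating ff02::/16 destinations as on-link is an assumption.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

LINK_LOCAL = ipaddress.ip_network("fe80::/10")        # link-local unicast
LINK_SCOPE_MCAST = ipaddress.ip_network("ff02::/16")  # assumption: also never leaves the link
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")     # currently allocated GUA space


class Packet(NamedTuple):
    """One observed ICMPv6 packet: who sent it, with which source, to whom."""
    router: str
    src: str
    dst: str


def _addr(text: str) -> ipaddress.IPv6Address:
    # Drop a zone identifier such as "%ge-0/0/1" before parsing.
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def classify(pkt: Packet, operator_prefixes: Iterable[str]) -> str:
    """Return a verdict for one packet under the rule discussed in the thread."""
    try:
        src, dst = _addr(pkt.src), _addr(pkt.dst)
    except ipaddress.AddressValueError:
        return "UNPARSEABLE"
    # Traffic that stays on the link may legitimately use a link-local source.
    if dst in LINK_LOCAL or dst in LINK_SCOPE_MCAST:
        return "OK"
    # A link-local source on an off-link packet is not forwarded, so the
    # ICMP reply never arrives and ping/traceroute show a gap at this hop.
    if src in LINK_LOCAL:
        return "LL_SOURCE_OFF_LINK"
    # ULA, unspecified, loopback and similar are not GUAs either.
    if src not in GLOBAL_UNICAST:
        return "NOT_GUA"
    # A GUA from somebody else's prefix makes the traceroute output misleading.
    nets = [ipaddress.ip_network(p) for p in operator_prefixes]
    if not any(src in net for net in nets):
        return "FOREIGN_PREFIX"
    return "OK"


def audit(packets: Iterable[Packet],
          operator_prefixes: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (router, source, verdict) for every packet that breaks the rule."""
    prefixes = list(operator_prefixes)
    findings = []
    for pkt in packets:
        verdict = classify(pkt, prefixes)
        if verdict != "OK":
            findings.append((pkt.router, pkt.src, verdict))
    return findings


# Constructed sample: ICMPv6 replies seen by a probe at 2001:db8:ffff::10.
OPERATOR_PREFIXES = ["2001:db8:a::/48"]
SAMPLE_PACKETS = [
    Packet("r1", "2001:db8:a::1", "2001:db8:ffff::10"),     # loopback GUA, fine
    Packet("r2", "fe80::2%ge-0/0/1", "2001:db8:ffff::10"),  # LL source, off-link
    Packet("r3", "2001:db8:b::3", "2001:db8:ffff::10"),     # GUA, wrong prefix
    Packet("r4", "fe80::4", "fe80::99"),                    # on-link, fine
    Packet("r5", "fd00::5", "2001:db8:ffff::10"),           # ULA source
]

if __name__ == "__main__":
    for router, src, verdict in audit(SAMPLE_PACKETS, OPERATOR_PREFIXES):
        print(f"{router:4} {src:22} {verdict}")
```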

From gvandeve@cisco.com  Mon Aug  6 03:18:40 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A98BD21F8628; Mon,  6 Aug 2012 03:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.261
X-Spam-Level: 
X-Spam-Status: No, score=-10.261 tagged_above=-999 required=5 tests=[AWL=-0.262, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wceGfgQ7LHgw; Mon,  6 Aug 2012 03:18:39 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 94D9E21F8629; Mon,  6 Aug 2012 03:18:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=6064; q=dns/txt; s=iport; t=1344248313; x=1345457913; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+psj8CAOAOoFBOaNvKF25CMvVW/q51oshA+noCVyR/A=; b=iFiFI+F5GZC0b9EcABB/3WCvFbqZjp8V8S7FwdDF2O3Q84OrKAHHasDC 1T6vX7aVa4utHn0ZtjtQNHhN+Vzfio9hgRAsDWaMufc92gqdNSNg98IzI ZFv76Frj9aYGmDbk5M6y+OcO9dvQPov6mf35WkLSaZ7PQbl6wSZ6dbq2v Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFAEyZH1CtJXHB/2dsb2JhbABFhXuyTXaBB4IgAQEBBAEBAQ8BEBE6CwwEAgEIEQQBAQECAgYdAwICAh8GCxQBCAgBAQQOBQgah1wDDAubNo0ZiHYNiU6BIYlCZ4VyMmADk3aCZ4l1gx2BZoJf
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800"; d="scan'208";a="108770680"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-4.cisco.com with ESMTP; 06 Aug 2012 10:18:33 +0000
Received: from xhc-aln-x03.cisco.com (xhc-aln-x03.cisco.com [173.36.12.77]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id q76AIWJM019737 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 10:18:32 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-aln-x03.cisco.com ([173.36.12.77]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 05:18:32 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [v6ops] IPv6 LL-only as WG document - feedback requested
Thread-Index: Ac1zsaLKu65hBuxGQ1mVPU9TRZLT7QALZhOAAApGAYD//7IZAIAASnFA
Date: Mon, 6 Aug 2012 10:18:31 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240685F6@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com> <501F90F8.1050409@gmail.com>
In-Reply-To: <501F90F8.1050409@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.82.146]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.006
x-tm-as-result: No--48.409400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 10:18:41 -0000

From gvandeve@cisco.com  Mon Aug  6 03:57:18 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FBAC21F8634; Mon,  6 Aug 2012 03:57:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.107
X-Spam-Level: 
X-Spam-Status: No, score=-10.107 tagged_above=-999 required=5 tests=[AWL=-0.108, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHpeIgnN1Gg6; Mon,  6 Aug 2012 03:57:17 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id EA70521F8602; Mon,  6 Aug 2012 03:57:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=7740; q=dns/txt; s=iport; t=1344250637; x=1345460237; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Qv0GRkQRMulI7noWw5c+aoKqJ1ZpjlAPDFtzUOQHRec=; b=Lsrn+d4eIvrXv7OOoKI202G5+39/jrzbo2qOPOU9DkcBNX16p4j3M2PD EgLw3GyDw0OfYQ6LeqiiMU/KyX0Uot94Ao4WpuhAUm2Rp/BgB9tmrkAVU 31Q3qzluU+U9adiP6Dx0ZhiVDwytOL5emPdryAAABqquF/kowFLFHr9PB g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFAFuiH1CtJXHA/2dsb2JhbABFhXuyTXaBB4IgAQEBAwEBAQEPARAROgsFBwQCAQgRBAEBAQICBh0DAgICHwYLFAEICAIEDgUIGodcAwYGC5s0jRmIdw2JToEhiUJnhXIyYAOTdoJniXWDHYFmgl8
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800"; d="scan'208";a="108781353"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-3.cisco.com with ESMTP; 06 Aug 2012 10:57:16 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id q76AvGeY015840 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 10:57:16 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 05:57:15 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [v6ops] IPv6 LL-only as WG document - feedback requested
Thread-Index: Ac1zsaLKu65hBuxGQ1mVPU9TRZLT7QALZhOAAApGAYD//7IZAIAASnFA///J44CAAFMmwA==
Date: Mon, 6 Aug 2012 10:57:15 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B2406878F@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com> <501F90F8.1050409@gmail.com> <67832B1175062E48926BF3CB27C49B240685F6@xmb-aln-x12.cisco.com> <501FA205.1020203@gmail.com>
In-Reply-To: <501FA205.1020203@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.82.146]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.006
x-tm-as-result: No--53.889300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 10:57:18 -0000

From brian.e.carpenter@gmail.com  Mon Aug  6 02:24:53 2012
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB31921F84F6; Mon,  6 Aug 2012 02:24:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.174
X-Spam-Level: 
X-Spam-Status: No, score=-101.174 tagged_above=-999 required=5 tests=[AWL=-0.083, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgAooLVCf3Di; Mon,  6 Aug 2012 02:24:53 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4F01521F85FC; Mon,  6 Aug 2012 02:24:52 -0700 (PDT)
Received: by eekb45 with SMTP id b45so676373eek.31 for <multiple recipients>; Mon, 06 Aug 2012 02:24:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=LFnCaHZ+L8Wxy4qp6VWlcXQumJVNZ6p0hyWaTVI1NjQ=; b=uxe9vpEs8cK6m22aScM5f+v3PH1zzUFSSmD/2HxqRLKXZrV/nfI8iT2Ci1n1RqaYaD 3vIXe/lBJyH6YL7bR5o9dbkjtHh5SXp48hIISo7ydRU2NBnmN6Jxu/6VIXNtqiVEuvf/ fx0oj8KBZcTziSaGJZ4FxGyPBbL2l3J1uhjZgZe1ZLm2Tp9mfglU3Dee0j5VL4tFxiBx 1apWzOj5UfF16m0MMYhnDYfKmfgPbER+Bh81uWfuh/qSvJBMpBB9/C2CqcCLzjNe3E0j UPS0pKOx9VYVHNhgD0zBzDHHxURrogiQaC3wVtgVH7lmdWD9oqJ2ybWp082Hc/BBzzi+ JCHg==
Received: by 10.14.210.197 with SMTP id u45mr12174953eeo.42.1344245091552; Mon, 06 Aug 2012 02:24:51 -0700 (PDT)
Received: from [192.168.1.65] (host-2-102-216-73.as13285.net. [2.102.216.73]) by mx.google.com with ESMTPS id o47sm45916015eem.0.2012.08.06.02.24.49 (version=SSLv3 cipher=OTHER); Mon, 06 Aug 2012 02:24:50 -0700 (PDT)
Message-ID: <501F8D5F.5000805@gmail.com>
Date: Mon, 06 Aug 2012 10:24:47 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 06 Aug 2012 09:50:03 -0700
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 09:24:53 -0000

Hi,

>    o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>       request ... can be addressed to loopback addresses of routers with
>       a global scope address.  Router management can also be done over
>       out-of-band channels.
> 
>    o  ICMP error message can also be sourced from the global scope
>       loopback address.

These statements seem too weak. Using GUAs for ICMP in particular
needs to have a normative MUST somewhere (preferably in a BCP). In the
context of this Informational draft, the language needs to state a requirement
("must" not "can") even if you don't use RFC 2119 terminology.

This matters because packets with a LL source address MUST NOT be forwarded,
so a router that is misconfigured to send ICMP replies with a LL source
address breaks both ping and traceroute.

I think the rule is that any packet that is *not* sent to a LL address must
have a GUA as the source address. That takes care of ICMP, and everything else
as well.

Furthermore, that GUA needs to be associated with a prefix that belongs to
the organisation operating the router in question. Otherwise the traceroute
results can be very confusing. We discussed that on v6ops back in March.

Regards
   Brian Carpenter




On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
> (distributed to OPSEC WG and in cc v6ops)
> 
> Dear all,
> 
> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
> 
> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
> 
> Ciao,
> G/, KK & Warren
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

From brian.e.carpenter@gmail.com  Mon Aug  6 02:40:14 2012
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A23521F861E; Mon,  6 Aug 2012 02:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.173
X-Spam-Level: 
X-Spam-Status: No, score=-101.173 tagged_above=-999 required=5 tests=[AWL=-0.082, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C64FxvvADQXS; Mon,  6 Aug 2012 02:40:13 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1771121F861D; Mon,  6 Aug 2012 02:40:12 -0700 (PDT)
Received: by eekb45 with SMTP id b45so682168eek.31 for <multiple recipients>; Mon, 06 Aug 2012 02:40:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=2LaRKJdTNNVsXpj7M7bVjuOdd9bi09s+FibsRyrlbjQ=; b=PnXkLWkeWW0rYz8e97lsYmNM1etasaluy9AR7ylJlLJxd59oPYK0IORVIeexC+LX3i 6PWl7vSnlS7+0uXC37N/hP1IJkP28Kf78w2eGENyb0W6JNuwtLJ7C9HUgp0m9x8yxGNX kjVlqGKmu69mz2pdMD8++FLnBetEiH3vI8Gk28h15+taxLrBwcGYc4+pRUYNh1NSsfXh aOEYrCVWPRd7pUqn+PqqeuSXDXts1zNTJD9s1CaTUGLLY2MKX/bNSbIP6YnGilUQUOV5 oDE36j7CVDHDDkWUfoaPq5339L/54kjsUB9AERgYqCVWyg1Ks1BJD1/Fl2SaSWTKO/fp 1V/A==
Received: by 10.14.179.71 with SMTP id g47mr12234086eem.21.1344246012266; Mon, 06 Aug 2012 02:40:12 -0700 (PDT)
Received: from [192.168.1.65] (host-2-102-216-73.as13285.net. [2.102.216.73]) by mx.google.com with ESMTPS id u47sm13583324eeo.9.2012.08.06.02.40.10 (version=SSLv3 cipher=OTHER); Mon, 06 Aug 2012 02:40:11 -0700 (PDT)
Message-ID: <501F90F8.1050409@gmail.com>
Date: Mon, 06 Aug 2012 10:40:08 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 06 Aug 2012 09:50:03 -0700
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 09:40:14 -0000

Hi Gunter,

I have no problem with the passive address idea, but the immediate issue
is that routers must not source ICMP packets that other routers must
discard - hence no LL source addresses.

    Brian

On 06/08/2012 10:36, Gunter Van de Velde (gvandeve) wrote:
> Answer as individual contributor.
> 
> Fred B. and myself did a draft to exactly address the traceability of interfaces without 
> increasing the attack vector on interfaces: Passive IPv6 addresses
> 
> No new class of addresses at all... no new IANA allocation... just behaviour of the address:
> 
> 1) it is configured as a normal address
> 2) just an extra keyword attached to the address identifying its behavior
> 3) It can only be used as a 'source' address
> 4) if it is used as destination address, then when reaching the router it will be directed to the Null0 interface
> 
> This will help visibility of the trace-route in cases of LL-only...
> 
> G/
> 
> 
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
> Sent: 06 August 2012 11:25
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
> 
> Hi,
> 
>>    o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>       request ... can be addressed to loopback addresses of routers with
>>       a global scope address.  Router management can also be done over
>>       out-of-band channels.
>>
>>    o  ICMP error message can also be sourced from the global scope
>>       loopback address.
> 
> These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.
> 
> This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.
> 
> I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.
> 
> Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.
> 
> Regards
>    Brian Carpenter
> 
> 
> 
> 
> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>> (distributed to OPSEC WG and in cc v6ops)
>>
>> Dear all,
>>
>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>>
>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>>
>> Ciao,
>> G/, KK & Warren
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops

From brian.e.carpenter@gmail.com  Mon Aug  6 03:52:59 2012
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BBB821F8619; Mon,  6 Aug 2012 03:52:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.172
X-Spam-Level: 
X-Spam-Status: No, score=-101.172 tagged_above=-999 required=5 tests=[AWL=-0.081, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uHdeFn-Qndsp; Mon,  6 Aug 2012 03:52:58 -0700 (PDT)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 3267021F8602; Mon,  6 Aug 2012 03:52:58 -0700 (PDT)
Received: by eaai11 with SMTP id i11so710784eaa.31 for <multiple recipients>; Mon, 06 Aug 2012 03:52:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=sB7v0yztQMGVJuKGn+qC0C04JBFWnoaZj3kVbdvPb0U=; b=RcAnTffIBhwFj3e+K1niJ8GsNSe/RpOLxP8kiQ1Z9u/R4xXl6Y4uBFCYLc+lrSR+Y9 LZov8AIf8A4lCEGRSYUs/LPyo0SQ3sHCE7YUmFejVtA62SPKxIUtI19qAzsQV0STfDUo irwQ+M4HEDCqo8lhcc9RFj+NyxYbhX2TPg4SI+b+jCWdjznzWR5NP0v8yzTsa7VqFE+B TOUp2E2mEtJpaUKM/cMPHQnWSe/OjwXV9zOPhG4O4H8Ja+FwPpjZHyTW1vuo1xCqGGwO EujsGkvMaci7Uq31U1mT1QW2lNzkjp8TYIktI9TbnH65Rc+Ocnf7C9OEXr4pj7rcWXeS gPbw==
Received: by 10.14.206.200 with SMTP id l48mr12262978eeo.41.1344250377348; Mon, 06 Aug 2012 03:52:57 -0700 (PDT)
Received: from [192.168.1.65] (host-2-102-216-73.as13285.net. [2.102.216.73]) by mx.google.com with ESMTPS id j4sm46507358eeo.11.2012.08.06.03.52.54 (version=SSLv3 cipher=OTHER); Mon, 06 Aug 2012 03:52:55 -0700 (PDT)
Message-ID: <501FA205.1020203@gmail.com>
Date: Mon, 06 Aug 2012 11:52:53 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com> <501F90F8.1050409@gmail.com> <67832B1175062E48926BF3CB27C49B240685F6@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240685F6@xmb-aln-x12.cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 06 Aug 2012 09:50:03 -0700
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 10:52:59 -0000

On 06/08/2012 11:18, Gunter Van de Velde (gvandeve) wrote:
> I am confused. Please correct my understanding if possible.
> 
> 1) You are ok with the Behringer-LL draft being an informational draft? (not BCP)

Yes. All I'm saying is that it should insist on a valid source address,
which means that a LL source address is not allowed for packets that leave
the local link.

Section 2.5.6 of RFC 4291 makes this clear but people seem to ignore it:
"Link-Local addresses are for use on a single link."

Obviously, therefore, packets whose destination is not LL must not
have a LL source address.

> 2) Passive addresses is something that creates potential issues in your view?

I said I have no problem with that. It doesn't affect the above point.

   Brian
> 
> For (2) I would say... It is just as a normal address... no need at all to discard them on any other box than the receiving box as those boxes just see the address as being a normal IPv6 address. Nothing special about it. It is just a normal address. The behaviour of passive addresses is to do with the way the recipient device deals with this address.
> 
> G/
> 
> 
> 
> 
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] 
> Sent: 06 August 2012 11:40
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)
> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
> 
> Hi Gunter,
> 
> I have no problem with the passive address idea, but the immediate issue is that routers must not source ICMP packets that other routers must discard - hence no LL source addresses.
> 
>     Brian
> 
> On 06/08/2012 10:36, Gunter Van de Velde (gvandeve) wrote:
>> Answer as individual contributor.
>>
>> Fred B. and myself did a draft to exactly address the traceability of 
>> interfaces without increasing the attack vector on interfaces: Passive 
>> IPv6 addresses
>>
>> No new class of addresses at all... no new IANA allocation... just behaviour of the address:
>>
>> 1) it is configured as a normal address
>> 2) just an extra keyword attached to the address identifying its 
>> behavior
>> 3) It can only be used as a 'source' address
>> 4) if it is used as destination address, then when reaching the router 
>> it will be directed to the Null0 interface
>>
>> This will help visibility of the trace-route in cases of LL-only...
>>
>> G/
>>
>>
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>> Sent: 06 August 2012 11:25
>> To: Gunter Van de Velde (gvandeve)
>> Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org); 
>> opsec-chairs@ietf.org; 'draft-behringer-lla-only@tools.ietf.org' 
>> (draft-behringer-lla-only@tools.ietf.org)
>> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
>>
>> Hi,
>>
>>>    o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>>       request ... can be addressed to loopback addresses of routers with
>>>       a global scope address.  Router management can also be done over
>>>       out-of-band channels.
>>>
>>>    o  ICMP error message can also be sourced from the global scope
>>>       loopback address.
>> These statements seem too weak. Using GUAs for ICMP in particular needs to have a normative MUST somewhere (preferably in a BCP). In the context of this Informational draft, the language needs to state a requirement ("must" not "can") even if you don't use RFC 2119 terminology.
>>
>> This matters because packets with a LL source address MUST NOT be forwarded, so a router that is misconfigured to send ICMP replies with a LL source address breaks both ping and traceroute.
>>
>> I think the rule is that any packet that is *not* sent to a LL address must have a GUA as the source address. That takes care of ICMP, and everything else as well.
>>
>> Furthermore, that GUA needs to be associated with a prefix that belongs to the organisation operating the router in question. Otherwise the traceroute results can be very confusing. We discussed that on v6ops back in March.
>>
>> Regards
>>    Brian Carpenter
>>
>>
>>
>>
>> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>>> (distributed to OPSEC WG and in cc v6ops)
>>>
>>> Dear all,
>>>
>>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>>>
>>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>>>
>>> Ciao,
>>> G/, KK & Warren
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
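
The source-address rule argued in the messages above (a packet not sent to a link-local address must carry a GUA source, and that GUA should come from the operator's own prefix), as an added example that is not part of the thread: a Python audit over constructed (router, source, destination) records. The prefixes, router names and verdict strings are assumptions made for the illustration, and treating link-local-scope multicast destinations as on-link goes beyond what the messages state.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Assumption: the operator's own prefix (documentation space, constructed).
OPERATOR_PREFIXES = [ipaddress.ip_network("2001:db8:100::/48")]

# Constructed records: (router, source address, destination address).
SAMPLE_RECORDS = [
    ("r1", "fe80::1", "fe80::2"),                    # neighbour to neighbour
    ("r1", "fe80::1", "ff02::5"),                    # link-local multicast
    ("r2", "fe80::a", "2001:db8:ffff::50"),          # ICMP error, LL source
    ("r3", "2001:db8:100::3", "2001:db8:ffff::50"),  # loopback GUA source
    ("r4", "2001:db8:200::4", "2001:db8:ffff::50"),  # GUA from a foreign prefix
    ("r5", "fd00::5", "2001:db8:ffff::50"),          # ULA source
]


def is_link_scoped(addr):
    """True if the address is only meaningful on a single link."""
    if addr in LINK_LOCAL:
        return True
    if addr.is_multicast:
        # Multicast scope is the low nibble of the second byte (RFC 4291,
        # section 2.7): 1 = interface-local, 2 = link-local.
        return (addr.packed[1] & 0x0F) in (1, 2)
    return False


def check_packet(src, dst, operator_prefixes=OPERATOR_PREFIXES):
    """Classify one (source, destination) pair against the rule."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    if is_link_scoped(d):
        # Traffic that stays on the link may use any source, LL included.
        return "ok-on-link"
    if s in LINK_LOCAL:
        # Leaves the link with a LL source: other routers must not forward it,
        # so ping and traceroute replies from this hop are lost.
        return "ll-source-off-link"
    if s not in GLOBAL_UNICAST:
        return "non-gua-source"
    if not any(s in prefix for prefix in operator_prefixes):
        # Reachable, but traceroute output points at the wrong organisation.
        return "gua-outside-operator-prefix"
    return "ok"


def audit(records, operator_prefixes=OPERATOR_PREFIXES):
    """Return (router, source, verdict) for every record that breaks the rule."""
    findings = []
    for router, src, dst in records:
        verdict = check_packet(src, dst, operator_prefixes)
        if not verdict.startswith("ok"):
            findings.append((router, src, verdict))
    return findings


if __name__ == "__main__":
    for router, src, verdict in audit(SAMPLE_RECORDS):
        print(f"{router}: source {src} -> {verdict}")
```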

From mbehring@cisco.com  Mon Aug  6 04:27:07 2012
Return-Path: <mbehring@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4FDF21F85FC; Mon,  6 Aug 2012 04:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.999
X-Spam-Level: 
X-Spam-Status: No, score=-9.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTVVE0oxBluX; Mon,  6 Aug 2012 04:27:00 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 66A1321F85FF; Mon,  6 Aug 2012 04:27:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mbehring@cisco.com; l=8962; q=dns/txt; s=iport; t=1344252420; x=1345462020; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=D4HHGlZP+1lg8u0t4YIUd53wsbRnOz+/5UoAvJL/Yus=; b=OJmNLUZMALr9rzz7K+bxwJB/4Ul32x7H+5avichSFscEQVAS+eModzaS LVfT9dLXk43Nbr7IJwD3CJyBaeNJg+tpWYK/e2xRVbOpJwpAvLshq/SC+ qpA+lVf83bXi3KJw/ofnh9d31s2QAPgwoTH0LACIacT9xuFPbMATK9neT 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFAIepH1CtJXG8/2dsb2JhbABEhXuyTXaBB4IgAQEBAwEBAQEPARAROgsMBAIBCBEEAQEBAgIGHQMCAgIfBgsUAQgIAgQBDQUIGodcAwYGC5spjRmIeA2JToEhiUJnhXIyYAOTdoJniXWDHYFmgl8
X-IronPort-AV: E=Sophos;i="4.77,718,1336348800"; d="scan'208";a="108787187"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-4.cisco.com with ESMTP; 06 Aug 2012 11:26:59 +0000
Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id q76BQx7K007296 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 11:26:59 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.3]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.02.0298.004; Mon, 6 Aug 2012 06:26:59 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [v6ops] IPv6 LL-only as WG document - feedback requested
Thread-Index: Ac1zsaLKu65hBuxGQ1mVPU9TRZLT7QALZhOAAApGAYD//7IZAIAASnFA///J44CAAFMmwIAAnfCw
Date: Mon, 6 Aug 2012 11:26:58 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4E1300@xmb-rcd-x14.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <67832B1175062E48926BF3CB27C49B2406858F@xmb-aln-x12.cisco.com> <501F90F8.1050409@gmail.com> <67832B1175062E48926BF3CB27C49B240685F6@xmb-aln-x12.cisco.com> <501FA205.1020203@gmail.com> <67832B1175062E48926BF3CB27C49B2406878F@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B2406878F@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.92.37]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19088.006
x-tm-as-result: No--65.578700-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 06 Aug 2012 09:50:03 -0700
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 11:27:07 -0000

From Donald.Smith@CenturyLink.com  Mon Aug  6 10:48:43 2012
Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D83121F8526; Mon,  6 Aug 2012 10:48:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.135
X-Spam-Level: 
X-Spam-Status: No, score=-2.135 tagged_above=-999 required=5 tests=[AWL=-0.136, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IDKudoNKVyV; Mon,  6 Aug 2012 10:48:42 -0700 (PDT)
Received: from sudnp799.qwest.com (sudnp799.qwest.com [155.70.32.99]) by ietfa.amsl.com (Postfix) with ESMTP id 9E1B921F8523; Mon,  6 Aug 2012 10:48:42 -0700 (PDT)
Received: from lxomavmpc030.qintra.com (lxomavmpc030.qintra.com [151.117.207.30]) by sudnp799.qwest.com (8.14.4/8.14.4) with ESMTP id q76Hmfe5011470 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 6 Aug 2012 11:48:41 -0600 (MDT)
Received: from lxomavmpc030.qintra.com (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id CF9661E0065; Mon,  6 Aug 2012 12:48:35 -0500 (CDT)
Received: from suomp61i.qintra.com (unknown [10.6.10.61]) by lxomavmpc030.qintra.com (Postfix) with ESMTP id B52211E004D; Mon,  6 Aug 2012 12:48:35 -0500 (CDT)
Received: from suomp61i.qintra.com (localhost [127.0.0.1]) by suomp61i.qintra.com (8.14.4/8.14.4) with ESMTP id q76HmZDt023658; Mon, 6 Aug 2012 12:48:35 -0500 (CDT)
Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.qintra.com [151.119.128.29]) by suomp61i.qintra.com (8.14.4/8.14.4) with ESMTP id q76HmYoO023655 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Aug 2012 12:48:35 -0500 (CDT)
Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex502.ctl.intranet ([2002:9777:801d::9777:801d]) with mapi id 14.02.0283.003; Mon, 6 Aug 2012 11:48:34 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: "'Gunter Van de Velde (gvandeve)'" <gvandeve@cisco.com>, "'opsec@ietf.org'" <opsec@ietf.org>, "'v6ops v6ops WG (v6ops@ietf.org)'" <v6ops@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgATRZrw
Date: Mon, 6 Aug 2012 17:48:33 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D05B7E2@PDDCWMBXEX503.ctl.intranet>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [151.119.128.7]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 17:48:43 -0000

I will volunteer. With the understanding that my review would be technical not a "IETF nit" review.



When packets collide the controllers cease transmission AND wait a random time before retransmission (mostly)!
Donald.Smith@CenturyLink.com


> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf
> Of Gunter Van de Velde (gvandeve)
> Sent: Monday, August 06, 2012 2:43 AM
> To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
> Subject: [OPSEC] 3 Volunteers wanted - Draft:
> draft-gont-opsec-ipv6-implications-on-ipv4-nets
>
> Dear all,
>
> Can I request the WG members for 3 volunteers to read the draft
> draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the
> list?
>
> This will help the OPSEC chairs to identify if the work is ready for WG
> adoption or not. The work targets are within charter of the WG, and
> seems to be interesting work for the community.
>
> Questions we are looking answers for:
>
> 1)      Should it be targeted BCP or Informational?
>
> 2)      Is the work quality ok to be accepted as WG document?
>
> 3)      Is the topic inline with the OPSEC charter?
>
> 4)      Any missing or over-described points?
>
> Many thanks in advance,
>
> Kind Regards,
>
> OPSEC Chairs,
>
> (G/, KK, Warren)


From simoneng56@gmail.com  Mon Aug  6 19:18:59 2012
Return-Path: <simoneng56@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C191A21F8680 for <opsec@ietfa.amsl.com>; Mon,  6 Aug 2012 19:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.533
X-Spam-Level: 
X-Spam-Status: No, score=-3.533 tagged_above=-999 required=5 tests=[AWL=0.065,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6+rAbHQtqymG for <opsec@ietfa.amsl.com>; Mon,  6 Aug 2012 19:18:59 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id B652721F8679 for <opsec@ietf.org>; Mon,  6 Aug 2012 19:18:58 -0700 (PDT)
Received: by vcbfo14 with SMTP id fo14so3816998vcb.31 for <opsec@ietf.org>; Mon, 06 Aug 2012 19:18:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=I0tuHsAy+Cn0RzaO2bKxcJMoCgbAyAMisvDwP3QlbgQ=; b=CNDoVnpp75gq+IB5O6ZU0uOGUyYjOsP37gcpnIe4cl9tqUwTj5a0iU+4uPMKnoRS7p 3xru/qogQRDFm/Kx6S7sINxruGjoIMSu86OYniIcalhK31HeDyY2XmkXFHSYHzbVckZZ nUrVtJHq5dAWP7Pql+GAhLVHZ8JXyDPtTMhLcPzDbQ5td346nzxYDqKTdEoFb2EU4kWd WaJxAJJCBDS8gOf9Az7xdvBpEtQAdWceWe2u9s/0QjggVI1YRGVUPk2N0RPdux5AgOR5 lAadThwz8ZboiB45mPw6B30fUHxbUBJiGZRronsAJRSfIzWCtXe6vQy0KDpFxeH25A81 v9Dw==
MIME-Version: 1.0
Received: by 10.58.91.148 with SMTP id ce20mr11089360veb.16.1344305938182; Mon, 06 Aug 2012 19:18:58 -0700 (PDT)
Received: by 10.58.29.82 with HTTP; Mon, 6 Aug 2012 19:18:58 -0700 (PDT)
In-Reply-To: <5016292D.8000500@si6networks.com>
References: <CAM2ObsT+D0JafJL7ZAeoCbX-y8YzK0X-BiY2wpNYc6ZZZCX3UQ@mail.gmail.com> <5016292D.8000500@si6networks.com>
Date: Tue, 7 Aug 2012 10:18:58 +0800
Message-ID: <CAM2ObsTLF1A6-g3a=d7DNSVWvym1mSddehD2pF9=dYWXCrQ=Jg@mail.gmail.com>
From: Simon Eng <simoneng56@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary=047d7b624e3eea32e304c6a39d98
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Security Implications of IPv6 on IPv4 Networks
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 02:18:59 -0000

--047d7b624e3eea32e304c6a39d98
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Apologies for the late reply.  Please see comments inline.

Regards.

Simon

On Mon, Jul 30, 2012 at 2:26 PM, Fernando Gont <fgont@si6networks.com> wrote:

> Hi, Simon,
>
> Thanks so much for your feedback! -- Please find my comments inline...
>
>
> On 07/30/2012 01:02 AM, Simon Eng wrote:
> > a) In Section 2, attacks related to Layer 2 (e.g. IPv6 Router
> > Advertisements) are mentioned discussed.  In my humble opinion,
> > in networks meant for IPv4 only (but with IPv6 turned on), Layer 2
> > attacks/mis-configurations will be the greatest to carry out.  Perhaps
> > more can be used to discuss ICMPv6 traffic filtering (especially since
> > it will replace other Layer 2 protocols, such as ARP) and also other
> > relevant Layer 2 protocols?
>
> Do you mean mentioning things like RA-guard, ND-Shield, and
> DHCPv6-Shield? Or something else?
>

Simon: Yes, or security technologies (especially Layer 2??) that should be
highlighted to defend IPv4-only network.

>
>
> > b) DNS security is not mentioned (e.g. turning off AAAA). It may be good
> > to discuss the implications of enabling default IPv6 on for DNS
> > deployment.
>
> Are you referring to enabling AAAA queries? Or something else?
>

Simon: yes, AAAA queries.  On IPv4-only networks, we should not deal with
AAAA queries right?

>
>
> > Since Section 2 & 3 describes more about Layer 2 & 3
> > respectively, perhaps a new Section 4 on "Application/Others" can
> > discuss about DNS or even DHCPv6 filtering?
>
> Yep, this is a possible way to go... although in the specific case of
> DHCPv6-filtering, one may want to discuss it along RA-filtering
> (RA-guard), since they complement each other...
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

--047d7b624e3eea32e304c6a39d98--

From ietfc@btconnect.com  Tue Aug  7 02:59:25 2012
Return-Path: <ietfc@btconnect.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E948621F85C5; Tue,  7 Aug 2012 02:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.399
X-Spam-Level: 
X-Spam-Status: No, score=-3.399 tagged_above=-999 required=5 tests=[AWL=-0.400, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N12TEdBoUsrv; Tue,  7 Aug 2012 02:59:24 -0700 (PDT)
Received: from db3outboundpool.messaging.microsoft.com (db3ehsobe001.messaging.microsoft.com [213.199.154.139]) by ietfa.amsl.com (Postfix) with ESMTP id D06D321F85DF; Tue,  7 Aug 2012 02:59:23 -0700 (PDT)
Received: from mail112-db3-R.bigfish.com (10.3.81.239) by DB3EHSOBE009.bigfish.com (10.3.84.29) with Microsoft SMTP Server id 14.1.225.23; Tue, 7 Aug 2012 09:59:22 +0000
Received: from mail112-db3 (localhost [127.0.0.1])	by mail112-db3-R.bigfish.com (Postfix) with ESMTP id 53CE8C031A; Tue,  7 Aug 2012 09:59:22 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.55.224.141; KIP:(null); UIP:(null); IPV:NLI; H:DB3PRD0702HT003.eurprd07.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -23
X-BigFish: PS-23(zz9371I1be0I542Mzz1202hzz1033IL8275bh8275dhz2dh2a8h5a9h668h839hd24hf0ah107ah304l)
Received: from mail112-db3 (localhost.localdomain [127.0.0.1]) by mail112-db3 (MessageSwitch) id 1344333560458261_25474; Tue,  7 Aug 2012 09:59:20 +0000 (UTC)
Received: from DB3EHSMHS002.bigfish.com (unknown [10.3.81.231])	by mail112-db3.bigfish.com (Postfix) with ESMTP id 6DB5B1A00BB; Tue,  7 Aug 2012 09:59:20 +0000 (UTC)
Received: from DB3PRD0702HT003.eurprd07.prod.outlook.com (157.55.224.141) by DB3EHSMHS002.bigfish.com (10.3.87.102) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 7 Aug 2012 09:59:19 +0000
Received: from DBXPRD0510HT005.eurprd05.prod.outlook.com (157.56.252.165) by pod51017.outlook.com (10.3.4.151) with Microsoft SMTP Server (TLS) id 14.15.108.4; Tue, 7 Aug 2012 09:59:19 +0000
Message-ID: <039d01cd7482$b1b65720$4001a8c0@gateway.2wire.net>
From: t.petch <ietfc@btconnect.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, <opsec@ietf.org>
References: <67832B1175062E48926BF3CB27C49B240674DA@xmb-aln-x12.cisco.com>
Date: Tue, 7 Aug 2012 10:54:19 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.252.165]
X-OriginatorOrg: btconnect.com
Cc: draft-vyncke-opsec-v6@tools.ietf.org, v6ops@ietf.org, draft-jdurant-bgp-security-01@tools.ietf.org
Subject: Re: [OPSEC] [v6ops] IPv6 OPSEC drafts need review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 09:59:25 -0000

----- Original Message -----
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: <opsec@ietf.org>
Cc: <draft-vyncke-opsec-v6@tools.ietf.org>; <v6ops@ietf.org>;
<draft-jdurant-bgp-security-01@tools.ietf.org>
Sent: Monday, August 06, 2012 9:51 AM

Dear all,

As mentioned during the OPSEC WG meeting, the following 2 drafts will in
3 weeks be considered for WG documents, after a call for feedback on the
email list. During the WG meeting it became clear that not that many
people read the documents until now.

Please read drafts:


2)      http://tools.ietf.org/html/draft-jdurand-bgp-security-01

<tp>
Why OPSEC, when we have GROW or even IDR, neither of whom are copied on
this e-mail?

What do the chairs of those WGs say?

Tom Petch
</tp>

On Monday 27th the chairs of OPSEC WG will ask the WG during a period of
7 days for feedback on these drafts to support or deny acceptance as WG
documents.

Kind Regards,
G/, KK & Warren






From gvandeve@cisco.com  Tue Aug  7 07:25:12 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0B4921F86DA; Tue,  7 Aug 2012 07:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.09
X-Spam-Level: 
X-Spam-Status: No, score=-10.09 tagged_above=-999 required=5 tests=[AWL=-0.092, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0drFfIYdyBO; Tue,  7 Aug 2012 07:25:11 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 544FA21F86C5; Tue,  7 Aug 2012 07:25:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=8884; q=dns/txt; s=iport; t=1344349511; x=1345559111; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=S0TuV3z8aZumqzHe8b4WWvLWlh33I2tNKif9qJiwpxc=; b=JE86AvYuVqF3Mo752Tu9Mg0ftXs7TMAyOLnxol3VVs/WFErR1eo6i/MZ nffsNdMxEn9ZkpynuhaGa5wuP8auzJI3FOit/kegmYUKUN3m/CUeUBuk1 H00xc2HlgdKkwbfiVc5JgBfpWtdiaAz5VyNiuyI3Iu23cKE2vMUtyQo32 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFAKIkIVCtJXHB/2dsb2JhbAA7CoJKtnyBB4IgAQEBBBIBGkwQAgEIEQQBAQsdBzIUCQgBAQQBDQUIDA6Ha5tXoFaLDxCFfWADo26BZoJf
X-IronPort-AV: E=Sophos;i="4.77,727,1336348800";  d="scan'208,217";a="109176836"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-7.cisco.com with ESMTP; 07 Aug 2012 14:25:10 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id q77EPA6X015508 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 7 Aug 2012 14:25:10 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.02.0298.004; Tue, 7 Aug 2012 09:25:10 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgA+bzKA
Date: Tue, 7 Aug 2012 14:25:09 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.99.43]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19090.005
x-tm-as-result: No--38.664700-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B2406BE1Fxmbalnx12ciscocom_"
MIME-Version: 1.0
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 14:25:12 -0000

--_000_67832B1175062E48926BF3CB27C49B2406BE1Fxmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I received a note that Eric Vyncke volunteered to review this draft.

A 3rd candidate is still looked for.

Kind Regards,
G/

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: 06 August 2012 10:43
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Dear all,

Can I request the WG members for 3 volunteers to read the draft draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the list?

This will help the OPSEC chairs to identify if the work is ready for WG adoption or not. The work targets are within charter of the WG, and seems to be interesting work for the community.

Questions we are looking answers for:


1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic inline with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_67832B1175062E48926BF3CB27C49B2406BE1Fxmbalnx12ciscocom_--

From rbonica@juniper.net  Tue Aug  7 07:40:34 2012
Return-Path: <rbonica@juniper.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E06B21F853D for <opsec@ietfa.amsl.com>; Tue,  7 Aug 2012 07:40:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.575
X-Spam-Level: 
X-Spam-Status: No, score=-106.575 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXlgeAqrLLzw for <opsec@ietfa.amsl.com>; Tue,  7 Aug 2012 07:40:33 -0700 (PDT)
Received: from exprod7og126.obsmtp.com (exprod7og126.obsmtp.com [64.18.2.206]) by ietfa.amsl.com (Postfix) with ESMTP id DCA0F21F8532 for <opsec@ietf.org>; Tue,  7 Aug 2012 07:40:32 -0700 (PDT)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob126.postini.com ([64.18.6.12]) with SMTP ID DSNKUCEo3/b0rY1kHsQDA0dhBKHC26Q3EIQx@postini.com; Tue, 07 Aug 2012 07:40:32 PDT
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 7 Aug 2012 07:38:34 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Tue, 7 Aug 2012 10:38:33 -0400
From: Ronald Bonica <rbonica@juniper.net>
To: "opsec@ietf.org" <opsec@ietf.org>
Date: Tue, 7 Aug 2012 10:38:32 -0400
Thread-Topic: Comments on draft-jdurand-bgp-security
Thread-Index: Ac10qlFrY5+NYzLkQSyU572HanPu5g==
Message-ID: <13205C286662DE4387D9AF3AC30EF456D77178BB80@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OPSEC] Comments on draft-jdurand-bgp-security
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 14:40:34 -0000

Authors,

Thanks for writing draft-jdurand-bgp-security. On the whole, it is a very well written document. The following are a few comments:

Section 2.5
============
Somewhere between Section 2 and Section 3, you should mention that the BGP process needs to be protected from stray packets. Protection can be achieved by applying a forwarding plane ACL. The ACL accepts all packets that meet the following criteria:

- directed to TCP port 179 on the local device
- sourced from a known BGP neighbor

It discards all packets directed to TCP port 179 on the local device and sourced from an address not known to be a BGP neighbor.


Section 3.1
============
In Section 3.1, you talk about MD5 Password Protection. This makes the reader think that you are talking about RFC 2385. However, the reference is to RFC 5925 (TCP-AO). Please be clear about which you are recommending.

In this regard, we have a dilemma. The IETF has obsoleted RFC 2385 and replaced it with RFC 5925. However, to the best of my knowledge, there are no commercially available implementations.

Section 4.1.1.1
===============
Rather than listing every IPv4 special-use address, you might want to simply refer the reader to RFC 5735 and 5736.

Section 4.1.1.2
================
Rather than listing every IPv6 special-use address, you might want to refer the reader to http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml. It might be better to refer the reader to the registry, because it will be kept up to date in the future.


Section 4.1.3
=============
It is true that most ISPs will not accept advertisements beyond a certain level of specificity. However, this is an issue to be worked out between the operators, and not an issue for standardization.

--------------------------
Ron Bonica
vcard:       www.bonica.org/ron/ronbonica.vcf
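
The ACL described in the Section 2.5 comment above, as an added example that is not part of the original message or of the draft: a small Python model of the accept/discard decision, plus a rendering of the same policy as an nftables ruleset. The addresses are constructed documentation-prefix values; nftables as the target, the table and set names, and the `BgpAcl` class are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

BGP_PORT = 179  # TCP port named in the message


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


class BgpAcl:
    """Accept TCP/179 to the local device from known neighbors, discard the rest."""

    def __init__(self, local_addrs, neighbors):
        # ip_address() normalises textual forms, so "2001:DB8::1" and
        # "2001:db8:0:0:0:0:0:1" compare equal.
        self.local = {ipaddress.ip_address(a) for a in local_addrs}
        self.neighbors = {ipaddress.ip_address(a) for a in neighbors}

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if pkt.proto != "tcp" or pkt.dport != BGP_PORT or dst not in self.local:
            return "pass"  # not BGP to this device: outside this ACL's scope
        return "accept" if src in self.neighbors else "discard"

    def render_nft(self):
        """Render the same policy as an nftables ruleset (assumed target platform)."""
        lines = ["table inet bgp_protect {"]
        rules = []
        for version, set_type, match in ((4, "ipv4_addr", "ip"), (6, "ipv6_addr", "ip6")):
            peers = sorted(n for n in self.neighbors if n.version == version)
            if not peers:
                continue  # no neighbors of this family: no set and no accept rule
            name = f"bgp_peers{version}"
            elements = ", ".join(str(p) for p in peers)
            lines += [f"    set {name} {{",
                      f"        type {set_type}",
                      f"        elements = {{ {elements} }}",
                      "    }"]
            rules.append(f"        tcp dport {BGP_PORT} {match} saddr @{name} accept")
        # The input hook only sees packets addressed to the local device.
        lines += ["    chain input {",
                  "        type filter hook input priority 0; policy accept;",
                  *rules,
                  f"        tcp dport {BGP_PORT} drop",
                  "    }",
                  "}"]
        return "\n".join(lines)


# Constructed sample data using documentation prefixes (RFC 5737, RFC 3849).
LOCAL = ["192.0.2.254", "2001:db8::254"]
NEIGHBORS = ["192.0.2.1", "2001:DB8::1"]
SAMPLE_PACKETS = [
    Packet("192.0.2.1", "192.0.2.254", "tcp", 179),                # known neighbor
    Packet("198.51.100.7", "192.0.2.254", "tcp", 179),             # stray packet
    Packet("2001:db8:0:0:0:0:0:1", "2001:db8::254", "tcp", 179),   # neighbor, long form
    Packet("198.51.100.7", "192.0.2.254", "tcp", 22),              # not BGP
    Packet("198.51.100.7", "203.0.113.9", "tcp", 179),             # not for this device
]


def audit(acl, packets):
    """Return the ACL verdict for each packet, in order."""
    return [acl.decide(p) for p in packets]


if __name__ == "__main__":
    acl = BgpAcl(LOCAL, NEIGHBORS)
    for pkt, verdict in zip(SAMPLE_PACKETS, audit(acl, SAMPLE_PACKETS)):
        print(f"{verdict:8} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    print(acl.render_nft())
```

The model follows the message literally and filters only on destination port 179; a session the local device initiates returns traffic with source port 179, which a deployed filter also has to admit from the same neighbor set.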


From gvandeve@cisco.com  Tue Aug  7 07:47:31 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D80021F873B; Tue,  7 Aug 2012 07:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.784
X-Spam-Level: 
X-Spam-Status: No, score=-9.784 tagged_above=-999 required=5 tests=[AWL=-0.385, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5GBCXkcDs7L; Tue,  7 Aug 2012 07:47:30 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id AFA4B21F873A; Tue,  7 Aug 2012 07:47:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=1847; q=dns/txt; s=iport; t=1344350850; x=1345560450; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=3BMGJjdAMOv9Bl8mXByeEvq7oIFJKG40Vu0J5/1WvwI=; b=Ur7TpJu8+u5uqo7HolRAR30Tty9QbXLDhm1h2mDiLDOlVkZiikpaitEx AqUn9ssSNIX1wHxXYv7WfnK+HO6hOEYgwB307mh6rzeQnvF4U1W81Zcgu KLn8LExNXaMpVQlIgS2eBz+T4TP+qUoAoNtRTsWK1skz/1K48aiweFgIt I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAAoqIVCtJV2b/2dsb2JhbABFuUaBB4IgAQEBBAEBAQ8BCh00CwUHBAIBCBEEAQELFAkHJwsUCQgBAQQBDQUIGodrC5tWoFmLDxqFc2ADllyNEoFmgl+BXw
X-IronPort-AV: E=Sophos;i="4.77,727,1336348800"; d="scan'208";a="109167149"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-2.cisco.com with ESMTP; 07 Aug 2012 14:47:29 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q77ElTVW003660 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 7 Aug 2012 14:47:29 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.02.0298.004; Tue, 7 Aug 2012 09:47:28 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "t.petch" <ietfc@btconnect.com>, "opsec@ietf.org" <opsec@ietf.org>, "idr@ietf.org" <idr@ietf.org>, "grow@ietf.org" <grow@ietf.org>
Thread-Topic: [v6ops] IPv6 OPSEC drafts need review
Thread-Index: Ac1zr7XviImO0VW9ShaYOQMMM67U3AA059NkAAn2Y+A=
Date: Tue, 7 Aug 2012 14:47:28 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B2406BF8D@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674DA@xmb-aln-x12.cisco.com> <039d01cd7482$b1b65720$4001a8c0@gateway.2wire.net>
In-Reply-To: <039d01cd7482$b1b65720$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.99.43]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19090.005
x-tm-as-result: No--36.613900-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-vyncke-opsec-v6@tools.ietf.org" <draft-vyncke-opsec-v6@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>, "draft-jdurant-bgp-security-01@tools.ietf.org" <draft-jdurant-bgp-security-01@tools.ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 OPSEC drafts need review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 14:47:31 -0000

Hi Tom,

Good question.

Added idr and grow for their feedback on this work.

Reason for OPSEC is as it deals with operational security on BGP deployments. If general consensus is that other WG is more appropriate, then that is ok for me also. I will leave that to the IAD's to decide.

G/


-----Original Message-----
From: t.petch [mailto:ietfc@btconnect.com]
Sent: 07 August 2012 11:54
To: Gunter Van de Velde (gvandeve); opsec@ietf.org
Cc: draft-vyncke-opsec-v6@tools.ietf.org; v6ops@ietf.org; draft-jdurant-bgp-security-01@tools.ietf.org
Subject: Re: [v6ops] IPv6 OPSEC drafts need review

----- Original Message -----
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: <opsec@ietf.org>
Cc: <draft-vyncke-opsec-v6@tools.ietf.org>; <v6ops@ietf.org>; <draft-jdurant-bgp-security-01@tools.ietf.org>
Sent: Monday, August 06, 2012 9:51 AM

Dear all,

As mentioned during the OPSEC WG meeting, the following 2 drafts will in
3 weeks be considered for WG documents, after a call for feedback on the email list. During the WG meeting it became clear that not that many people read the documents until now.

Please read drafts:


2)      http://tools.ietf.org/html/draft-jdurand-bgp-security-01

<tp>
Why OPSEC, when we have GROW or even IDR, neither of whom are copied on this e-mail?

What do the chairs of those WGs say?

Tom Petch
</tp>

On Monday 27th the chairs of OPSEC WG will ask the WG during a period of
7 days for feedback on these drafts to support or deny acceptance as WG documents.

Kind Regards,
G/, KK & Warren






From ietf@meetecho.com  Tue Aug  7 15:48:45 2012
Return-Path: <ietf@meetecho.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA66021F8667 for <opsec@ietfa.amsl.com>; Tue,  7 Aug 2012 15:48:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.229
X-Spam-Level: 
X-Spam-Status: No, score=-0.229 tagged_above=-999 required=5 tests=[AWL=0.490,  BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CrxNrd2Rnhhr for <opsec@ietfa.amsl.com>; Tue,  7 Aug 2012 15:48:44 -0700 (PDT)
Received: from smtplq02.aruba.it (smtplqs-out17.aruba.it [62.149.158.57]) by ietfa.amsl.com (Postfix) with SMTP id BFB6E21F8644 for <opsec@ietf.org>; Tue,  7 Aug 2012 15:48:43 -0700 (PDT)
Received: (qmail 28274 invoked by uid 89); 7 Aug 2012 22:48:42 -0000
Received: from unknown (HELO smtp1.aruba.it) (62.149.158.221) by smtplq02.aruba.it with SMTP; 7 Aug 2012 22:48:42 -0000
Received: (qmail 29062 invoked by uid 89); 7 Aug 2012 22:48:42 -0000
Received: from unknown (HELO ?192.168.1.154?) (alex@meetecho.com@87.11.150.210) by smtp1.ad.aruba.it with ESMTPA; 7 Aug 2012 22:48:42 -0000
Message-ID: <50219B3B.9060502@meetecho.com>
Date: Wed, 08 Aug 2012 00:48:27 +0200
From: Meetecho IETF support <ietf@meetecho.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: opsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Rating: smtplq02.aruba.it 1.6.2 0/1000/N
Subject: [OPSEC] Meetecho session recording available
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 22:48:45 -0000

Dear all,

the full recording (synchronized video, audio, slides and jabber room)
of the OPSEC session at IETF-84 is available.

You can watch it by accessing the following URL:
http://ietf84.conf.meetecho.com/index.php/Recorded_Sessions#IETF84_OPSEC

For the chair(s): please feel free to put the link to the recording in 
the minutes, if you think this might be useful.

In case of problems with the playout, just drop an e-mail to 
team@meetecho.com.

Cheers,
the Meetecho team

-- 
Meetecho s.r.l.
Web Conferencing and Collaboration Tools
www.meetecho.com

From pkampana@cisco.com  Thu Aug  9 10:48:50 2012
Return-Path: <pkampana@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 472F521F86C4 for <opsec@ietfa.amsl.com>; Thu,  9 Aug 2012 10:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.298
X-Spam-Level: 
X-Spam-Status: No, score=-10.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UqU79wt3Z-RE for <opsec@ietfa.amsl.com>; Thu,  9 Aug 2012 10:48:49 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 3EFFB21F869F for <opsec@ietf.org>; Thu,  9 Aug 2012 10:48:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pkampana@cisco.com; l=11797; q=dns/txt; s=iport; t=1344534529; x=1345744129; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=xWaWClAKsbKbr8H7rjr17TcO0sSMGmsrt3irJc4XUoU=; b=A9uSsM2fc3Hfcy+RO6BpTC4rHN11p/4mpl43EEE0nCAHpS3qL0KPAEy1 /Wb56m3x3CFErhpzKqbVwjohTfo+Jl3QEy/lxJTEVrE65lDxGb9W5otQI sw/OFkZ+b5w4aZB1F/ireLKiw5JkDYVpa2BVG3sVxV3etn9gK9zVujzmq c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFAIzgI1CtJXG9/2dsb2JhbAA7CoJKtxiBB4IgAQEBBBIBGlwCAQgRBAEBCx0HMhQJCAEBBAESCAwOh2ubBqBtiw8QhXRgA6NygWaCXw
X-IronPort-AV: E=Sophos;i="4.77,741,1336348800";  d="scan'208,217";a="110042316"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-7.cisco.com with ESMTP; 09 Aug 2012 17:48:48 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id q79HmmkP031825 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <opsec@ietf.org>; Thu, 9 Aug 2012 17:48:48 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.216]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.02.0298.004; Thu, 9 Aug 2012 12:48:47 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgA+bzKAAGuq0lA=
Date: Thu, 9 Aug 2012 17:48:46 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [64.102.89.106]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19096.006
x-tm-as-result: No--37.671400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_1C9F17D1873AFA47A969C4DD98F98A7504E928xmbrcdx10ciscocom_"
MIME-Version: 1.0
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Aug 2012 17:48:50 -0000

--_000_1C9F17D1873AFA47A969C4DD98F98A7504E928xmbrcdx10ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I can look at it unless you have 3 already.
Panos


From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: Tuesday, August 07, 2012 10:25 AM
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

I received a note that Eric Vyncke volunteered to review this draft.

A 3rd candidate is still looked for.

Kind Regards,
G/

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: 06 August 2012 10:43
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Dear all,

Can I request the WG members for 3 volunteers to read the draft
draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the list?

This will help the OPSEC chairs to identify if the work is ready for WG
adoption or not. The work targets are within charter of the WG, and seems to
be interesting work for the community.

Questions we are looking for answers to:


1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic in line with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_1C9F17D1873AFA47A969C4DD98F98A7504E928xmbrcdx10ciscocom_--

From evyncke@cisco.com  Mon Aug 13 09:11:33 2012
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9E321F86E1; Mon, 13 Aug 2012 09:11:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.089
X-Spam-Level: 
X-Spam-Status: No, score=-10.089 tagged_above=-999 required=5 tests=[AWL=-0.091, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYwPhQv0FD7u; Mon, 13 Aug 2012 09:11:32 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 3221821F86DC; Mon, 13 Aug 2012 09:11:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=evyncke@cisco.com; l=8872; q=dns/txt; s=iport; t=1344874292; x=1346083892; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=tWEaruPxZ5ZCWJr5u3bHIbrvi3Kqea38zCs5Mhu6tU4=; b=k96qV502cPWP30jl0IXJPmx41tLLXNCmfrATAYY9l/gaM8vP2f+TA3rE Jv+OcdEdwHWNUKp/PsohPe3xiLDzl92uiorbwxO00wBTBrTUwiYMHhs6d NNrd6StYAGDr3OH2Dq9L0RnBe9wk5+VpB9i8Ji5uzyqS1SPrImxY6pDTU E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFAPQmKVCtJV2Z/2dsb2JhbAA7CoJKtzuBB4IgAQEBBBIBGlwCAQgRBAEBCx0HMhQJCAEBBAESCAwOh2uYJKAoixIQhUFgA4gZm1yBZoJf
X-IronPort-AV: E=Sophos;i="4.77,761,1336348800";  d="scan'208,217";a="111063676"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-5.cisco.com with ESMTP; 13 Aug 2012 16:11:29 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q7DGBTbQ021398 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 13 Aug 2012 16:11:29 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.02.0298.004; Mon, 13 Aug 2012 11:11:28 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgFv8/bw
Date: Mon, 13 Aug 2012 16:11:28 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.185.71]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19108.006
x-tm-as-result: No--37.783500-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_97EB7536A2B2C549846804BBF3FD47E10C2DE3xmbalnx02ciscocom_"
MIME-Version: 1.0
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 16:11:33 -0000

--_000_97EB7536A2B2C549846804BBF3FD47E10C2DE3xmbalnx02ciscocom_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Count me in

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: Monday, 6 August 2012 10:43
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Dear all,

Can I request the WG members for 3 volunteers to read the draft
draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the list?

This will help the OPSEC chairs to identify if the work is ready for WG
adoption or not. The work targets are within charter of the WG, and seems to
be interesting work for the community.

Questions we are looking for answers to:


1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic in line with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_97EB7536A2B2C549846804BBF3FD47E10C2DE3xmbalnx02ciscocom_--

From fgont@si6networks.com  Mon Aug 13 09:12:55 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4816D21F8751 for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 09:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.555
X-Spam-Level: 
X-Spam-Status: No, score=-2.555 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bos3-Ipy3UiR for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 09:12:54 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id ACC7721F8703 for <opsec@ietf.org>; Mon, 13 Aug 2012 09:12:54 -0700 (PDT)
Received: from 9-161-231-201.fibertel.com.ar ([201.231.161.9] helo=[192.168.0.155]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T0xG6-0004B4-4O; Mon, 13 Aug 2012 18:12:50 +0200
Message-ID: <5028F27A.5070404@si6networks.com>
Date: Mon, 13 Aug 2012 09:26:34 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 16:12:55 -0000

Hi, Panos,

On 08/09/2012 02:48 PM, Panos Kampanakis (pkampana) wrote:
> I can look at it unless you have 3 already.

Please do.

Any comments will be really welcome.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From fgont@si6networks.com  Mon Aug 13 12:58:39 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D355C21F8629; Mon, 13 Aug 2012 12:58:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYLklb+9a4wb; Mon, 13 Aug 2012 12:58:39 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 5CFFF21F8627; Mon, 13 Aug 2012 12:58:39 -0700 (PDT)
Received: from [190.245.182.195] (helo=[192.168.1.128]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T10mY-0001u5-RI; Mon, 13 Aug 2012 21:58:35 +0200
Message-ID: <50295C33.7070606@si6networks.com>
Date: Mon, 13 Aug 2012 16:57:39 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 19:58:39 -0000

On 08/13/2012 01:11 PM, Eric Vyncke (evyncke) wrote:
> Count me in

Great! -- Thanks so much for volunteering..

I look forward to your feedback!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From pkampana@cisco.com  Mon Aug 13 13:52:53 2012
Return-Path: <pkampana@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EFB321F8650 for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 13:52:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.538
X-Spam-Level: 
X-Spam-Status: No, score=-10.538 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaVHEmTgCmZZ for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 13:52:52 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id A7BFD21F8661 for <opsec@ietf.org>; Mon, 13 Aug 2012 13:52:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pkampana@cisco.com; l=2371; q=dns/txt; s=iport; t=1344891172; x=1346100772; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=nrlGrx+E55zOBJ+L5ALFfDYVEf/grHUtkagmCIpudgw=; b=LtDGTFRykDPdwD3QdFJVr3jzeBgOZ0/zMr4FJWnjs7LneynPF5RI/dKX aUr1Kx6ARI3V4r9hL9Xh+8dsWTOI86bVu4Q9yft1gpe4SektObLwTQoYt okeg2B58w25X8lQYp0a0y/TEm+hSV5q1X7ogZjW/Uk3sy1KFadxxiPrO1 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAGloKVCtJXG9/2dsb2JhbABFugaBB4IgAQEBBBIBJz8MBAIBCA4DBAEBAQoUCQcyFAkIAgQOBQgah2sLmCWgW4sSGoU3YAOWX40WgWaCX4Ff
X-IronPort-AV: E=Sophos;i="4.77,762,1336348800"; d="scan'208";a="111154836"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-6.cisco.com with ESMTP; 13 Aug 2012 20:52:52 +0000
Received: from xhc-aln-x07.cisco.com (xhc-aln-x07.cisco.com [173.36.12.81]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id q7DKqpQC015529 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 13 Aug 2012 20:52:51 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.216]) by xhc-aln-x07.cisco.com ([173.36.12.81]) with mapi id 14.02.0298.004; Mon, 13 Aug 2012 15:52:51 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
Thread-Index: AQHNeZWaKR05kIY63U21DsJOzlc22A==
Date: Mon, 13 Aug 2012 20:52:51 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com>
In-Reply-To: <5028F27A.5070404@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [64.102.89.107]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.000
x-tm-as-result: No--42.484500-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 20:52:53 -0000

Hi Fernando,

Useful I-D. Some initial thoughts:

- I see that you are mentioning RA-Guard for SLAAC-based attacks. Is the ND-Shield worth mentioning for L2 attacks?
- For 6to4, maybe it would be worth mentioning http://tools.ietf.org/html/rfc3964
- In the 6to4 subsection, a couple of protections state "(embedded in the IPv4 payload)". This is not our traditional ACL filtering. It requires equipment that can look at and inspect the encapsulated packet, or match on specific fields of the packet payload, or actually understand 6-in-4 encapsulation in order to be able to filter. Maybe it would be worth putting in a sentence to clarify that, to prevent readers from thinking this is traditional ACL filtering.
- For Teredo, would it be worth mentioning that blocking UDP packets with embedded IPv6 addresses 2001::/32 on a device that can match/"understand"/inspect Teredo encapsulation is another mitigation option (as in 6to4 "(embedded in the IPv4 payload)")?
- The ISATAP section suggests that it can be blocked as described in Section 3. Can you add blocking "isatap.<domain>.com" in DNS A record as in Teredo?
- Section "3.  Security Implications of tunneling Mechanisms". Would it be worth breaking up the tunneling mechanisms into Client and ISP? The protections would then be employed in tACLs and iACLs (for example, blocking 6rd should be done on the iACL). This is not a technical correction, but rather a suggestion for the semantics.
- Would it be worth having a table at the end, as you had for the ICMP filtering I-D, that says
"Teredo    	block this"
"ISATAP    	block that"
"6rd		block this"
It would be a good summary table.

Rgs,
Panos


-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com]
Sent: Monday, August 13, 2012 8:27 AM
To: Panos Kampanakis (pkampana)
Cc: Gunter Van de Velde (gvandeve); opsec@ietf.org
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Hi, Panos,

On 08/09/2012 02:48 PM, Panos Kampanakis (pkampana) wrote:
> I can look at it unless you have 3 already.

Please do.

Any comments will be really welcome.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From pkampana@cisco.com  Mon Aug 13 13:54:10 2012
Return-Path: <pkampana@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC0D21F866A for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 13:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.248
X-Spam-Level: 
X-Spam-Status: No, score=-10.248 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3jF8d5+GrKyQ for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 13:54:08 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id A346421F865E for <opsec@ietf.org>; Mon, 13 Aug 2012 13:54:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pkampana@cisco.com; l=12721; q=dns/txt; s=iport; t=1344891248; x=1346100848; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=R1gJu3rpM0OlURJVN/n9Y79fMoF5QmBqVAIsAvLAdUg=; b=Y789BGH8tYRCK3KbNfgxH5RRLR5p5uZbqXZXPxCPrairkOJMsMSdLOMP QncSqoIt3KdhDLpqQTdIcikU3Pf//OVSvdUuxx/Lvs8dyU4SKZAncCfZt wnTJTE2PRqumk9RbwigZ7hMIPkZ9n0k+eDSKdz68XAk4PupXDHnaA2mJt E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFAC9oKVCtJXG+/2dsb2JhbAA7CoJKtzyBB4IgAQEBBBIBGlwCAQgRBAEBCx0HMhQJCAEBBAESCAwOh2uYL6BbixIQhUFgA6N1gWaCX4Ff
X-IronPort-AV: E=Sophos;i="4.77,762,1336348800";  d="scan'208,217";a="111158138"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-5.cisco.com with ESMTP; 13 Aug 2012 20:54:08 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id q7DKs847026932 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <opsec@ietf.org>; Mon, 13 Aug 2012 20:54:08 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.216]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.02.0298.004; Mon, 13 Aug 2012 15:54:07 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgF3xIZA
Date: Mon, 13 Aug 2012 20:54:06 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A75051279@xmb-rcd-x10.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [64.102.89.107]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.000
x-tm-as-result: No--48.271300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_1C9F17D1873AFA47A969C4DD98F98A75051279xmbrcdx10ciscocom_"
MIME-Version: 1.0
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 20:54:10 -0000

--_000_1C9F17D1873AFA47A969C4DD98F98A75051279xmbrcdx10ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable



These are my thoughts on the questions for this I-D:

1)    Should it be targeted BCP or Informational?

      My opinion is that it is Informational, since it is explaining the concerns and the protection options. Whether the protections in the doc are good practices or not depends on the network specifics, so I think Info is better than BCP.

2)    Is the work quality ok to be accepted as WG document?

      Yes, the doc is useful and detailed enough to be a WG doc.

3)    Is the topic in line with the OPSEC charter?

      Yes, it doesn't describe new protocols, but it explains security implications and how to protect against them.

4)    Any missing or over-described points?

      I sent thoughts to Fernando in a separate email in the WG alias titled "Re: Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review"



Thanks,

Panos




From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: Monday, August 06, 2012 4:43 AM
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Dear all,

Can I request the WG members for 3 volunteers to read the draft draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the list?

This will help the OPSEC chairs to identify if the work is ready for WG adoption or not. The work targets are within the charter of the WG, and it seems to be interesting work for the community.

Questions we are looking for answers to:

1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic in line with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_1C9F17D1873AFA47A969C4DD98F98A75051279xmbrcdx10ciscocom_--

From Donald.Smith@CenturyLink.com  Mon Aug 13 13:57:43 2012
Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 892FB21F866B; Mon, 13 Aug 2012 13:57:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.123
X-Spam-Level: 
X-Spam-Status: No, score=-2.123 tagged_above=-999 required=5 tests=[AWL=-0.124, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iufhXqAtWTFU; Mon, 13 Aug 2012 13:57:43 -0700 (PDT)
Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) by ietfa.amsl.com (Postfix) with ESMTP id 03B9221F865F; Mon, 13 Aug 2012 13:57:42 -0700 (PDT)
Received: from lxomavmpc030.qintra.com (lxomavmpc030.qintra.com [151.117.207.30]) by suomp64i.qwest.com (8.14.4/8.14.4) with ESMTP id q7DKvfBP003236 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 13 Aug 2012 15:57:41 -0500 (CDT)
Received: from lxomavmpc030.qintra.com (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id 28F621E0053; Mon, 13 Aug 2012 15:57:36 -0500 (CDT)
Received: from sudnp796.qintra.com (unknown [10.6.10.61]) by lxomavmpc030.qintra.com (Postfix) with ESMTP id EC9C21E0086; Mon, 13 Aug 2012 15:57:35 -0500 (CDT)
Received: from sudnp796.qintra.com (localhost [127.0.0.1]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id q7DKvZLl015559; Mon, 13 Aug 2012 14:57:35 -0600 (MDT)
Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.qintra.com [151.119.128.29]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id q7DKvZg9015556 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 13 Aug 2012 14:57:35 -0600 (MDT)
Received: from PDDCWMBXEX501.ctl.intranet ([fe80::409c:426a:5818:95bc]) by vddcwhubex502.ctl.intranet ([2002:9777:801d::9777:801d]) with mapi id 14.02.0283.003; Mon, 13 Aug 2012 14:57:35 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: Fernando Gont <fgont@si6networks.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Thread-Topic: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: AQHNeY4L0zidHynrsUS/d4UYUcJKBJdYNfPC
Date: Mon, 13 Aug 2012 20:57:34 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D0832E8D2@PDDCWMBXEX501.ctl.intranet>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>, <50295C33.7070606@si6networks.com>
In-Reply-To: <50295C33.7070606@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [151.119.128.8]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft:	draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 20:57:43 -0000

In 3.1, grammar nit. This:
As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
   could be easily blocked by filtering IPv4 that contain their Protocol
   field set to 41.  This is the most effective way of filtering such
   traffic.
Should be this:
As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
   could be easily blocked by filtering IPv4 that has the Protocol
   field set to 41.  This is the most effective way of filtering such
   traffic.

In 3.1 you state:
Filter incoming IPv4 packets that have their Source Address set to
      an address that belongs to the prefix 192.88.99.0/24.
         It has been suggested that 6to4 relays send their packets with
         their IPv4 Source Address set to 192.88.99.1.

So should the blocking recommendation be 192.88.99.0/24 or the .1/32?

Other than that this looks pretty good.
Thanks.


(coffee != sleep) & (!coffee == sleep)
 Donald.Smith@centurylink.com

________________________________________
From: opsec-bounces@ietf.org [opsec-bounces@ietf.org] on behalf of Fernando Gont [fgont@si6networks.com]
Sent: Monday, August 13, 2012 1:57 PM
To: Eric Vyncke (evyncke)
Cc: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

On 08/13/2012 01:11 PM, Eric Vyncke (evyncke) wrote:
> Count me in

Great! -- Thanks so much for volunteering..

I look forward to your feedback!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492



_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
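
Added example, not part of the thread or of the draft under review: a Python sketch of the distinction raised in the two reviews above, between what an ACL on outer header fields can match (Protocol 41, a 192.88.99.0/24 source) and what needs the encapsulated IPv6 header to be parsed ("embedded in the IPv4 payload", 2001::/32). The 2002::/16 prefix and UDP port 3544 are taken from RFC 3056 and RFC 4380 rather than from the messages; every packet, address and function name is constructed for illustration.

```python
import ipaddress
import struct

# From the thread: IPv4 Protocol 41, 192.88.99.0/24, 2001::/32.
# Assumed from RFC 3056 / RFC 4380: 2002::/16 (6to4) and UDP port 3544 (Teredo).
PROTO_41, PROTO_UDP, TEREDO_PORT = 41, 17, 3544
RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")
SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def parse_ipv4(pkt):
    """Return (protocol, source, first_fragment, payload) of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), frag_offset == 0, pkt[ihl:]


def inner_ipv6_addrs(data):
    """Source and destination of an IPv6 header at the start of data, else ()."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return ()
    return ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40])


def header_acl(pkt, relay_src=RELAY_ANYCAST):
    """Matches available to a classic ACL: outer IPv4 and UDP header fields."""
    proto, src, first, payload = parse_ipv4(pkt)
    hits = []
    if proto == PROTO_41:
        hits.append("proto-41")
    if src in relay_src:
        hits.append("relay-src")
    if proto == PROTO_UDP and first and len(payload) >= 8:
        if TEREDO_PORT in struct.unpack("!HH", payload[:4]):
            hits.append("udp-3544")
    return hits


def payload_inspection(pkt):
    """Matches that require parsing the encapsulated IPv6 header."""
    proto, _src, first, payload = parse_ipv4(pkt)
    if not first:
        return []  # later fragments do not carry the inner header
    if proto == PROTO_41:
        addrs, prefix, label = inner_ipv6_addrs(payload), SIXTOFOUR_PREFIX, "inner-2002::/16"
    elif proto == PROTO_UDP:
        # Plain Teredo case only: the IPv6 packet directly follows the UDP header.
        addrs, prefix, label = inner_ipv6_addrs(payload[8:]), TEREDO_PREFIX, "inner-2001::/32"
    else:
        return []
    return [label] if any(a in prefix for a in addrs) else []


def build_ipv4(proto, src, dst, payload):
    """Constructed test packet; the checksum is left at 0 and never verified."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src, dst):
    """Bare 40-byte IPv6 header (Next Header 59, no payload)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def build_udp(sport, dport, payload):
    """UDP header with a zero checksum, followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples; hosts use documentation address ranges.
SAMPLES = {
    "6to4 via relay": build_ipv4(
        41, "192.88.99.1", "192.0.2.10",
        build_ipv6("2001:db8::1", "2002:c000:20a::1")),
    "configured 6in4": build_ipv4(
        41, "198.51.100.7", "192.0.2.10",
        build_ipv6("2001:db8::1", "2001:db8::2")),
    "teredo": build_ipv4(
        17, "203.0.113.5", "192.0.2.10",
        build_udp(3544, 50000, build_ipv6("2001:0:cb00:7105::1", "2001:db8::1"))),
    "dns query": build_ipv4(
        17, "198.51.100.7", "192.0.2.53",
        build_udp(50000, 53, b"\x12\x34" + b"\x00" * 40)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} header={header_acl(pkt)} payload={payload_inspection(pkt)}")
```

Passing `relay_src=ipaddress.ip_network("192.88.99.1/32")` to `header_acl` shows the narrower of the two source matches asked about in the second review: a packet sourced from another address in 192.88.99.0/24 then matches on Protocol 41 only.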

From fgont@si6networks.com  Mon Aug 13 14:33:51 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E56B21F853B for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:33:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8LFLQMyAJpV for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:33:50 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 69ED421F8517 for <opsec@ietf.org>; Mon, 13 Aug 2012 14:33:50 -0700 (PDT)
Received: from [190.245.182.195] (helo=[192.168.1.128]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T12Ge-0005SQ-W8; Mon, 13 Aug 2012 23:33:46 +0200
Message-ID: <50297271.7030609@si6networks.com>
Date: Mon, 13 Aug 2012 18:32:33 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 21:33:51 -0000

Hi, Panos,

Thanks so much for your feedback! -- Please find my comments in-line...

On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is
> the ND-Shield worth mentioning for L2 attacks?

Yes. I should also check what they are doing at the SAVI WG, since
apparently they have standardized something along the lines of ND-Shield....


> - For 6to4, maybe it would be worth to mention
> http://tools.ietf.org/html/rfc3964

Good point. Will do!


> - In 6to4 subsection, a couple of protections state "(embedded in the
> IPv4 payload)". This is not our traditional ACL filtering. It
> requires equipment that can look and inspect the encapsulated packet,
> or match on specific fields of the packet payload, or actually
> understand 6 in 4 encapsulation in order to be able to filter. Maybe
> it would be worth to put a sentence to clarify that to prevent
> readers from thinking this is traditional ACL filtering.

Agreed. Will do.


> - For Teredo,
> would it be worth mentioning that blocking UDP packets with embedded
> IPv6 addresses 2001::/32 on a device that can
> match/"understand"/inspect Teredo encapsulation is another mitigation
> option (as in 6to4 "(embedded in the IPv4 payload)")?

Good point. Will do!


> - ISATAP
> section suggests that it can be blocked as described in Section 3.
> Can you add blocking " isatap.<domain>.com" in DNS A record as in
> Teredo?

Makes sense. Will do. -- BTW, one should also add that some systems
(Windows :-) ) not only try to resolve these names with DNS, but
sometimes they also try things such as LLMNR... which means that you may
have to filter at layer-2 if you want to prevent a local attacker from
enabling Teredo or ISATAP.



> - Section "3.  Security Implications of tunneling
> Mechanisms". Would it be worth to break up the tunneling mechanisms
> to Client and ISP? The protections would then be employed in tACL and
> iACLs (For example, blocking 6rd should be done on me iACL). This is
> not a technical correction, but rather a suggestion for the
> semantics. 

I don't have a strong opinion one way or another -- just wondering
whether making that differentiation would make things clearer, or not
(talk about whether people are used to that terminology).



> - Would it be worth to have a table in the end, as you had
> for the ICMP filtering I-D, that says "Teredo    	block this" "ISATAP
> block that" "6rd		block this" It would be a good summary table.

You mean a summary of the filtering rules (e.g., "block packets of type
X with ipproto Y, destined to UDP port X") or a summary of what
transition technologies you should probably block by default?

Thanks so much!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From pkampana@cisco.com  Mon Aug 13 14:36:01 2012
Return-Path: <pkampana@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB70621F84CD for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.513
X-Spam-Level: 
X-Spam-Status: No, score=-10.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8P7ToZduvBsw for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:36:01 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 13AA421F84B6 for <opsec@ietf.org>; Mon, 13 Aug 2012 14:36:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pkampana@cisco.com; l=3592; q=dns/txt; s=iport; t=1344893761; x=1346103361; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=6m3XFK/2tg+/xou6IL2Fe5vR3hUm5fC3w2ju4tKE8Iw=; b=dp2VijGBf6jo86oq0sUR/UKKdC5b+zgyJKj8wA0DTat44byM9ystw6Gr 4GfuAe52z/X0QCJsrKcCX+wSphNYy40kRxmH+4JQnt2qO1Z+RdNaQnEMs CHQbGclgFaA0o5tO0YMwn7oFSMzJ19LgHy5fcPHIx50zf3Zj0RgjBuRN4 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAPdxKVCtJXG8/2dsb2JhbABFugqBB4IgAQEBAwESASc/BQcEAgEIDgMEAQEBChQJBzIUCQgCBA4FCBqHZQYLmB2gX4sSGoU3YAOWX40WgWaCX4Ff
X-IronPort-AV: E=Sophos;i="4.77,762,1336348800"; d="scan'208";a="111167707"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-7.cisco.com with ESMTP; 13 Aug 2012 21:36:00 +0000
Received: from xhc-aln-x05.cisco.com (xhc-aln-x05.cisco.com [173.36.12.79]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id q7DLa0nI004416 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 13 Aug 2012 21:36:00 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.216]) by xhc-aln-x05.cisco.com ([173.36.12.79]) with mapi id 14.02.0298.004; Mon, 13 Aug 2012 16:36:00 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
Thread-Index: AQHNeZtWKAihI0nLXEGP+Jgg0GmpWpdYQ1Jg
Date: Mon, 13 Aug 2012 21:36:00 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A750512F6@xmb-rcd-x10.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com> <50297271.7030609@si6networks.com>
In-Reply-To: <50297271.7030609@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [64.102.89.107]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19108.004
x-tm-as-result: No--52.984300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 21:36:02 -0000

Thanks Fernando, agreed.

> You mean a summary of the filtering rules (e.g., "block packets of type X
> with ipproto Y, destined to UDP port X") or a summary of what transition
> technologies you should probably block by default?

I meant the former. Just a summary of what to block if you want to disable
each mechanism.

Panos



-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com]
Sent: Monday, August 13, 2012 5:33 PM
To: Panos Kampanakis (pkampana)
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review

Hi, Panos,

Thanks so much for your feedback! -- Please find my comments in-line...

On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is
> the ND-Shield worth mentioning for L2 attacks?

Yes. I should also check what they are doing at the SAVI WG, since
apparently they have standardized something along the lines of ND-Shield....


> - For 6to4, maybe it would be worth to mention
> http://tools.ietf.org/html/rfc3964

Good point. Will do!


> - In 6to4 subsection, a couple of protections state "(embedded in the
> IPv4 payload)". This is not our traditional ACL filtering. It requires
> equipment that can look and inspect the encapsulated packet, or match
> on specific fields of the packet payload, or actually understand 6 in
> 4 encapsulation in order to be able to filter. Maybe it would be worth
> to put a sentence to clarify that to prevent readers from thinking this
> is traditional ACL filtering.

Agreed. Will do.


> - For Teredo,
> would it be worth mentioning that blocking UDP packets with embedded
> IPv6 addresses 2001::/32 on a device that can
> match/"understand"/inspect Teredo encapsulation is another mitigation
> option (as in 6to4 "(embedded in the IPv4 payload)")?

Good point. Will do!


> - ISATAP
> section suggests that it can be blocked as described in Section 3.
> Can you add blocking " isatap.<domain>.com" in DNS A record as in
> Teredo?

Makes sense. Will do. -- BTW, one should also add that some systems
(Windows :-) ) not only try to resolve these names with DNS, but
sometimes they also try things such as LLMNR... which means that you may
have to filter at layer-2 if you want to prevent a local attacker from
enabling Teredo or ISATAP.



> - Section "3.  Security Implications of tunneling Mechanisms". Would
> it be worth to break up the tunneling mechanisms to Client and ISP?
> The protections would then be employed in tACL and iACLs (For example,
> blocking 6rd should be done on me iACL). This is not a technical
> correction, but rather a suggestion for the semantics.

I don't have a strong opinion one way or another -- just wondering
whether making that differentiation would make things clearer, or not
(talk about whether people are used to that terminology).



> - Would it be worth to have a table in the end, as you had
> for the ICMP filtering I-D, that says "Teredo    	block this" "ISATAP
> block that" "6rd		block this" It would be a good summary table.

You mean a summary of the filtering rules (e.g., "block packets of type
X with ipproto Y, destined to UDP port X") or a summary of what
transition technologies you should probably block by default?

Thanks so much!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From fgont@si6networks.com  Mon Aug 13 14:39:00 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D640E21F85F7 for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:39:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fdtXdgUBQZmP for <opsec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:39:00 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 5C06021F85F3 for <opsec@ietf.org>; Mon, 13 Aug 2012 14:39:00 -0700 (PDT)
Received: from [190.245.182.195] (helo=[192.168.1.128]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T12Lg-0005at-SI; Mon, 13 Aug 2012 23:38:57 +0200
Message-ID: <502973B9.7060304@si6networks.com>
Date: Mon, 13 Aug 2012 18:38:01 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com> <50297271.7030609@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A750512F6@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A750512F6@xmb-rcd-x10.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 21:39:00 -0000

On 08/13/2012 06:36 PM, Panos Kampanakis (pkampana) wrote:
> Thanks Fernando, agreed.
> 
>> You mean a summary of the filtering rules (e.g., "block packets of
>> type X with ipproto Y, destined to UDP port X") or a summary of
>> what transition technologies you should probably block by default?
> 
> I meant the former. Just a summary of what to block if you want to
> disable each mechanism.

Yep, makes sense. -- Will do!

Thanks so much!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From fgont@si6networks.com  Mon Aug 13 15:01:32 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D27A521F8697; Mon, 13 Aug 2012 15:01:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UGiPT1qIwqkW; Mon, 13 Aug 2012 15:01:32 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 277E721F8694; Mon, 13 Aug 2012 15:01:32 -0700 (PDT)
Received: from [190.245.182.195] (helo=[192.168.1.128]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T12hR-0006Fm-9y; Tue, 14 Aug 2012 00:01:26 +0200
Message-ID: <502978FB.2070303@si6networks.com>
Date: Mon, 13 Aug 2012 19:00:27 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@CenturyLink.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>, <50295C33.7070606@si6networks.com> <68EFACB32CF4464298EA2779B058889D0832E8D2@PDDCWMBXEX501.ctl.intranet>
In-Reply-To: <68EFACB32CF4464298EA2779B058889D0832E8D2@PDDCWMBXEX501.ctl.intranet>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 22:01:32 -0000

Hi, Donald,

Thanks so much for your feedback! -- Please find my comments in-line....

On 08/13/2012 05:57 PM, Smith, Donald wrote:
> In 3.1 Grammar nit this:
> As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>    could be easily blocked by filtering IPv4 that contain their Protocol
>    field set to 41.  This is the most effective way of filtering such
>    traffic.
> Should be this:
> As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>    could be easily blocked by filtering IPv4 that has the Protocol
>    field set to 41.  This is the most effective way of filtering such
>    traffic.

How about:

    As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
    could be easily blocked by filtering IPv4 packets that have their
    Protocol field set to 41.  This is the most effective way of
    filtering such traffic.

? :-)



> in 3.1 you state:
> Filter incoming IPv4 packets that have their Source Address set to
>       an address that belongs to the prefix 192.88.99.0/24.
>          It has been suggested that 6to4 relays send their packets with
>          their IPv4 Source Address set to 192.88.99.1.
> 
> So should the blocking recommendation be 192.88.99.0/24 or the .1/32?

Well, at least in theory, any of such addresses could be used for the
same purpose -- one could do the experiment of using, say, 192.168.99.40
and see if 6to4 still works.

That said, and in retrospect, I think that the filtering rules that
consider the Src/Dst Addr should be collapsed with those mentioned as
"Apply these rules if you want to filter 6to4 while still allowing other
ip-proto 41 tunnels" (specified later in the same section). After all,
if you don't have the requirement of filtering 6to4 while allowing other
ip-proto 41 tunnels, you'd simply filter 6to4 based on the ip-proto
value, without even examining the IPv4 Src/Dst addresses.

Thoughts?


> Other than that this looks pretty good.

Thanks so much!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
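
The filtering options weighed in this thread, as an added example that is not part of any message or of the draft: a classifier that contrasts matching on ip-proto 41 alone, on the outer 192.88.99.0/24 addresses, and on the IPv6 addresses embedded in the IPv4 or UDP payload. The function names, the 2002::/16 prefix, the Teredo header layout (taken from RFC 4380) and all sample packets are assumptions or constructed values, not content from the thread.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6_IN_IPV4 = 17, 41
RELAY_ANYCAST_V4 = ipaddress.ip_network("192.88.99.0/24")  # prefix quoted from Section 3.1
PREFIX_6TO4 = ipaddress.ip_network("2002::/16")            # 6to4 prefix, RFC 3056 (assumption)
PREFIX_TEREDO = ipaddress.ip_network("2001::/32")          # Teredo prefix named in the review


def parse_ipv4(packet):
    """Return (proto, src, dst, payload), or None if this is not a usable IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Only the first fragment carries the inner headers; later fragments expose no payload.
    payload = packet[ihl:] if frag_offset == 0 else b""
    return (packet[9], ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]), payload)


def inner_ipv6_addrs(data):
    """Return (src, dst) when data starts with an IPv6 header, else an empty tuple."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return ()
    return ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40])


def skip_teredo_indications(data):
    """Skip Teredo's optional authentication and origin indication headers (RFC 4380)."""
    if len(data) >= 4 and data[:2] == b"\x00\x01":   # authentication header
        data = data[4 + data[2] + data[3] + 9:]      # + client id, auth value, nonce, confirm
    if len(data) >= 8 and data[:2] == b"\x00\x00":   # origin indication
        data = data[8:]
    return data


def classify(packet):
    """Label a raw IPv4 packet: '6to4', 'ip-proto-41', 'teredo', 'other' or 'not-ipv4'."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return "not-ipv4"
    proto, src, dst, payload = parsed
    if proto == PROTO_IPV6_IN_IPV4:
        # Outer match is what a plain ACL can do; inner match needs payload inspection.
        outer = src in RELAY_ANYCAST_V4 or dst in RELAY_ANYCAST_V4
        inner = any(a in PREFIX_6TO4 for a in inner_ipv6_addrs(payload))
        return "6to4" if outer or inner else "ip-proto-41"
    if proto == PROTO_UDP and len(payload) >= 8:
        tunneled = skip_teredo_indications(payload[8:])  # 8 = UDP header length
        if any(a in PREFIX_TEREDO for a in inner_ipv6_addrs(tunneled)):
            return "teredo"
    return "other"


def should_drop(packet, allow_other_proto41):
    """Coarse policy drops all ip-proto 41; the fine one spares non-6to4 tunnels."""
    label = classify(packet)
    if label == "ip-proto-41":
        return not allow_other_proto41
    return label in ("6to4", "teredo")


# Constructed sample packets. Checksums are zero; the classifier does not verify them.
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def ipv6(src, dst):
    # Version 6, zero-length payload, Next Header 59 (no next header), hop limit 64.
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


HOST, PEER = "198.51.100.7", "203.0.113.9"           # documentation addresses
ORIGIN = b"\x00\x00" + bytes(6)                      # origin indication, fields zeroed
SAMPLES = {
    "relay_to_host": ipv4(41, "192.88.99.1", HOST, ipv6("2001:db8::1", "2002:c633:6407::1")),
    "host_to_host_6to4": ipv4(41, HOST, PEER, ipv6("2002:c633:6407::1", "2002:cb00:7109::1")),
    "configured_tunnel": ipv4(41, HOST, PEER, ipv6("2001:db8:a::1", "2001:db8:b::1")),
    "teredo": ipv4(17, HOST, PEER,
                   udp(50000, 3544, ORIGIN + ipv6("2001:0:cb00:7109::1", "2001:db8::1"))),
    "dns_like": ipv4(17, HOST, PEER, udp(50000, 53, b"\x12\x34" + bytes(10))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {classify(pkt):12} coarse_drop={should_drop(pkt, False)} "
              f"fine_drop={should_drop(pkt, True)}")
```

The host_to_host_6to4 sample is the case raised in the review: neither outer address is in 192.88.99.0/24, so only inspection of the embedded IPv6 header identifies it as 6to4.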




From Donald.Smith@CenturyLink.com  Mon Aug 13 15:17:05 2012
Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 668AB21F8697; Mon, 13 Aug 2012 15:17:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.112
X-Spam-Level: 
X-Spam-Status: No, score=-2.112 tagged_above=-999 required=5 tests=[AWL=-0.113, BAYES_00=-2.599, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sYwo6TYuC42Z; Mon, 13 Aug 2012 15:17:04 -0700 (PDT)
Received: from sudnp799.qwest.com (sudnp799.qwest.com [155.70.32.99]) by ietfa.amsl.com (Postfix) with ESMTP id 7CAE021F8698; Mon, 13 Aug 2012 15:17:04 -0700 (PDT)
Received: from lxdenvmpc030.qintra.com (lxdenvmpc030.qintra.com [10.1.51.30]) by sudnp799.qwest.com (8.14.4/8.14.4) with ESMTP id q7DMH1RL024435 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 13 Aug 2012 16:17:02 -0600 (MDT)
Received: from lxdenvmpc030.qintra.com (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id D08DB1E0058; Mon, 13 Aug 2012 16:16:56 -0600 (MDT)
Received: from sudnp796.qintra.com (unknown [151.119.91.93]) by lxdenvmpc030.qintra.com (Postfix) with ESMTP id B35651E0055; Mon, 13 Aug 2012 16:16:56 -0600 (MDT)
Received: from sudnp796.qintra.com (localhost [127.0.0.1]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id q7DMGu4J006080; Mon, 13 Aug 2012 16:16:56 -0600 (MDT)
Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.qintra.com [151.119.128.29]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id q7DMGuFX006074 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 13 Aug 2012 16:16:56 -0600 (MDT)
Received: from PDDCWMBXEX501.ctl.intranet ([fe80::409c:426a:5818:95bc]) by vddcwhubex502.ctl.intranet ([2002:9777:801d::9777:801d]) with mapi id 14.02.0283.003; Mon, 13 Aug 2012 16:16:56 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: AQHNeZ8zMd6inTyoKkejV+ZW0oHQ3JdYTImK
Date: Mon, 13 Aug 2012 22:16:54 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D0832E9C9@PDDCWMBXEX501.ctl.intranet>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>, <50295C33.7070606@si6networks.com> <68EFACB32CF4464298EA2779B058889D0832E8D2@PDDCWMBXEX501.ctl.intranet>, <502978FB.2070303@si6networks.com>
In-Reply-To: <502978FB.2070303@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [151.119.128.8]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 22:17:05 -0000

(coffee != sleep) & (!coffee == sleep)
 Donald.Smith@centurylink.com

________________________________________
From: Fernando Gont [fgont@si6networks.com]
Sent: Monday, August 13, 2012 4:00 PM
To: Smith, Donald
Cc: Eric Vyncke (evyncke); opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

>Hi, Donald,

>Thanks so much for your feedback! -- Please find my comments in-line....

>On 08/13/2012 05:57 PM, Smith, Donald wrote:
>> In 3.1 Grammar nit this:
>> As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>>    could be easily blocked by filtering IPv4 that contain their Protocol
>>    field set to 41.  This is the most effective way of filtering such
>>    traffic.
>> Should be this:
>> As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>>   could be easily blocked by filtering IPv4 that has the Protocol
>>  field set to 41.  This is the most effective way of filtering such
>>
>How about:
>
>    As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>  could be easily blocked by filtering IPv4 packets that have their
>  Protocol field set to 41.  This is the most effective way of
>    filtering such traffic.

>? :-)

Actually you use this in the 6to4 discussion.
6in4 tunnels can be blocked by blocking IPv4 packets with a Protocol
   field of 41.

That seems better as "their" is seen as possessive in English and tends to
"humanize" things not human :)

>> in 3.1 you state:
>> Filter incoming IPv4 packets that have their Source Address set to
>>       an address that belongs to the prefix 192.88.99.0/24.
>>          It has been suggested that 6to4 relays send their packets with
>>          their IPv4 Source Address set to 192.88.99.1.
>>
>> So should the blocking recommendation be 192.88.99.0/24 or the .1/32?

>Well, at least in theory, any of such addresses could be used for the
>same purpose -- one could do the experiment of using, say, 192.168.99.40
>and see if 6to4 still works.

>That said, and in retrospect, I think that the filtering rules that
>consider the Src/Dst Addr should be collapsed with those mentioned as
>"Apply these rules if you want to filter 6to4 while still allowing other
>ip-proto 41 tunnels" (specified later in the same section). After all,
>if you don't have the requirement of filtering 6to4 while allowing other
>ip-proto 41 tunnels, you'd simply filter 6to4 based on the ip-proto
>value, without even examining the IPv4 Src/Dst addresses.

>Thoughts?
I saw the other comments and this makes sense. I can revisit it once you have that done.
It is certainly easier to block based on the protocol field in most systems.



> Other than that this looks pretty good.

Thanks so much!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

From fgont@si6networks.com  Mon Aug 13 15:24:59 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A2F921F86F6; Mon, 13 Aug 2012 15:24:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e5In9nYyNBiR; Mon, 13 Aug 2012 15:24:59 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id D210221F86F2; Mon, 13 Aug 2012 15:24:58 -0700 (PDT)
Received: from [190.245.182.195] (helo=[192.168.1.128]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T1347-0007qv-2X; Tue, 14 Aug 2012 00:24:53 +0200
Message-ID: <50297E71.7070109@si6networks.com>
Date: Mon, 13 Aug 2012 19:23:45 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Smith, Donald" <Donald.Smith@CenturyLink.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C2DE3@xmb-aln-x02.cisco.com>, <50295C33.7070606@si6networks.com> <68EFACB32CF4464298EA2779B058889D0832E8D2@PDDCWMBXEX501.ctl.intranet>, <502978FB.2070303@si6networks.com> <68EFACB32CF4464298EA2779B058889D0832E9C9@PDDCWMBXEX501.ctl.intranet>
In-Reply-To: <68EFACB32CF4464298EA2779B058889D0832E9C9@PDDCWMBXEX501.ctl.intranet>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 22:24:59 -0000

On 08/13/2012 07:16 PM, Smith, Donald wrote:
[....]
>>> Should be this:
>>> As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>>>   could be easily blocked by filtering IPv4 that has the Protocol
>>>  field set to 41.  This is the most effective way of filtering such
>>>
>> How about:
>>
>>    As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
>>  could be easily blocked by filtering IPv4 packets that have their
>>  Protocol field set to 41.  This is the most effective way of
>>    filtering such traffic.
> 
>> ? :-)
> 
> Actually you use this in the 6to4 discussion.
> 6in4 tunnels can be blocked by blocking IPv4 packets with a Protocol
>    field of 41.
> 
> That seems better as "their" is seen as possessive in English and tends to "humanize" things not human :)

Oh, sorry... I missed that one -- must admit that I should now go back
to study a bit of English grammar, since I use this kind of
"construction" a lot...

Will fix this. :-)

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From evyncke@cisco.com  Tue Aug 14 01:42:50 2012
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E86E21F85F4; Tue, 14 Aug 2012 01:42:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.143
X-Spam-Level: 
X-Spam-Status: No, score=-10.143 tagged_above=-999 required=5 tests=[AWL=-0.145, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2E7zjEgcvTE; Tue, 14 Aug 2012 01:42:47 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 6635521F85FC; Tue, 14 Aug 2012 01:42:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=evyncke@cisco.com; l=23704; q=dns/txt; s=iport; t=1344933767; x=1346143367; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=3CbcGoBYiEPBX4HIjQIEuJ5N0OUtnyusKF6I8rBzGiI=; b=Dv1uSAQxmUbWsjsDzkvXAkzIYYFL/I849B4iJj6+eqWx+Vib0nqMaPZy s1jwdQkGlvxzmEIax0Chk9HvHuf7PwFSSnmqzE0qbXvdIN6aaYLTxa25K iZTxARJbRDqH0LepSqG2smJNSbmBGZVSDCR2rvGWqgVOfFONl/251/KvU M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFAP4OKlCtJV2c/2dsb2JhbAA6CoJKt0SBB4IgAQEBBBIBGkwQAgEIEQQBAQsWBwcyFAkIAQEEAQ0FCAwOh2uYJaEJiwUQhUFgA4gZm1yBZoJfgV8
X-IronPort-AV: E=Sophos;i="4.77,765,1336348800";  d="scan'208,217";a="111360488"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-3.cisco.com with ESMTP; 14 Aug 2012 08:42:44 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id q7E8ghlA004571 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 08:42:44 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 03:42:43 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgGSKfgw
Date: Tue, 14 Aug 2012 08:42:42 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.185.71]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.003
x-tm-as-result: No--57.735900-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_97EB7536A2B2C549846804BBF3FD47E10C3A2Axmbalnx02ciscocom_"
MIME-Version: 1.0
Cc: Fernando Gont <fgont@si6networks.com>
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 08:42:50 -0000

--_000_97EB7536A2B2C549846804BBF3FD47E10C3A2Axmbalnx02ciscocom_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Fernando and Gunter,

Sorry for belated comments... I agree with most comments from other
reviewers of course (esp Panos).  I have two classes of comments: generic
and details.

Let's start with generic:

-       It should not be a BCP but rather informational

-       I also wonder whether it is worth an IETF RFC because it is well
        known topics in the security area (as you probably know)

-       Missing point: awareness of IPV6 by CISO is the key problem, should
        also add that IPv6 is not dangerous per se, and enabling IPv6 in
        intranet is a good way to bypass all automatic tunnels

-       Intro / title should specify 'end-user network' (to avoid confusion
        for ISP)

-       IP flow (netflow), firewall log, DNS request log could also be
        monitored to detect tunnels establishments

-       Using NAPT (and not NAT as previously commented) usually blocks
        'magically' IP protocol 41 and most tunnels

-       If the security policy is to force all traffic through application
        proxies (done by all major organizations) then tunnels are not a
        threat

Let's continue with the details:

-       1.0 please avoid all discussion about NAPT being 'minimal/simple'
        security, the days of scanning are over and have been replaced by
        malware download/email propagated

-       2.0 congruent security policy indeed with the exception of RFC 4890
        (ICMPv6)

-       2.1 filtering the IPv6 ethertype is TOO dangerous (= could break
        too many things) to be recommended in an IETF document

-       3.1 should refer to the RFC

-       3.3 AFAIK there is no by default implementation of 6RD in generic
        OS and it requires either manual configuration or DHCPv4 option =>
        remove this section

-       3.5 leave ISATAP (automatic config through DNS) but specify that
        blocking 41 also blocks it

-       3.6 as noted, Teredo default port can be changed. The good
        recommendation anyway for enterprises is to block outbound UDP
        traffic (except some pin holes for DNS of course), even my employer
        network blocks them since 1997 ;-). Also, Microsoft implementation
        disables Teredo when personal firewall is disabled or when the host
        is in an Active Directory network

-       Other tunnels TSP (but also Sixxs, ...) all require explicit
        installation and configuration by end-users. They are no more a
        threat than any other covert channel (being IP over DNS or over
        ICMP or ...), I would remove this section

Hope this helps

-éric

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: Monday, 6 August 2012 10:43
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Dear all,

Can I request the WG members for 3 volunteers to read the draft
draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the
list?

This will help the OPSEC chairs to identify if the work is ready for WG
adoption or not. The work targets are within charter of the WG, and seems
to be interesting work for the community.

Questions we are looking answers for:


1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic inline with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_97EB7536A2B2C549846804BBF3FD47E10C3A2Axmbalnx02ciscocom_--

From fgont@si6networks.com  Tue Aug 14 05:03:22 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0108621F8678 for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 05:03:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCv11yrO-3jh for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 05:03:21 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 58B8021F8674 for <opsec@ietf.org>; Tue, 14 Aug 2012 05:03:21 -0700 (PDT)
Received: from [190.245.182.195] (helo=[192.168.1.128]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T1Fq8-0007tj-Qj; Tue, 14 Aug 2012 14:03:17 +0200
Message-ID: <502A3E54.1030102@si6networks.com>
Date: Tue, 14 Aug 2012 09:02:28 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 12:03:22 -0000

Hi, Panos,

While trying to address your feedback, I came up with additional
comments. Please do let me know what you think...

On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is
> the ND-Shield worth mentioning for L2 attacks?

I ended up referencing DHCPv6-Shield rather than ND-Shield, since the
goal here is to prevent attackers from enabling "global IPv6
connectivity" -- ND-Shield, on the other hand mitigates Neighbor Cache
spoofing attacks, which is not the subject of this section.


> - In 6to4 subsection, a couple of protections state "(embedded in the
> IPv4 payload)". This is not our traditional ACL filtering. It
> requires equipment that can look and inspect the encapsulated packet,
> or match on specific fields of the packet payload, or actually
> understand 6 in 4 encapsulation in order to be able to filter. Maybe
> it would be worth putting a sentence to clarify that to prevent
> readers from thinking this is traditional ACL filtering.

I've added a clarification about this. Additionally, I added a note
mentioning that an attacker might fragment its 6to4 packets into tiny
fragments such that the filtering device does not really have access to
the embedded IPv6 Addresses.



> - For Teredo, would it be worth mentioning that blocking UDP packets
> with embedded IPv6 addresses 2001::/32 on a device that can
> match/"understand"/inspect Teredo encapsulation is another mitigation
> option (as in 6to4 "(embedded in the IPv4 payload)")? 

The problem here is that, IIRC (and off the top of my head), no specific
UDP port numbers are used for the "data" packets, and hence you cannot
really tell to which UDP packets you should apply these filtering rules.

Does this make sense?

As a result, I have not yet added any text regarding filtering Teredo
packets based on the embedded IPv6 addresses. But please do let me know
if you feel otherwise.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
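
[Added example, not part of the message above and not code from the draft or
from anyone on this list.] The difference between matching on the embedded
IPv6 addresses and matching on the IPv4 Protocol field (41), including the
tiny-fragment case mentioned above, can be checked offline with constructed
packets. Function names, verdict strings and all sample addresses below are
assumptions made for this illustration; 2002::/16 is the 6to4 prefix.

```python
"""Constructed demo: two ways of filtering IPv6-in-IPv4 (Protocol 41)."""
import ipaddress
import struct

PROTO_41 = 41                                     # IPv6 encapsulated in IPv4
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix
IPV6_HEADER_LEN = 40                              # fixed IPv6 header size


def ipv4_packet(src, dst, proto, payload, frag_units=0, more_fragments=False):
    """Build a minimal IPv4 packet (no options, checksum left at 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_units & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def ipv6_packet(src, dst, payload=b""):
    """Build a minimal IPv6 packet (Next Header 59 = No Next Header)."""
    return struct.pack(
        "!IHBB16s16s", 6 << 28, len(payload), 59, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    ) + payload


def tiny_fragments(src, dst, inner, chunk=8):
    """Split an encapsulated packet into IPv4 fragments of `chunk` bytes.

    Used only to build test input for the filter; chunk must be a multiple
    of 8 because fragment offsets are counted in 8-byte units.
    """
    frags = []
    for off in range(0, len(inner), chunk):
        more = off + chunk < len(inner)
        frags.append(ipv4_packet(src, dst, PROTO_41, inner[off:off + chunk],
                                 off // 8, more))
    return frags


def classify(packet):
    """Say what a per-packet (stateless) filter can learn from one packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "not-ipv4"
    if packet[9] != PROTO_41:
        return "other-protocol"
    (flags_frag,) = struct.unpack("!H", packet[6:8])
    inner = packet[ihl:]
    # The embedded addresses sit at bytes 8..39 of the IPv6 header. A
    # non-first fragment, or a first fragment shorter than 40 bytes, does
    # not carry them, so an address match has nothing to look at.
    if flags_frag & 0x1FFF or len(inner) < IPV6_HEADER_LEN:
        return "proto41-uninspectable"
    if inner[0] >> 4 != 6:
        return "proto41-uninspectable"
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    if src in SIX_TO_FOUR or dst in SIX_TO_FOUR:
        return "proto41-6to4"
    return "proto41-other"        # e.g. configured 6in4 tunnel, ISATAP


def address_policy_drops(packet):
    """Policy A: drop only when an embedded 6to4 address is visible."""
    return classify(packet) == "proto41-6to4"


def protocol_policy_drops(packet):
    """Policy B: drop every IPv4 packet whose Protocol field is 41."""
    return classify(packet).startswith("proto41")


def demo():
    """Run both policies over constructed samples; return drop counts."""
    inner_6to4 = ipv6_packet("2002:c000:201::1", "2001:db8::1", b"\x00" * 8)
    inner_6in4 = ipv6_packet("2001:db8:1::1", "2001:db8:2::1", b"\x00" * 8)
    outer = ("192.0.2.1", "198.51.100.1")          # documentation addresses
    samples = {
        "whole 6to4": [ipv4_packet(*outer, PROTO_41, inner_6to4)],
        "fragmented 6to4": tiny_fragments(*outer, inner_6to4),
        "configured 6in4": [ipv4_packet(*outer, PROTO_41, inner_6in4)],
        "plain UDP": [ipv4_packet(*outer, 17, b"\x00" * 16)],
    }
    return {
        name: (sum(map(address_policy_drops, pkts)),
               sum(map(protocol_policy_drops, pkts)),
               len(pkts))
        for name, pkts in samples.items()
    }


if __name__ == "__main__":
    for name, (by_addr, by_proto, total) in demo().items():
        print(f"{name:16} address-match drops {by_addr}/{total}, "
              f"protocol-41 drops {by_proto}/{total}")
```

A device that reassembles fragments before filtering would see the embedded
addresses again; the per-packet view shown here is the case without
reassembly.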




From evyncke@cisco.com  Tue Aug 14 05:32:55 2012
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA6EE21F8682 for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 05:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.419
X-Spam-Level: 
X-Spam-Status: No, score=-10.419 tagged_above=-999 required=5 tests=[AWL=0.180, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUeln4i50TPH for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 05:32:55 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 041C821F86A7 for <opsec@ietf.org>; Tue, 14 Aug 2012 05:32:54 -0700 (PDT)
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-8.cisco.com with ESMTP; 14 Aug 2012 12:32:54 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id q7ECWsLF022640 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 12:32:54 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 07:32:54 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Fernando Gont <fgont@si6networks.com>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Thread-Topic: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
Thread-Index: AQHNehTRuV3KNKdQu0KndP1+5av25JdZPTFA
Date: Tue, 14 Aug 2012 12:32:53 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C4473@xmb-aln-x02.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com> <502A3E54.1030102@si6networks.com>
In-Reply-To: <502A3E54.1030102@si6networks.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.185.71]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.005
x-tm-as-result: No--54.392900-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 12:32:56 -0000

Regarding the filtering of Teredo 'data' packets, several IPS are
actually dropping all UDPv4 packets where 2001:0::/32 appears at the
right place with also another IPv6 address as well as the IPv6 version
indicator. So, this is one way to block Teredo.

But, the most efficient (often used unknowingly) is to use only
application proxies ;)

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
> Fernando Gont
> Sent: Tuesday 14 August 2012 14:02
> To: Panos Kampanakis (pkampana)
> Cc: opsec@ietf.org
> Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
> Review
>
> Hi, Panos,
>
> While trying to address your feedback, I came up with additional comments.
> Please do let me know what you think...
>
> On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> > - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is
> > the ND-Shield worth mentioning for L2 attacks?
>
> I ended up referencing DHCPv6-Shield rather than ND-Shield, since the goal
> here is to prevent attackers from enabling "global IPv6 connectivity" --
> ND-Shield, on the other hand, mitigates Neighbor Cache spoofing attacks,
> which is not the subject of this section.
>
>
> > - In 6to4 subsection, a couple of protections state "(embedded in the
> > IPv4 payload)". This is not our traditional ACL filtering. It requires
> > equipment that can look and inspect the encapsulated packet, or match
> > on specific fields of the packet payload, or actually understand 6 in
> > 4 encapsulation in order to be able to filter. Maybe it would be worth
> > putting a sentence to clarify that to prevent readers from thinking this
> > is traditional ACL filtering.
>
> I've added a clarification about this. Additionally, I added a note
> mentioning that an attacker might fragment its 6to4 packets into tiny
> fragments such that the filtering device does not really have access to
> the embedded IPv6 Addresses.
>
>
>
> > - For Teredo, would it be worth mentioning that blocking UDP packets
> > with embedded IPv6 addresses 2001::/32 on a device that can
> > match/"understand"/inspect Teredo encapsulation is another mitigation
> > option (as in 6to4 "(embedded in the IPv4 payload)")?
>
> The problem here is that, IIRC (and off the top of my head), no specific
> UDP port numbers are used for the "data" packets, and hence you cannot
> really tell to which UDP packets you should apply these filtering rules.
>
> Does this make sense?
>
> As a result, I have not yet added any text regarding filtering Teredo
> packets based on the embedded IPv6 addresses. But please do let me know
> if you feel otherwise.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

From pkampana@cisco.com  Tue Aug 14 06:16:40 2012
Return-Path: <pkampana@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD73021F86D8 for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 06:16:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.524
X-Spam-Level: 
X-Spam-Status: No, score=-10.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4pZ+0h0R6Ne for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 06:16:38 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id D4E6621F86BD for <opsec@ietf.org>; Tue, 14 Aug 2012 06:16:38 -0700 (PDT)
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-3.cisco.com with ESMTP; 14 Aug 2012 13:16:38 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id q7EDGcFj021825 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 13:16:38 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.216]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 08:16:38 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
Thread-Index: AQHNehTOs9TmPTqGR0GvKCKzqIghaZdZR+Rg
Date: Tue, 14 Aug 2012 13:16:37 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A75051723@xmb-rcd-x10.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com> <502A3E54.1030102@si6networks.com>
In-Reply-To: <502A3E54.1030102@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [64.102.89.107]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.005
x-tm-as-result: No--43.880200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 13:16:40 -0000

Thanks Fernando.

> I ended up referencing DHCPv6-Shield rather than ND-Shield, since the goal
> here is to prevent attackers from enabling "global IPv6 connectivity" --
> ND-Shield, on the other hand, mitigates Neighbor Cache spoofing attacks,
> which is not the subject of this section.

Agreed.


For Teredo, as also Eric Vyncke pointed out, I was thinking IPS or Pattern
type matching in UDP payloads. Or even proxies that can understand and
inspect the Teredo communication. These are not the traditional ACL
filtering of course.

Rgs,
Panos




-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com]
Sent: Tuesday, August 14, 2012 8:02 AM
To: Panos Kampanakis (pkampana)
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Review

Hi, Panos,

While trying to address your feedback, I came up with additional comments.
Please do let me know what you think...

On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is
> the ND-Shield worth mentioning for L2 attacks?

I ended up referencing DHCPv6-Shield rather than ND-Shield, since the goal
here is to prevent attackers from enabling "global IPv6 connectivity" --
ND-Shield, on the other hand, mitigates Neighbor Cache spoofing attacks,
which is not the subject of this section.


> - In 6to4 subsection, a couple of protections state "(embedded in the
> IPv4 payload)". This is not our traditional ACL filtering. It requires
> equipment that can look and inspect the encapsulated packet, or match
> on specific fields of the packet payload, or actually understand 6 in
> 4 encapsulation in order to be able to filter. Maybe it would be worth
> putting a sentence to clarify that to prevent readers from thinking this
> is traditional ACL filtering.

I've added a clarification about this. Additionally, I added a note
mentioning that an attacker might fragment its 6to4 packets into tiny
fragments such that the filtering device does not really have access to
the embedded IPv6 Addresses.



> - For Teredo, would it be worth mentioning that blocking UDP packets
> with embedded IPv6 addresses 2001::/32 on a device that can
> match/"understand"/inspect Teredo encapsulation is another mitigation
> option (as in 6to4 "(embedded in the IPv4 payload)")?

The problem here is that, IIRC (and off the top of my head), no specific
UDP port numbers are used for the "data" packets, and hence you cannot
really tell to which UDP packets you should apply these filtering rules.

Does this make sense?

As a result, I have not yet added any text regarding filtering Teredo
packets based on the embedded IPv6 addresses. But please do let me know
if you feel otherwise.

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
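
The payload match that Eric Vyncke and Panos Kampanakis describe in the two
messages above, as an added example that is not part of the thread and not any
vendor's IPS logic: every UDPv4 payload is inspected regardless of port, since
the thread notes that no specific port identifies Teredo "data" packets. It
goes slightly beyond the thread by also skipping Teredo's optional
authentication and origin-indication headers (RFC 4380); the exact-length
check, the function names and the sample datagrams are assumptions of this
example, and the datagrams are constructed.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # i.e. 2001:0000::/32
IPV6_HEADER_LEN = 40


def strip_teredo_indicators(payload: bytes) -> bytes:
    """Skip the optional Teredo headers that may precede the IPv6 packet (RFC 4380)."""
    # Authentication: 0x00 0x01, ID-len, AU-len, client id, auth value,
    # 8-byte nonce, 1-byte confirmation.
    if len(payload) >= 4 and payload[:2] == b"\x00\x01":
        payload = payload[4 + payload[2] + payload[3] + 9:]
    # Origin indication: 0x00 0x00, obfuscated port (2), obfuscated IPv4 (4).
    if len(payload) >= 8 and payload[:2] == b"\x00\x00":
        payload = payload[8:]
    return payload


def classify_udp_payload(payload: bytes) -> str:
    """Return 'teredo', 'truncated' or 'other' for one UDPv4 payload."""
    inner = strip_teredo_indicators(payload)
    if not inner or inner[0] >> 4 != 6:           # IPv6 version indicator
        return "other"
    if len(inner) < IPV6_HEADER_LEN:
        # Addresses are not visible, e.g. only a tiny first fragment was seen;
        # the filter cannot decide and should reassemble or apply policy.
        return "truncated"
    (payload_len,) = struct.unpack("!H", inner[4:6])
    if IPV6_HEADER_LEN + payload_len != len(inner):
        return "other"                            # assumption: exact length match
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    if src in TEREDO_PREFIX or dst in TEREDO_PREFIX:
        return "teredo"
    return "other"


def scan(datagrams):
    """Classify (src_port, dst_port, payload) tuples; ports are reported, never used to select."""
    return [(sport, dport, classify_udp_payload(p)) for sport, dport, p in datagrams]


def build_ipv6(src: str, dst: str, data: bytes, next_header: int = 58) -> bytes:
    """Build a minimal IPv6 packet for the constructed samples below."""
    header = struct.pack("!IHBB", 6 << 28, len(data), next_header, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + data)


# Constructed sample data (documentation addresses, not captured traffic).
TEREDO_ADDR = "2001:0:c000:201:0:f227:3fff:fdfd"  # server 192.0.2.1, client 192.0.2.2:3544
DATA_PKT = build_ipv6(TEREDO_ADDR, "2001:db8::1", b"\x80\x00\x00\x00\x00\x01\x00\x01")
ORIGIN_IND = b"\x00\x00\xf2\x27\x3f\xff\xfd\xfd"
AUTH_HDR = b"\x00\x01\x00\x00" + bytes(8) + b"\x00"
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01" + bytes(6)
             + b"\x03www\x07example\x03com\x00\x00\x1c\x00\x01")
SAMPLES = [
    (50123, 40001, DATA_PKT),                            # data packet, arbitrary ports
    (3544, 50123, AUTH_HDR + ORIGIN_IND + DATA_PKT),     # with both optional headers
    (50200, 53, DNS_QUERY),                              # ordinary UDP traffic
    (50300, 40002, build_ipv6("2001:db8::1", "2001:db8::2", b"x" * 8)),  # IPv6, not Teredo
    (50123, 40001, DATA_PKT[:20]),                       # header cut short
]

if __name__ == "__main__":
    for sport, dport, verdict in scan(SAMPLES):
        print(f"udp {sport} -> {dport}: {verdict}")
```

The "truncated" verdict is the same visibility limit Fernando's note raises for
tiny 6to4 fragments: a device that has not reassembled the datagram cannot see
the embedded addresses.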




From Donald.Smith@CenturyLink.com  Tue Aug 14 08:54:04 2012
Return-Path: <Donald.Smith@CenturyLink.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72A3621F8644; Tue, 14 Aug 2012 08:54:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level: 
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[AWL=-0.105, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkGzOOoH2uGX; Tue, 14 Aug 2012 08:54:02 -0700 (PDT)
Received: from sudnp799.qwest.com (sudnp799.qwest.com [155.70.32.99]) by ietfa.amsl.com (Postfix) with ESMTP id 3B9E321F85AC; Tue, 14 Aug 2012 08:54:00 -0700 (PDT)
Received: from lxdenvmpc030.qintra.com (lxdenvmpc030.qintra.com [10.1.51.30]) by sudnp799.qwest.com (8.14.4/8.14.4) with ESMTP id q7EFruan021184 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 14 Aug 2012 09:53:57 -0600 (MDT)
Received: from lxdenvmpc030.qintra.com (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id 389C91E00C7; Tue, 14 Aug 2012 09:53:47 -0600 (MDT)
Received: from suomp60i.qintra.com (unknown [151.119.91.93]) by lxdenvmpc030.qintra.com (Postfix) with ESMTP id 0F9BF1E00CC; Tue, 14 Aug 2012 09:53:47 -0600 (MDT)
Received: from suomp60i.qintra.com (localhost [127.0.0.1]) by suomp60i.qintra.com (8.14.4/8.14.4) with ESMTP id q7EFqZNm002689; Tue, 14 Aug 2012 10:52:35 -0500 (CDT)
Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.qintra.com [151.119.128.29]) by suomp60i.qintra.com (8.14.4/8.14.4) with ESMTP id q7EFqYGW002675 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 10:52:35 -0500 (CDT)
Received: from PDDCWMBXEX501.ctl.intranet ([fe80::409c:426a:5818:95bc]) by vddcwhubex502.ctl.intranet ([2002:9777:801d::9777:801d]) with mapi id 14.02.0283.003; Tue, 14 Aug 2012 09:52:34 -0600
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
Thread-Topic: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac1zrndn+rK+MesNRpua2q1lf71ApgGSKfgwAA3PG14=
Date: Tue, 14 Aug 2012 15:52:34 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D08330DD7@PDDCWMBXEX501.ctl.intranet>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com>, <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [151.119.128.8]
Content-Type: multipart/alternative; boundary="_000_68EFACB32CF4464298EA2779B058889D08330DD7PDDCWMBXEX501ct_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: Fernando Gont <fgont@si6networks.com>
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 15:54:04 -0000

--_000_68EFACB32CF4464298EA2779B058889D08330DD7PDDCWMBXEX501ct_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable





(coffee != sleep) & (!coffee == sleep)
 Donald.Smith@centurylink.com<mailto:Donald.Smith@centurylink.com>
________________________________
From: opsec-bounces@ietf.org [opsec-bounces@ietf.org] on behalf of Eric
Vyncke (evyncke) [evyncke@cisco.com]
Sent: Tuesday, August 14, 2012 2:42 AM
To: Gunter Van de Velde (gvandeve); opsec@ietf.org; v6ops v6ops WG
(v6ops@ietf.org)
Cc: Fernando Gont
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft:
draft-gont-opsec-ipv6-implications-on-ipv4-nets

>       Fernando and Gunter,
>
>       Sorry for belated comments... I agree with most comments from other
>       reviewers of course (esp Panos).  I have two classes of comments:
>       generic and details.
>
>       Let’s start with generic:
>       -       It should not be a BCP but rather informational
I support as informational.

>       -       I also wonder whether it is worth an IETF RFC because it is
>               well known topics in the security area (as you probably know)
I think it helps to spell things like this out. So I believe it is worthy
of being an IETF RFC.

>       -       Missing point: awareness of IPV6 by CISO is the key problem,
>               should also add that IPv6 is not dangerous per se, and
>               enabling IPv6 in intranet is a good way to bypass all
>               automatic tunnels
Enabling IPv6 in the intranet doesn't stop the tunnels. That is, the
systems that support tunnels can for the most part still do the tunneling
even with IPv6 enabled.


>       -       Intro / title should specify ‘end-user network’ (to avoid
>               confusion for ISP)
>       -       IP flow (netflow), firewall log, DNS request log could also
>               be monitored to detect tunnels establishments
>       -       Using NAPT (and not NAT as previously commented) usually
>               blocks ‘magically’ IP protocol 41 and most tunnels
>       -       If the security policy is to force all traffic through
>               application proxies (done by all major organizations) then
>               tunnels are not a threat
I don't know many major organizations that force ALL TRAFFIC through
application proxies. Most have various proxies and force http and some
other well known protocols through their proxies but nearly every network
I have ever seen had various pinholes for non-proxied traffic.

>
>       Let’s continue with the details:
>       -       1.0 please avoid all discussion about NAPT being
>               ‘minimal/simple’ security, the days of scanning are over and
>               have been replaced by malware download/email propagated
Conficker is still one of the largest infections out there. It spread
primarily via scanning for open ports. Check netflow today and 445 is still
the most commonly seen port in darknets and honey pots.
So scanning hasn't gone away. It is still very common. I would agree other
methods have been adopted by some but "scan and sploit" worms continue to
flourish.
Take a look at public sites such as atlas.
http://atlas.arbor.net/

2nd most popular port is 445. 4th is 139 also attributable to worms
(conficker included).

It also shows outbound teredo in the top attacks:)


>       -       2.0 congruent security policy indeed with the exception of
>               RFC 4890 (ICMPv6)
>       -       2.1 filtering the IPv6 ethertype is TOO dangerous (= could
>               break too many things) to be recommended in an IETF document
>       -       3.1 should refer to the RFC
>       -       3.3 AFAIK there is no by default implementation of 6RD in
>               generic OS and it requires either manual configuration or
>               DHCPv4 option => remove this section
>       -       3.5 leave ISATAP (automatic config through DNS) but specify
>               that blocking 41 also blocks it
>       -       3.6 as noted, Teredo default port can be changed. The good
>               recommendation anyway for enterprises is to block outbound
>               UDP traffic (except some pin holes for DNS of course), even
>               my employer network blocks them since 1997 ;-). Also,
>               Microsoft implementation disables Teredo when personal
>               firewall is disabled or when the host is in an Active
>               Directory network
>       -       Other tunnels TSP (but also Sixxs, ...) all require explicit
>               installation and configuration by end-users. They are no more
>               a threat than any other covert channel (being IP over DNS or
>               over ICMP or ...), I would remove this section
>
>       Hope this helps
>

From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
Gunter Van de Velde (gvandeve)
Sent: Monday 6 August 2012 10:43
To: opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
Subject: [OPSEC] 3 Volunteers wanted - Draft:
draft-gont-opsec-ipv6-implications-on-ipv4-nets

Dear all,

Can I request the WG members for 3 volunteers to read the draft
draft-gont-opsec-ipv6-implications-on-ipv4-nets and provide feedback to the
list?

This will help the OPSEC chairs to identify if the work is ready for WG
adoption or not. The work targets are within charter of the WG, and seems
to be interesting work for the community.

Questions we are looking for answers to:


1)      Should it be targeted BCP or Informational?

2)      Is the work quality ok to be accepted as WG document?

3)      Is the topic in line with the OPSEC charter?

4)      Any missing or over-described points?

Many thanks in advance,

Kind Regards,
OPSEC Chairs,
(G/, KK, Warren)

--_000_68EFACB32CF4464298EA2779B058889D08330DD7PDDCWMBXEX501ct_
Content-Type: text/html; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

<html dir=3D"ltr">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
</head>
<body lang=3D"FR" vlink=3D"purple" link=3D"blue" fPStyle=3D"1" ocsi=3D"0">
<div style=3D"direction: ltr;font-family: Tahoma;color: #000000;font-size: =
10pt;">
<p>&nbsp;</p>
<div>
<p>&nbsp;</p>
<div style=3D"FONT-FAMILY: Tahoma; FONT-SIZE: 13px">
<div><font size=3D"2">(coffee !=3D sleep) &amp; (!coffee =3D=3D sleep)<br>
&nbsp;<a href=3D"mailto:Donald.Smith@centurylink.com">Donald.Smith@centuryl=
ink.com</a><a></a></font></div>
</div>
</div>
<div style=3D"FONT-FAMILY: Times New Roman; COLOR: #000000; FONT-SIZE: 16px=
">
<hr tabindex=3D"-1">
<div style=3D"DIRECTION: ltr" id=3D"divRpF863482"><font color=3D"#000000" s=
ize=3D"2" face=3D"Tahoma"><b>From:</b> opsec-bounces@ietf.org [opsec-bounce=
s@ietf.org] on behalf of Eric Vyncke (evyncke) [evyncke@cisco.com]<br>
<b>Sent:</b> Tuesday, August 14, 2012 2:42 AM<br>
<b>To:</b> Gunter Van de Velde (gvandeve); opsec@ietf.org; v6ops v6ops WG (=
v6ops@ietf.org)<br>
<b>Cc:</b> Fernando Gont<br>
<b>Subject:</b> Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-i=
pv6-implications-on-ipv4-nets<br>
</font><br>
</div>
<div></div>
<div>
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"FONT-FAMILY: 'Comic Sans MS'; COLOR: =
#1f497d; FONT-SIZE: 10pt">&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Fernando=
 and Gunter,<br>
&gt;<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sorry for belated comments... I ag=
ree with most comments from other reviewers of course (esp Panos).&nbsp; I =
have two classes of comments: generic and details.<br>
&gt;<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Let=92s start with generic:<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; It should not be a BCP but rather informational</span></p>
<p class=3D"MsoNormal"><span style=3D"FONT-FAMILY: 'Comic Sans MS'; COLOR: =
#1f497d; FONT-SIZE: 10pt">I support as informational.</span></p>
<span style=3D"FONT-FAMILY: 'Comic Sans MS'; COLOR: #1f497d; FONT-SIZE: 10p=
t">
<p class=3D"MsoNormal"><br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; I also wonder whether it is worth an IETF RFC because it is well known =
topics in the security area (as you probably know)</p>
<p class=3D"MsoNormal"><font size=3D"2" face=3D"Comic Sans MS">I think it h=
elps to spell things like this out. So believe it is worthy of being an IET=
F RFC.</font></p>
<font size=3D"2" face=3D"Comic Sans MS"></font>
<p class=3D"MsoNormal"><br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; Missing point: awareness of IPV6 by CISO is the key problem, should als=
o add that IPv6 is not dangerous per se, and enabling IPv6 in intranet is a=
 good way to bypass all automatic tunnels</p>
<p class=3D"MsoNormal">Enabling IPv6 in the intranet doesn't stop the tunne=
ls. That is the systems that support tunnels can for the most part still do=
 the tunneling even with IPv6 enabled.</p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal"><br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; Intro / title should specify =91end-user network=92 (to avoid confusion=
 for ISP)<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; IP flow (netflow), firewall log, DNS request log could also be monitore=
d to detect tunnels establishments<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; Using NAPT (and not NAT as previously commented) usually blocks =91magi=
cally=92 IP protocol 41 and most tunnels<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; If the security policy is to force all traffic through application prox=
ies (done by all major organizations) then tunnels are not a threat</p>
<p class=3D"MsoNormal">I don't know many major organization that forces ALL=
 TRAFFIC through application proxies. Most have various proxies and force h=
ttp and some other well known protocols through their proxies but nearly ev=
ery network I have ever seen had various
 pinholes for non-proxied traffic.</p>
<p class=3D"MsoNormal"><br>
&gt;<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Let=92s continue with the details:=
<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 1.0 please avoid all discussion about NAPT being =91minimal/simple=92 s=
ecurity, the days of scanning are over and have been replaced by malware do=
wnload/email propagated</p>
<p class=3D"MsoNormal">Conficker is still one of the largest infections out=
 there. It spread primarily via scanning for open ports. Check netflow toda=
y and 445 is still the most commonly seen ports in darknets and honey pots.=
.</p>
<p class=3D"MsoNormal">So scanning hasn't gone away. It is still very commo=
n. I would agree other methods have been adopted by some but &quot;scan and=
 spolit&quot; worms continue to florish.</p>
<p class=3D"MsoNormal">Take a look a public sites such as atlas.</p>
<p class=3D"MsoNormal"><a href=3D"http://atlas.arbor.net/">http://atlas.arb=
or.net/</a></p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal">2nd most popular port is 445. 4th is 139 also attrib=
utable to worms (conficker included).</p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal">It also shows outbound teredo in the top attacks:)</=
p>
<p class=3D"MsoNormal">&nbsp;</p>
<p class=3D"MsoNormal"><br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 2.0 congruent security policy indeed with the exception of RFC 4890 (IC=
MPv6)<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 2.1 filtering the IPv6 ethertype is TOO dangerous (=3D could break too =
many things) to be recommended in an IETF document<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 3.1 should refer to the RFC<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 3.3 AFAIK there is no by default implementation of 6RD in generic OS an=
d it requires either manual configuration or DHCPv4 option =3D&gt; remove t=
his section<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 3.5 leave ISATAP (automatic config through DNS) but specify that blocki=
ng 41 also blocks it<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; 3.6 as noted, Teredo default port can be changed. The good recommendati=
on anyway for enterprises is to block outbound UDP traffic (except some pin=
 holes for DNS of course), even my employer network blocks them since 1997 =
;-). Also, Microsoft
 implementation disables Teredo when personal firewall is disabled or when =
the host is in an Active Directory network<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; Other tunnels TSP (but also Sixxs, ...) all require explicit installati=
on and configuration by end-users. They are no more a thread than any other=
 covert channel (being IP over DNS or over ICMP or ...), I would remove thi=
s section<br>
&gt;<br>
&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Hope this helps<br>
&gt;<br>
</p>
</span>
<p class=3D"MsoNormal"><span style=3D"FONT-FAMILY: 'Comic Sans MS'; COLOR: =
#1f497d; FONT-SIZE: 10pt" lang=3D"EN-US"></span>&nbsp;</p>
<div style=3D"BORDER-BOTTOM: medium none; BORDER-LEFT: blue 1.5pt solid; PA=
DDING-BOTTOM: 0cm; PADDING-LEFT: 4pt; PADDING-RIGHT: 0cm; BORDER-TOP: mediu=
m none; BORDER-RIGHT: medium none; PADDING-TOP: 0cm">
<div>
<div style=3D"BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING=
-BOTTOM: 0cm; PADDING-LEFT: 0cm; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1p=
t solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<p class=3D"MsoNormal"><b><span style=3D"FONT-FAMILY: 'Tahoma','sans-serif'=
; FONT-SIZE: 10pt" lang=3D"EN-US">From:</span></b><span style=3D"FONT-FAMIL=
Y: 'Tahoma','sans-serif'; FONT-SIZE: 10pt" lang=3D"EN-US"> opsec-bounces@ie=
tf.org [mailto:opsec-bounces@ietf.org]
<b>On Behalf Of </b>Gunter Van de Velde (gvandeve)<br>
<b>Sent:</b> lundi 6 ao=FBt 2012 10:43<br>
<b>To:</b> opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)<br>
<b>Subject:</b> [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-=
implications-on-ipv4-nets</span></p>
</div>
</div>
<p class=3D"MsoNormal"><span lang=3D"EN-US"></span>&nbsp;</p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">Dear all,</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB"></span>&nbsp;</p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">Can I request the WG members fo=
r 3 volunteers to read the draft draft-gont-opsec-ipv6-implications-on-ipv4=
-nets and provide feedback to the list?</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB"></span>&nbsp;</p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">This will help the OPSEC chairs=
 to identify if the work is ready for WG adoption or not. The work targets =
are within charter of the WG, and seems to be interesting work for the comm=
unity.</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB"></span>&nbsp;</p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">Questions we are looking answer=
s for:</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB"></span>&nbsp;</p>
<p style=3D"TEXT-INDENT: -18pt" class=3D"MsoListParagraph"><span lang=3D"EN=
-GB"><span>1)<span style=3D"FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;
</span></span></span><span lang=3D"EN-GB">Should it be targeted BCP or Info=
rmational?</span></p>
<p style=3D"TEXT-INDENT: -18pt" class=3D"MsoListParagraph"><span lang=3D"EN=
-GB"><span>2)<span style=3D"FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;
</span></span></span><span lang=3D"EN-GB">Is the work quality ok to be acce=
pted as WG document?</span></p>
<p style=3D"TEXT-INDENT: -18pt" class=3D"MsoListParagraph"><span lang=3D"EN=
-GB"><span>3)<span style=3D"FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;
</span></span></span><span lang=3D"EN-GB">Is the topic inline with the OPSE=
C charter?</span></p>
<p style=3D"TEXT-INDENT: -18pt" class=3D"MsoListParagraph"><span lang=3D"EN=
-GB"><span>4)<span style=3D"FONT: 7pt 'Times New Roman'">&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;
</span></span></span><span lang=3D"EN-GB">Any missing or over-described poi=
nts?</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB"></span>&nbsp;</p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">Many thanks in advance,</span><=
/p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB"></span>&nbsp;</p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">Kind Regards,</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">OPSEC Chairs,</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-GB">(G/, KK, Warren)</span></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

--_000_68EFACB32CF4464298EA2779B058889D08330DD7PDDCWMBXEX501ct_--

From lee@asgard.org  Tue Aug 14 11:58:41 2012
Return-Path: <lee@asgard.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B89F21F8569 for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 11:58:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.454
X-Spam-Level: 
X-Spam-Status: No, score=-0.454 tagged_above=-999 required=5 tests=[AWL=0.055,  BAYES_05=-1.11, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yzgPp2uaUFlr for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 11:58:40 -0700 (PDT)
Received: from omr4.networksolutionsemail.com (omr4.networksolutionsemail.com [205.178.146.54]) by ietfa.amsl.com (Postfix) with ESMTP id 3D2EB21F8794 for <opsec@ietf.org>; Tue, 14 Aug 2012 11:58:39 -0700 (PDT)
Received: from cm-omr7 (mail.networksolutionsemail.com [205.178.146.50]) by omr4.networksolutionsemail.com (8.14.4/8.14.4) with ESMTP id q7EIwcxV028910 for <opsec@ietf.org>; Tue, 14 Aug 2012 14:58:38 -0400
Authentication-Results: cm-omr7 smtp.user=lee@asgard.org; auth=pass (LOGIN)
X-Authenticated-UID: lee@asgard.org
Received: from [204.235.115.163] ([204.235.115.163:34569] helo=HDC00042402) by cm-omr7 (envelope-from <lee@asgard.org>) (ecelerity 2.2.2.41 r(31179/31189)) with ESMTPA id CE/32-21064-EDF9A205; Tue, 14 Aug 2012 14:58:38 -0400
From: "Lee Howard" <lee@asgard.org>
To: "'Eric Vyncke \(evyncke\)'" <evyncke@cisco.com>, "'Gunter Van de Velde \(gvandeve\)'" <gvandeve@cisco.com>, <opsec@ietf.org>, "'v6ops v6ops WG'" <v6ops@ietf.org>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
Date: Tue, 14 Aug 2012 14:58:37 -0400
Message-ID: <001f01cd7a4e$d05c7390$71155ab0$@asgard.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0020_01CD7A2D.494D4490"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGGlPLakFxZCTrqhE95LHJwbjJ3AQK/mXl8l9F08BA=
Content-Language: en-us
X-Mailman-Approved-At: Tue, 14 Aug 2012 12:18:29 -0700
Cc: 'Fernando Gont' <fgont@si6networks.com>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 18:58:41 -0000

This is a multipart message in MIME format.

------=_NextPart_000_0020_01CD7A2D.494D4490
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

 

 

From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf Of
Eric Vyncke (evyncke)
Sent: Tuesday, August 14, 2012 4:43 AM
To: Gunter Van de Velde (gvandeve); opsec@ietf.org; v6ops v6ops WG
(v6ops@ietf.org)
Cc: Fernando Gont
Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft:
draft-gont-opsec-ipv6-implications-on-ipv4-nets

 

-       1.0 please avoid all discussion about NAPT being 'minimal/simple'
security, the days of scanning are over and have been replaced by malware
download/email propagated

 

 

This is demonstrably false, and I can send you logs of scanning attempts
foiled by NAPT.  NAT is crap security, but it's not zero security.  

 

Lee


------=_NextPart_000_0020_01CD7A2D.494D4490--


From cpignata@cisco.com  Tue Aug 14 14:08:59 2012
Return-Path: <cpignata@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BA3721F8630; Tue, 14 Aug 2012 14:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.465
X-Spam-Level: 
X-Spam-Status: No, score=-110.465 tagged_above=-999 required=5 tests=[AWL=-0.467, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZTgI5zy2-+i; Tue, 14 Aug 2012 14:08:58 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 398E221F861E; Tue, 14 Aug 2012 14:08:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=cpignata@cisco.com; l=8395; q=dns/txt; s=iport; t=1344978538; x=1346188138; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=4XoNrR/vSmcCOEsvQbCFpWgLcOcYiz0Rh2MW9xu+aJ4=; b=C6ZwB61KVoTNFcc5emGlA2LewbWjB9wla/zOTj/Xy57/CqLubRCDFwXk 7+Kh6zYYRMNHZcL+ssqmQt9jEJnTBYKgkxHBQEudL+hlzd1ZAqRyUmkAZ pAYdoA1Jd+EFrCbPSA6xq1ZngsSqFqvKgvHeV1Ea2mOAzylg5733kHsvX 4=;
X-Files: signature.asc : 203
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkUFABS+KlCtJV2d/2dsb2JhbABFsVwBiEuBB4IgAQEBAwEBAQEPAVsLBQsCAQgYLicLJQEBBA4FDg0Hh2UGC5gXoGuLBYVRYAOOWoEghVGBFI0WgWaCXw
X-IronPort-AV: E=Sophos;i="4.77,769,1336348800";  d="asc'?scan'208,217";a="111615365"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-3.cisco.com with ESMTP; 14 Aug 2012 21:08:57 +0000
Received: from xhc-aln-x04.cisco.com (xhc-aln-x04.cisco.com [173.36.12.78]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id q7EL8vRX008199 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 21:08:57 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-aln-x04.cisco.com ([173.36.12.78]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 16:08:57 -0500
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [v6ops] IPv6 LL-only as WG document - feedback requested
Thread-Index: Ac1zsaLKu65hBuxGQ1mVPU9TRZLT7QALZhOAAarsawA=
Date: Tue, 14 Aug 2012 21:08:56 +0000
Message-ID: <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com>
In-Reply-To: <501F8D5F.5000805@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.81.8.2]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19114.001
x-tm-as-result: No--37.489300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed; boundary="Apple-Mail=_D2B117C1-4AC3-4D54-BD4B-52CA24B79CEC"; protocol="application/pgp-signature"; micalg=pgp-sha1
MIME-Version: 1.0
Cc: "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 21:08:59 -0000

--Apple-Mail=_D2B117C1-4AC3-4D54-BD4B-52CA24B79CEC
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_5D9BD657-EF4B-46A5-A340-B78EFC131FB5"


--Apple-Mail=_5D9BD657-EF4B-46A5-A340-B78EFC131FB5
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Michael, Brian,

Should "The Suggested Approach" http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1 also include some prescriptiveness or specific recommendation regarding the use of RFC 5837, instead of including that solution to interface identification as a "Caveats and Possible Workarounds" only?

Thanks,

-- Carlos.

On Aug 6, 2012, at 5:24 AM, Brian E Carpenter wrote:

> Hi,
>
>>   o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>      request ... can be addressed to loopback addresses of routers with
>>      a global scope address.  Router management can also be done over
>>      out-of-band channels.
>>
>>   o  ICMP error message can also be sourced from the global scope
>>      loopback address.
>
> These statements seem too weak. Using GUAs for ICMP in particular
> needs to have a normative MUST somewhere (preferably in a BCP). In the
> context of this Informational draft, the language needs to state a requirement
> ("must" not "can") even if you don't use RFC 2119 terminology.
>
> This matters because packets with a LL source address MUST NOT be forwarded,
> so a router that is misconfigured to send ICMP replies with a LL source
> address breaks both ping and traceroute.
>
> I think the rule is that any packet that is *not* sent to a LL address must
> have a GUA as the source address. That takes care of ICMP, and everything else
> as well.
>
> Furthermore, that GUA needs to be associated with a prefix that belongs to
> the organisation operating the router in question. Otherwise the traceroute
> results can be very confusing. We discussed that on v6ops back in March.
>
> Regards
>   Brian Carpenter
>
>
>
>
> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>> (distributed to OPSEC WG and in cc v6ops)
>>
>> Dear all,
>>
>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>>
>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>>
>> Ciao,
>> G/, KK & Warren
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>


--Apple-Mail=_5D9BD657-EF4B-46A5-A340-B78EFC131FB5--

--Apple-Mail=_D2B117C1-4AC3-4D54-BD4B-52CA24B79CEC
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="signature.asc"
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

iEYEARECAAYFAlAqvmgACgkQtfDPGTp3USzTowCcC8PfguDU5gRCgYJOJmn5VbKx
lNEAnRtYq9qzsHwi7K/Ae3rakte0UCSl
=20r1
-----END PGP SIGNATURE-----

--Apple-Mail=_D2B117C1-4AC3-4D54-BD4B-52CA24B79CEC--
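
The source-address rule quoted in the message above (a packet not sent to a link-local address must carry a GUA source, taken from a prefix of the router's operator), written as an audit check. This is an added example, not part of the original thread or of draft-behringer-lla-only; the function names, verdict strings, sample packets and the 2001:db8::/32 documentation prefixes are constructed, and treating link-local-scope multicast as an on-link destination is an assumption.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # IPv6 global unicast space
LINK_LOCAL = ipaddress.ip_network("fe80::/10")     # link-local unicast


def dst_is_link_scope(dst):
    """True for link-local unicast and link-local-scope multicast."""
    if dst in LINK_LOCAL:
        return True
    # Multicast scope is the low nibble of the second address byte;
    # scope 2 means link-local (assumption: treated as on-link here).
    return dst.is_multicast and (dst.packed[1] & 0x0F) == 2


def check_source(src, dst, operator_prefixes):
    """Classify one router-originated packet against the quoted rule.

    Returns "ok" or the name of the violated condition.
    """
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    prefixes = [ipaddress.ip_network(p) for p in operator_prefixes]

    if dst_is_link_scope(dst):
        return "ok"  # on-link traffic may keep a link-local source
    if src in LINK_LOCAL:
        # Replies to this source cannot be forwarded back, and routers on
        # the path must not forward the packet: ping and traceroute break.
        return "ll-source-off-link"
    if src not in GLOBAL_UNICAST:
        return "non-gua-source"
    if not any(src in p for p in prefixes):
        # Reachable, but traceroute output points at someone else's prefix.
        return "gua-outside-operator-prefix"
    return "ok"


def audit(packets, operator_prefixes):
    """Return (label, verdict) for every packet that violates the rule."""
    findings = []
    for label, src, dst in packets:
        verdict = check_source(src, dst, operator_prefixes)
        if verdict != "ok":
            findings.append((label, verdict))
    return findings


# Constructed sample: packets originated by a router whose transit
# interfaces carry only link-local addresses.
OPERATOR_PREFIXES = ["2001:db8:100::/48"]
SAMPLE_PACKETS = [
    ("OSPFv3 hello", "fe80::1", "ff02::5"),
    ("neighbor unicast", "fe80::1", "fe80::2"),
    ("ICMPv6 time exceeded, LL source", "fe80::1", "2001:db8:200::50"),
    ("ICMPv6 echo reply, loopback GUA", "2001:db8:100::1", "2001:db8:200::50"),
    ("ICMPv6 time exceeded, foreign GUA", "2001:db8:ffff::1", "2001:db8:200::50"),
    ("SNMP response, ULA source", "fd00::1", "2001:db8:200::50"),
]

if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_PACKETS, OPERATOR_PREFIXES):
        print(f"{verdict:30} {label}")
```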

From fgont@si6networks.com  Tue Aug 14 18:14:20 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 772C321F870A; Tue, 14 Aug 2012 18:14:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aE9LWfZYm1us; Tue, 14 Aug 2012 18:14:19 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 74FF921F8702; Tue, 14 Aug 2012 18:14:19 -0700 (PDT)
Received: from [186.134.26.60] (helo=[192.168.123.104]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T1SBa-0008Ud-FF; Wed, 15 Aug 2012 03:14:15 +0200
Message-ID: <502AEB54.8050904@si6networks.com>
Date: Tue, 14 Aug 2012 21:20:36 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Cc: "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2012 01:14:20 -0000

Hi, Eric,

Thanks so much for your feedback! -- Please find my comments in-line...


On 08/14/2012 05:42 AM, Eric Vyncke (evyncke) wrote:
[...]
> Let’s start with generic:
> 
> -       It should not be a BCP but rather informational

Just curious: what's the rationale for your preference?



> -       I also wonder whether it is worth an IETF RFC because it is well
> known topics in the security area (as you probably know)

I disagree with both points, for a number of reasons:

* An IETF RFC means IETF consensus on a topic. That doesn't necessarily
mean that the information is new, but rather that that's how the IETF
thinks about the problem.

* There has been quite some talk about the implications of transition
technologies, and recommendations to "block them"... but concrete advice
on how to filter each of these technologies is not always readily
available. Try Google.

* I generally disagree about "well known topics in the security area"
(unless you clearly define what you mean by "known" and what you mean by
"security area"). Most of the time I've seen any topic deemed as
"well-known" in the security community, it really wasn't. And when it
comes to IPv6 security in particular, there has been so much crap around
it that I'd probably deem "well known IPv6 security topic" as an
oxymoron. :-)


> -       Missing point: awareness of IPV6 by CISO is the key problem,

I don't necessarily disagree, but that kind of aspect seems to be out of
the scope of this particular document.


> should also add that IPv6 is not dangerous per se, and enabling IPv6 in
> intranet is a good way to bypass all automatic tunnels

The focus of this document is how IPv6 affects your "IPv4-only" network.

If you explicitly enable IPv6, then this document does not apply to your
network. -- Not to mention that lots of devices are not IPv6-capable,
which means that it shouldn't come up as a surprise if an admin cannot
enforce on v6 the same policies he enforces on v4.



> -       Intro / title should specify ‘end-user network’ (to avoid
> confusion for ISP)

Do we really need/want to make a difference, here? -- The generic issues
being discussed in this document apply to any network that has "dormant
IPv6 connectivity".



> -       IP flow (netflow), firewall log, DNS request log could also be
> monitored to detect tunnels establishments

Could you please elaborate a bit?



> -       Using NAPT (and not NAT as previously commented) usually blocks
> ‘magically’ IP protocol 41 and most tunnels

Agreed. I will add a note about this.



> -       If the security policy is to force all traffic through
> application proxies (done by all major organizations) then tunnels are
> not a threat

Should I add any comments about this? If so, where?



> Let’s continue with the details:
> 
> -       1.0 please avoid all discussion about NAPT being
> ‘minimal/simple’ security, the days of scanning are over and have been
> replaced by malware download/email propagated

... yet we still use firewalls. Clearly, a NAT-PT blocks some attack
vectors, and reduces host exposure. And technologies such as Teredo
essentially eliminate any sort of protection that could be achieved by
such NAT-PT. And they do block some attacks -- not "all" or "most", but
they do block some.



> -       2.0 congruent security policy indeed with the exception of RFC
> 4890 (ICMPv6)

I'd argue that the policy is still the same -- it's just that there are
additional message types in v6 (which are not present in v4).

It's quite unfortunate to hear in v6 circles things like "in v6, you
cannot filter all ICMP as you do in v4" -- because even in v4 you
couldn't do this without breaking PMTUD.



> -       2.1 filtering the IPv6 ethertype is TOO dangerous (= could break
> too many things) to be recommended in an IETF document

Filtering EtherType 0x86DD does what it is meant to do: block native
IPv6 traffic. Note that we are not recommending that people do it, and
even less to have products ship with that filter "on by default" -- we
just note that if you want to block native IPv6 traffic, that's
one possible way to do so.



> -       3.1 should refer to the RFC

Done!



> -       3.3 AFAIK there is no by default implementation of 6RD in
> generic OS and it requires either manual configuration or DHCPv4 option
> => remove this section

I'd probably argue that we should argue the comment on DHCPv4 possibly
enabling 6rd, rather than removing the whole section -- for instance, an
attacker could exploit such vector.

That aside, removing the entire section would likely trigger feedback of
the form "hey guys, you forgot to describe 6rd!".


> -       3.5 leave ISATAP (automatic config through DNS) but specify that
> blocking 41 also blocks it

The current text already notes that.



> -       3.6 as noted, Teredo default port can be changed. The good
> recommendation anyway for enterprises is to block outbound UDP traffic
> (except some pin holes for DNS of course), even my employer network
> blocks them since 1997 ;-). 

This is going beyond the type of advice this document is meant to
provide. We want to provide advice on how to block Teredo... rather than
recommend to filter all UDP.


> Also, Microsoft implementation disables
> Teredo when personal firewall is disabled or when the host is in an
> Active Directory network

That still leaves Windows systems with a firewall and no Active
Directory network with Teredo "on by default".


> -       Other tunnels TSP (but also Sixxs, ...) all require explicit
> installation and configuration by end-users. They are no more a threat
> than any other covert channel (being IP over DNS or over ICMP or ...), I
> would remove this section

TSP could allow incoming connections to the local network, which is
something quite different from an internal node being able to "send
stuff out on top of DNS or ICMP".

Thoughts?

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
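
The flow-log and DNS-log monitoring raised in the review comments above, as an added example that is not part of either correspondent's mail or of the draft: it labels hosts on an "IPv4-only" network that show signs of protocol 41, 6to4, Teredo, ISATAP or TSP activity. The log formats and sample lines are constructed; the port numbers (3544 for Teredo, 3653 for TSP), the 6to4 relay anycast prefix and the Windows default Teredo server name are not in the thread and are supplied here.

```python
"""Flag dormant IPv6 transition traffic on an IPv4-only network from flow and DNS logs."""
import ipaddress

PROTO_TCP, PROTO_UDP = 6, 17
PROTO_IPV6_IN_IPV4 = 41   # IP protocol 41: carries 6in4, 6to4, 6rd and ISATAP
TEREDO_PORT = 3544        # default Teredo server port (UDP); can be changed by config
TSP_PORT = 3653           # Tunnel Setup Protocol port (TCP or UDP)
SIX_TO_FOUR_ANYCAST = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast prefix
TEREDO_SERVER_NAME = "teredo.ipv6.microsoft.com"  # Windows default Teredo server name

# Constructed flow records (hypothetical CSV: time,src,dst,ip_proto,sport,dport).
SAMPLE_FLOWS = """\
2012-08-01T10:00:01,10.0.0.11,198.51.100.7,6,51000,443
2012-08-01T10:00:02,10.0.0.12,192.88.99.1,41,0,0
2012-08-01T10:00:03,10.0.0.13,203.0.113.9,17,52000,3544
2012-08-01T10:00:04,10.0.0.14,203.0.113.20,41,0,0
2012-08-01T10:00:05,10.0.0.15,203.0.113.30,6,53000,3653
2012-08-01T10:00:06,10.0.0.16,203.0.113.9,17,54000,40000
"""

# Constructed resolver log (hypothetical format: time client qname qtype).
SAMPLE_DNS = """\
2012-08-01T09:59:58 10.0.0.14 isatap.corp.example A
2012-08-01T09:59:59 10.0.0.16 teredo.ipv6.microsoft.com A
2012-08-01T10:00:00 10.0.0.11 www.example.org A
"""


def classify_flow(proto, dst, dport):
    """Return a transition-technology label for one IPv4 flow, or None."""
    if proto == PROTO_IPV6_IN_IPV4:
        # Protocol 41 towards the relay anycast prefix is 6to4; anything else
        # on protocol 41 could be 6in4, 6rd or ISATAP and needs a closer look.
        if ipaddress.ip_address(dst) in SIX_TO_FOUR_ANYCAST:
            return "6to4"
        return "proto41"
    if proto == PROTO_UDP and dport == TEREDO_PORT:
        return "teredo"
    if proto in (PROTO_TCP, PROTO_UDP) and dport == TSP_PORT:
        return "tsp"
    return None


def classify_dns_query(qname):
    """Return a label when a query name reveals tunnel auto-configuration."""
    name = qname.rstrip(".").lower()
    if name.split(".")[0] == "isatap":
        # ISATAP hosts locate their router by resolving the name "isatap".
        return "isatap-discovery"
    if name == TEREDO_SERVER_NAME:
        # Seen even when the Teredo port has been moved off the default.
        return "teredo-discovery"
    return None


def scan(flow_log, dns_log):
    """Map each internal host to the sorted list of labels observed for it."""
    findings = {}
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, _sport, dport = line.split(",")
        label = classify_flow(int(proto), dst, int(dport))
        if label:
            findings.setdefault(src, set()).add(label)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        label = classify_dns_query(qname)
        if label:
            findings.setdefault(client, set()).add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in sorted(scan(SAMPLE_FLOWS, SAMPLE_DNS).items()):
        print(host, ", ".join(labels))
```

Host 10.0.0.16 in the sample sends UDP to a non-default port, so the flow rule misses it and only the resolver log shows the Teredo server lookup.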




From brian.e.carpenter@gmail.com  Wed Aug 15 00:49:51 2012
Message-ID: <502B549A.4010708@gmail.com>
Date: Wed, 15 Aug 2012 08:49:46 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com>
In-Reply-To: <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

Carlos,

On 14/08/2012 22:08, Carlos Pignataro (cpignata) wrote:
> Michael, Brian,
> 
> Should "The Suggested Approach" http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1 also include some prescriptiveness or specific recommendation regarding the use of RFC 5837, instead of including that solution to interface identification as a "Caveats and Possible Workarounds" only?

I have no strong opinion on this. Just indicating the existence of 5837
seems OK, though.

Looking at the current text, it says that the loopback GUA MUST be used for all
ICMPv6 messages, which is good, but it also says
"ICMP error message can also be sourced from the global scope loopback address."
That seems unnecessary in view of the MUST, but in any case, s/can/will/.

Actually my main comment on the draft is on this text in the Introduction:

"We propose to configure neither globally routable IPv6 addresses nor
 unique local addresses on infrastructure links of routers, wherever
 possible.  We recommend to use exclusively link-local addresses on
 such links."

I suggest a more neutral approach, since some operators clearly prefer
to use GUAs:

 It is possible to configure neither globally routable IPv6 addresses nor
 unique local addresses on infrastructure links of routers. This document
 describes how to use exclusively link-local addresses on such links.

(and s/proposes/describes how/ in the Abstract)

Thanks
    Brian

> Thanks,
> 
> -- Carlos.
> 
> On Aug 6, 2012, at 5:24 AM, Brian E Carpenter wrote:
> 
>> Hi,
>>
>>>   o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
>>>      request ... can be addressed to loopback addresses of routers with
>>>      a global scope address.  Router management can also be done over
>>>      out-of-band channels.
>>>
>>>   o  ICMP error message can also be sourced from the global scope
>>>      loopback address.
>> These statements seem too weak. Using GUAs for ICMP in particular
>> needs to have a normative MUST somewhere (preferably in a BCP). In the
>> context of this Informational draft, the language needs to state a requirement
>> ("must" not "can") even if you don't use RFC 2119 terminology.
>>
>> This matters because packets with a LL source address MUST NOT be forwarded,
>> so a router that is misconfigured to send ICMP replies with a LL source
>> address breaks both ping and traceroute.
>>
>> I think the rule is that any packet that is *not* sent to a LL address must
>> have a GUA as the source address. That takes care of ICMP, and everything else
>> as well.
>>
>> Furthermore, that GUA needs to be associated with a prefix that belongs to
>> the organisation operating the router in question. Otherwise the traceroute
>> results can be very confusing. We discussed that on v6ops back in March.
>>
>> Regards
>>   Brian Carpenter
>>
>>
>>
>>
>> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
>>> (distributed to OPSEC WG and in cc v6ops)
>>>
>>> Dear all,
>>>
>>> During the OPSEC WG meeting last Wednesday there was consensus to adopt the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working group document with Informational status.
>>>
>>> Please read the draft, and if there is no violent objection on the list, the document will be requested to be submitted as WG document in 7 days.
>>>
>>> Ciao,
>>> G/, KK & Warren
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
> 
> 

From fgont@si6networks.com  Wed Aug 15 06:42:02 2012
Message-ID: <502BA6CB.9020405@si6networks.com>
Date: Wed, 15 Aug 2012 10:40:27 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "'opsec@ietf.org'" <opsec@ietf.org>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [OPSEC] draft-opsec-ipv6-implications-on-ipv4-nets: BCP vs. Info

Folks,

The current version of the aforementioned I-D targets BCP, and
essentially does two things:

1) Recommends that:
 * The same security policies currently enforced on v4 are enforced on v6
 * Transition/co-existence technologies be blocked by default

2) Provides advice on how to filter each of the different
transition/co-existence technologies.


"1)" (above) is probably the "BCP part" of the document.

Some folks have commented on whether they prefer this document to target
the Informational track (as opposed to the BCP it is currently targeting).

Can others please weigh in and share their thoughts regarding the proper
target for this I-D?

P.S.: I'm currently working on a rev that addresses the feedback that I
have received so far, and this is probably the only remaining item that
I may possibly need to address -- but would appreciate if more folks
shared their thoughts about it.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From markzzzsmith@yahoo.com.au  Wed Aug 15 02:42:00 2012
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com> <502B549A.4010708@gmail.com>
Message-ID: <1345023714.38595.YahooMailNeo@web32507.mail.mud.yahoo.com>
Date: Wed, 15 Aug 2012 02:41:54 -0700 (PDT)
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Carlos Pignataro \(cpignata\)" <cpignata@cisco.com>
In-Reply-To: <502B549A.4010708@gmail.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

Hi,


----- Original Message -----
> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
> To: Carlos Pignataro (cpignata) <cpignata@cisco.com>
> Cc: "'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org)" <draft-behringer-lla-only@tools.ietf.org>; "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>; "opsec@ietf.org" <opsec@ietf.org>; "v6ops v6ops WG (v6ops@ietf.org)" <v6ops@ietf.org>
> Sent: Wednesday, 15 August 2012 5:49 PM
> Subject: Re: [v6ops] IPv6 LL-only as WG document - feedback requested
>
> Carlos,
>
> On 14/08/2012 22:08, Carlos Pignataro (cpignata) wrote:
>>  Michael, Brian,
>>
>>  Should "The Suggested Approach"
> http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1 also include
> some prescriptiveness or specific recommendation regarding the use of RFC 5837,
> instead of including that solution to interface identification as a
> "Caveats and Possible Workarounds" only?
>
> I have no strong opinion on this. Just indicating the existence of 5837
> seems OK, though.
>
> Looking at the current text, it says that the loopback GUA MUST be used for all
> ICMPv6 messages, which is good, but it also says
> "ICMP error message can also be sourced from the global scope loopback
> address."

Perhaps it would be better to be even more general, and just say ICMPv6 messages must come from addresses with a scope greater than link local? Restricting to GUAs suggests the idea in this draft can only be used when GUAs are available, yet I'd think it could also be useful in a private, non-Internet connected network too.

<snip>

Regards,
Mark.

From mbehring@cisco.com  Wed Aug 15 08:39:45 2012
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Date: Wed, 15 Aug 2012 15:39:42 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EC3BB@xmb-rcd-x14.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com> <502B549A.4010708@gmail.com> <1345023714.38595.YahooMailNeo@web32507.mail.mud.yahoo.com>
In-Reply-To: <1345023714.38595.YahooMailNeo@web32507.mail.mud.yahoo.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

> -----Original Message-----
> From: Mark ZZZ Smith [mailto:markzzzsmith@yahoo.com.au]
[...]
> ----- Original Message -----
> > From: Brian E Carpenter <brian.e.carpenter@gmail.com>
[...]
> >
> > Carlos,
> >
> > On 14/08/2012 22:08, Carlos Pignataro (cpignata) wrote:
> >>  Michael, Brian,
> >>
> >>  Should "The Suggested Approach"
> > http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1
> > also include some prescriptiveness or specific recommendation
> > regarding the use of RFC 5837, instead of including that solution to
> > interface identification as a "Caveats and Possible Workarounds" only?
> >
> > I have no strong opinion on this. Just indicating the existence of
> > 5837 seems OK, though.

Two comments:
- the wording "suggested approach" is a left-over from the times when we were targeting BCP. Now as informational we'll remove the "suggested".
- the intention of the doc is to give guidance to a network operator on whether link local is a good idea in his environment or not. Since the target is the network operator, I don’t think we should recommend the use - the operator can't do anything about it. So my suggestion would be to leave it where it is.

Unless we want to widen the scope? (Not my preferred approach though - it's nice to have a clear scope)

> > Looking at the current text, it says that the loopback GUA MUST be
> > used for all
> > ICMPv6 messages, which is good, but it also says "ICMP error message
> > can also be sourced from the global scope loopback address."
>
> Perhaps it would be better to be even more general, and just say ICMPv6
> messages must come from addresses with a scope greater than link local?
> Restricting to GUAs suggests the idea in this draft can only be used when
> GUAs are available, yet I'd think it could also be useful in a private, non-
> Internet connected network too.

Good point. I'll change that.

Thanks for the feedback!
Michael

[...]

From evyncke@cisco.com  Thu Aug 16 05:23:04 2012
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Thu, 16 Aug 2012 12:23:01 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C6555@xmb-aln-x02.cisco.com>
References: <67832B1175062E48926BF3CB27C49B24068549@xmb-aln-x12.cisco.com> <501F8D5F.5000805@gmail.com> <724010AF-C8BA-4D97-BE5D-48A53AAB960A@cisco.com> <502B549A.4010708@gmail.com>
In-Reply-To: <502B549A.4010708@gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "'draft-behringer-lla-only@tools.ietf.org' \(draft-behringer-lla-only@tools.ietf.org\)" <draft-behringer-lla-only@tools.ietf.org>, "v6ops v6ops WG \(v6ops@ietf.org\)" <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback requested

Brian

Thanks for your suggestion about wording. I think we agree on the content and your format is better :-)

-éric


> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
> Brian E Carpenter
> Sent: Wednesday, 15 August 2012 09:50
> To: Carlos Pignataro (cpignata)
> Cc: 'draft-behringer-lla-only@tools.ietf.org' (draft-behringer-lla-only@tools.ietf.org);
> opsec-chairs@ietf.org; opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
> Subject: Re: [OPSEC] [v6ops] IPv6 LL-only as WG document - feedback
> requested
>
> Carlos,
>
> On 14/08/2012 22:08, Carlos Pignataro (cpignata) wrote:
> > Michael, Brian,
> >
> > Should "The Suggested Approach" http://tools.ietf.org/html/draft-behringer-lla-only-01#section-2.1
> > also include some prescriptiveness or specific recommendation regarding
> > the use of RFC 5837, instead of including that solution to interface
> > identification as a "Caveats and Possible Workarounds" only?
>
> I have no strong opinion on this. Just indicating the existence of 5837
> seems OK, though.
>
> Looking at the current text, it says that the loopback GUA MUST be used for
> all
> ICMPv6 messages, which is good, but it also says "ICMP error message can
> also be sourced from the global scope loopback address."
> That seems unnecessary in view of the MUST, but in any case, s/can/will/.
>
> Actually my main comment on the draft is on this text in the Introduction:
>
> "We propose to configure neither globally routable IPv6 addresses nor
> unique local addresses on infrastructure links of routers, wherever
> possible.  We recommend to use exclusively link-local addresses on such
> links."
>
> I suggest a more neutral approach, since some operators clearly prefer to
> use GUAs:
>
>  It is possible to configure neither globally routable IPv6 addresses nor
> unique local addresses on infrastructure links of routers. This document
> describes how to use exclusively link-local addresses on such links.
>
> (and s/proposes/describes how/ in the Abstract)
>
> Thanks
>     Brian
>
> > Thanks,
> >
> > -- Carlos.
> >
> > On Aug 6, 2012, at 5:24 AM, Brian E Carpenter wrote:
> >
> >> Hi,
> >>
> >>>   o  Management plane traffic, such as SSH, Telnet, SNMP, ICMP echo
> >>>      request ... can be addressed to loopback addresses of routers with
> >>>      a global scope address.  Router management can also be done over
> >>>      out-of-band channels.
> >>>
> >>>   o  ICMP error message can also be sourced from the global scope
> >>>      loopback address.
> >> These statements seem too weak. Using GUAs for ICMP in particular
> >> needs to have a normative MUST somewhere (preferably in a BCP). In
> >> the context of this Informational draft, the language needs to state
> >> a requirement ("must" not "can") even if you don't use RFC 2119
> >> terminology.
> >>
> >> This matters because packets with a LL source address MUST NOT be
> >> forwarded, so a router that is misconfigured to send ICMP replies
> >> with a LL source address breaks both ping and traceroute.
> >>
> >> I think the rule is that any packet that is *not* sent to a LL
> >> address must have a GUA as the source address. That takes care of
> >> ICMP, and everything else as well.
> >>
> >> Furthermore, that GUA needs to be associated with a prefix that
> >> belongs to the organisation operating the router in question.
> >> Otherwise the traceroute results can be very confusing. We discussed that
> >> on v6ops back in March.
> >>
> >> Regards
> >>   Brian Carpenter
> >>
> >> On 06/08/2012 10:03, Gunter Van de Velde (gvandeve) wrote:
> >>> (distributed to OPSEC WG and in cc v6ops)
> >>>
> >>> Dear all,
> >>>
> >>> During the OPSEC WG meeting last Wednesday there was consensus to adopt
> >>> the draft http://tools.ietf.org/html/draft-behringer-lla-only-01 as working
> >>> group document with Informational status.
> >>>
> >>> Please read the draft, and if there is no violent objection on the list,
> >>> the document will be requested to be submitted as WG document in 7 days.
> >>>
> >>> Ciao,
> >>> G/, KK & Warren
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
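
Added example (not from the thread or from the draft): a small Python model of the failure Brian Carpenter describes in the quoted text above, where an ICMPv6 error sourced from a link-local address is dropped by the first router that would have to forward it. The prefixes, router names and result labels are constructed, and treating link-local-scope multicast as a link-local destination is an assumption.

```python
"""Toy traceroute model: why ICMPv6 errors must not use a link-local source."""
import ipaddress

# Constructed values for the illustration (documentation prefix 2001:db8::/32).
OPERATOR_PREFIX = ipaddress.ip_network("2001:db8:100::/48")
PROBER = "2001:db8:200::50"


def is_link_local_dest(addr):
    """fe80::/10 unicast, or multicast whose scope nibble is 2 (assumption:
    link-local-scope multicast counts as 'sent to a LL address')."""
    a = ipaddress.ip_address(addr)
    return a.is_link_local or (a.is_multicast and (a.packed[1] & 0x0F) == 2)


def check_source(src, dst, operator_prefix=OPERATOR_PREFIX):
    """Apply the rule from the thread to one router-originated packet."""
    s = ipaddress.ip_address(src)
    if is_link_local_dest(dst):
        return "ok"               # on-link traffic, never forwarded
    if s.is_link_local:
        return "ll-source"        # the next forwarder must drop it
    if s not in operator_prefix:
        return "foreign-prefix"   # forwardable, but confusing in traceroute
    return "ok"


def traceroute(path, prober=PROBER):
    """path: list of (router name, source address it uses for ICMPv6 errors).

    The prober shares a link with hop 1, so hop 1's reply needs no forwarding.
    The reply of hop n > 1 is forwarded by hops n-1 .. 1, and a forwarder
    drops any packet whose source address is link-local.
    Returns rows of (hop number, address the prober sees or '*', rule verdict).
    """
    rows = []
    for hop, (_name, icmp_src) in enumerate(path, start=1):
        needs_forwarding = hop > 1
        dropped = needs_forwarding and ipaddress.ip_address(icmp_src).is_link_local
        seen = "*" if dropped else icmp_src
        rows.append((hop, seen, check_source(icmp_src, prober)))
    return rows


# Constructed path: r2 is misconfigured, r4 answers from another operator's prefix.
SAMPLE_PATH = [
    ("r1", "2001:db8:100::1"),
    ("r2", "fe80::2"),
    ("r3", "2001:db8:100::3"),
    ("r4", "2001:db8:ffff::4"),
]

if __name__ == "__main__":
    for hop, seen, verdict in traceroute(SAMPLE_PATH):
        print(f"{hop:2d}  {seen:<20} {verdict}")
```
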

From warren@kumari.net  Thu Aug 16 12:40:21 2012
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=windows-1252
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <001f01cd7a4e$d05c7390$71155ab0$@asgard.org>
Date: Thu, 16 Aug 2012 15:40:15 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org>
To: Lee Howard <lee@asgard.org>
X-Mailer: Apple Mail (2.1278)
Cc: 'v6ops v6ops WG' <v6ops@ietf.org>, opsec@ietf.org, 'Fernando Gont' <fgont@si6networks.com>, Warren Kumari <warren@kumari.net>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

On Aug 14, 2012, at 2:58 PM, Lee Howard wrote:

>
>
> From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf Of Eric Vyncke (evyncke)
> Sent: Tuesday, August 14, 2012 4:43 AM
> To: Gunter Van de Velde (gvandeve); opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
> Cc: Fernando Gont
> Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
>
> -       1.0 please avoid all discussion about NAPT being ‘minimal/simple’ security, the days of scanning are over and have been replaced by malware download/email propagated
>
>
> This is demonstrably false, and I can send you logs of scanning attempts foiled by NAPT.  NAT is crap security, but it’s not zero security.
>


Heretic!

Actually, I'd go so far as to drop the "crap" from the above -- while it isn't "real" security (whatever that means) it has become cool to simply beat on the NAT.

Yes, it's not awesome, but it *does* help prevent the secretary's desktop from getting owned quite as often. Yes, he should have it patched, yes it should be capable of protecting itself, yes, there should be a "real" security widget in front of it, but, well…

W


> Lee

-- 
With Feudalism, it's your Count that votes.



From marka@isc.org  Thu Aug 16 17:11:36 2012
To: Warren Kumari <warren@kumari.net>
From: Mark Andrews <marka@isc.org>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>
In-reply-to: Your message of "Thu, 16 Aug 2012 15:40:15 -0400." <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>
Date: Fri, 17 Aug 2012 10:11:16 +1000
Message-Id: <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
X-Mailman-Approved-At: Thu, 16 Aug 2012 21:52:52 -0700
Cc: 'Fernando Gont' <fgont@si6networks.com>, Lee Howard <lee@asgard.org>, opsec@ietf.org, 'v6ops v6ops WG' <v6ops@ietf.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets

In message <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net>, Warren Kumari writes:
>
> On Aug 14, 2012, at 2:58 PM, Lee Howard wrote:
>
> > From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf Of Eric Vyncke (evyncke)
> > Sent: Tuesday, August 14, 2012 4:43 AM
> > To: Gunter Van de Velde (gvandeve); opsec@ietf.org; v6ops v6ops WG (v6ops@ietf.org)
> > Cc: Fernando Gont
> > Subject: Re: [v6ops] [OPSEC] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
> >
> > -       1.0 please avoid all discussion about NAPT being ‘minimal/simple’ security, the days of scanning are over and have been replaced by malware download/email propagated
> >
> > This is demonstrably false, and I can send you logs of scanning attempts foiled by NAPT.  NAT is crap security, but it’s not zero security.
>
> Heretic!
>
> Actually, I'd go so far as to drop the "crap" from the above -- while it isn't "real" security (whatever that means) it has become cool to simply beat on the NAT.
>
> Yes, it's not awesome, but it *does* help prevent the secretary's desktop from getting owned quite as often. Yes, he should have it patched, yes it should be capable of protecting itself, yes, there should be a "real" security widget in front of it, but, well…
>
> W
But the problem is that people think they need "NAT" as opposed to
a "stateful firewall with default allow out all, block in all".
NAPT effectively establishes the latter + munges with addresses and
ports.  It's the state table not the address/port translation that
stops scans.

Stateless NAT44 or NAT66 doesn't stop scans.

As for the secretary's desktop how many of them would be owned
if LSR was being used to scan 192.168/16 through the NAT box?

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
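
Added example (not part of Mark Andrews's message or of any draft in the thread): a toy Python model of the point above, that the per-flow state table rather than the address/port rewriting is what drops unsolicited inbound probes. All addresses, ports and class names are constructed for the illustration, and the NAPT is assumed to filter on remote address and port.

```python
"""Toy model: what stops an inbound scan, the state table or the translation?"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Constructed prefixes and hosts (RFC 1918 inside, documentation ranges outside).
INSIDE = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE = ipaddress.ip_network("203.0.113.0/24")
CLIENT, SERVER, SCANNER = "192.168.1.10", "198.51.100.7", "192.0.2.66"


class StatefulFirewall:
    """Default allow out all, block in all. No address or port rewriting."""
    def __init__(self):
        self.flows = set()

    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p

    def inbound(self, p):
        # Deliver only the reverse direction of a flow opened from inside.
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None


class Napt:
    """Many-to-one port translation. Assumption: the mapping is matched on
    remote address and port as well as on the public port."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.by_flow = {}     # inside 4-tuple -> public port
        self.by_public = {}   # (public port, remote ip, remote port) -> inside (ip, port)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.by_flow:
            self.by_flow[key] = self.next_port
            self.by_public[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.by_flow[key], p.dst, p.dport)

    def inbound(self, p):
        hit = self.by_public.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or hit is None:
            return None       # no state for this remote: nothing to translate to
        return Packet(p.src, p.sport, hit[0], hit[1])


class StatelessNat:
    """1:1 prefix rewrite (static NAT44 / NAT66 style). Keeps no per-flow state."""
    @staticmethod
    def swap(addr, frm, to):
        offset = int(ipaddress.ip_address(addr)) - int(frm.network_address)
        return str(to.network_address + offset)

    def outbound(self, p):
        return Packet(self.swap(p.src, INSIDE, OUTSIDE), p.sport, p.dst, p.dport)

    def inbound(self, p):
        if ipaddress.ip_address(p.dst) not in OUTSIDE:
            return None
        # Every packet for a mapped address is rewritten and delivered.
        return Packet(p.src, p.sport, self.swap(p.dst, OUTSIDE, INSIDE), p.dport)


def run(device, scan_targets, ports=(22, 80, 445, 3389, 40000)):
    """One legitimate outbound flow and its reply, then an unsolicited scan."""
    sent = device.outbound(Packet(CLIENT, 51000, SERVER, 443))
    reply = device.inbound(Packet(sent.dst, sent.dport, sent.src, sent.sport))
    probes = [device.inbound(Packet(SCANNER, 4444, target, port))
              for target in scan_targets for port in ports]
    return {"reply_delivered": reply is not None and reply.dst == CLIENT,
            "probes_sent": len(probes),
            "probes_delivered": sum(p is not None for p in probes)}


def compare():
    inside = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    mapped = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    return {
        # No translation: the scanner addresses inside hosts directly
        # (assumed routable here, as with IPv6 global addresses).
        "stateful_firewall": run(StatefulFirewall(), inside),
        "napt": run(Napt("203.0.113.1"), ["203.0.113.1"]),
        "stateless_nat": run(StatelessNat(), mapped),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} {result}")
```

Port 40000 is in the probe list on purpose: it is the public port the NAPT allocated for the legitimate flow, and the probe to it is still dropped because the remote endpoint does not match the stored state.
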

From gvandeve@cisco.com  Fri Aug 17 01:10:03 2012
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "Fernando Gont (fgont@si6networks.com)" <fgont@si6networks.com>
Thread-Topic: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac18T01ACwflm2isSWu2MfBRi7t6fA==
Date: Fri, 17 Aug 2012 08:10:00 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com>
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B240761BExmbalnx12ciscocom_"
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets

--_000_67832B1175062E48926BF3CB27C49B240761BExmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Fernando,

I have seen more supportive messages than un-supportive messages on this draft.
Once you have updated the draft, we will do a 2 week call for WG adoption on the email list.

If then there is no objection we will ask you to resubmit as WG document.

Kind Regards,
G/

--_000_67832B1175062E48926BF3CB27C49B240761BExmbalnx12ciscocom_--

From gvandeve@cisco.com  Fri Aug 17 01:22:30 2012
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "Michael Behringer (mbehring)" <mbehring@cisco.com>
Thread-Topic: draft-behringer-lla-only
Thread-Index: Ac18UUVuc98JUysMTCG64w3a7Vwg8Q==
Date: Fri, 17 Aug 2012 08:22:28 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240762C6@xmb-aln-x12.cisco.com>
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B240762C6xmbalnx12ciscocom_"
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: [OPSEC] draft-behringer-lla-only

--_000_67832B1175062E48926BF3CB27C49B240762C6xmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

As there was no formal objection on the list wrt this draft, please submit the new updated version as OPSEC WG document.

Kind Regards,
G/

--_000_67832B1175062E48926BF3CB27C49B240762C6xmbalnx12ciscocom_--

From internet-drafts@ietf.org  Fri Aug 17 01:55:33 2012
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.33
Message-ID: <20120817085532.28295.20004.idtracker@ietfa.amsl.com>
Date: Fri, 17 Aug 2012 01:55:32 -0700
Cc: opsec@ietf.org
Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.

	Title           : Using Only Link-Local Addressing Inside an IPv6 Network
	Author(s)       : Michael Behringer
                          Eric Vyncke
	Filename        : draft-ietf-opsec-lla-only-00.txt
	Pages           : 7
	Date            : 2012-08-17

Abstract:
   This document proposes to use only IPv6 link-local addresses on
   infrastructure links between routers, wherever possible.  It
   discusses the advantages and disadvantages of this approach to aide
   the decision process for a given network,


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-opsec-lla-only-00


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From mbehring@cisco.com  Fri Aug 17 02:00:19 2012
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Thread-Topic: draft-behringer-lla-only
Thread-Index: Ac18UUVuc98JUysMTCG64w3a7Vwg8QABSllg
Date: Fri, 17 Aug 2012 09:00:15 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EDA3D@xmb-rcd-x14.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240762C6@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240762C6@xmb-aln-x12.cisco.com>
Content-Type: multipart/alternative; boundary="_000_3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EDA3Dxmbrcdx14ciscoc_"
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-behringer-lla-only

--_000_3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EDA3Dxmbrcdx14ciscoc_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

We just posted the draft under opsec.

This version does NOT take into account the comments we've received since the IETF. We'll post a 01 version in due course.

Michael

From: Gunter Van de Velde (gvandeve)
Sent: 17 August 2012 10:22
To: Eric Vyncke (evyncke); Michael Behringer (mbehring)
Cc: opsec@ietf.org
Subject: draft-behringer-lla-only

As there was no formal objection on the list wrt this draft, please submit the new updated version as OPSEC WG document.

Kind Regards,
G/

--_000_3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EDA3Dxmbrcdx14ciscoc_--

From jerduran@cisco.com  Fri Aug 17 02:07:10 2012
Return-Path: <jerduran@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6708321F846E for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 02:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.178
X-Spam-Level: 
X-Spam-Status: No, score=-8.178 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SARE_GIF_ATTACH=1.42]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHiXFLBROiVM for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 02:07:09 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id E888321F8463 for <opsec@ietf.org>; Fri, 17 Aug 2012 02:07:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=jerduran@cisco.com; l=17373; q=dns/txt; s=iport; t=1345194429; x=1346404029; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=pfxEDmdRcwxt4gfSJc8Q73nLyewiOt1p+1f1xwPfc/4=; b=L8YTHpuxtOv/BWAoaSHiEQ9Q0WR7YiKevVP91ufR+UwurhosbcRw+EFM AWF8Ea6jCEMm2/Cih9dBbkOwW4jXLlMAdE4XTwPS6ElbjYfEXNzNuesBL kepCNrUMJsJsLEtok2ywD4t5OU+NgjSuIr12lJj3NILhMfEtvCcnUckQ6 E=;
X-Files: logo.gif, green.gif : 837, 87
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Aq0FAJ0ILlCtJV2b/2dsb2JhbABFgkqmYIg9AYhMgQeCIQEBBAEBAQIHBgEbGxsKCxACAQgODwEBARAPBwIFEA8BCxQRAQEEDgQBCQUUh2sLmXegPosfBYNHgjpgA4gZh2EBhVSBFI0YgWaCX4FXCA
X-IronPort-AV: E=Sophos;i="4.77,783,1336348800";  d="gif'147?scan'147,208,217,147";a="112594676"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-4.cisco.com with ESMTP; 17 Aug 2012 09:07:08 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q7H9784Z031086 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 17 Aug 2012 09:07:08 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.248]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0298.004; Fri, 17 Aug 2012 04:07:08 -0500
From: "Jerome Durand (jerduran)" <jerduran@cisco.com>
To: Ronald Bonica <rbonica@juniper.net>
Thread-Topic: [OPSEC] Comments on draft-jdurand-bgp-security
Thread-Index: Ac10qlFrY5+NYzLkQSyU572HanPu5gH10KgA
Date: Fri, 17 Aug 2012 09:07:07 +0000
Message-ID: <6356B324-1065-4305-BBA7-CFDDF7740239@cisco.com>
References: <13205C286662DE4387D9AF3AC30EF456D77178BB80@EMBX01-WF.jnpr.net>
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D77178BB80@EMBX01-WF.jnpr.net>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.94.165]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19120.005
x-tm-as-result: No--57.290000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/related; boundary="_005_6356B32410654305BBA7CFDDF7740239ciscocom_"; type="multipart/alternative"
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Comments on draft-jdurand-bgp-security
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 09:07:10 -0000

--_005_6356B32410654305BBA7CFDDF7740239ciscocom_
Content-Type: multipart/alternative;
	boundary="_000_6356B32410654305BBA7CFDDF7740239ciscocom_"

--_000_6356B32410654305BBA7CFDDF7740239ciscocom_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Thank you Ron for this great feedback.
Comments in-line:

> Thanks for writing draft-jdurand-bgp-security. On the whole, it is a very
> well written document. The following are a few comments:
>
> Section 2.5
> ============
> Somewhere between Section 2 and Section 3, you should mention that the BGP
> process needs to be protected from stray packets. Protection can be
> achieved by applying a forwarding plane ACL. The ACL accepts all packets
> that meet the following criteria:
>
> - directed to TCP port 179 on the local device
> - sourced from a known BGP neighbor
>
> It discards all packets directed to TCP port 179 on the local device and
> sourced from an address not known to be a BGP neighbor.

Yes. Will be added in next version.

> Section 3.1
> ============
> In Section 3.1, you talk about MD5 Password Protection. This makes the
> reader think that you are talking about RFC 2385. However, the reference
> is to RFC 5925 (TCP-AO). Please be clear about which you are recommending.
>
> In this regard, we have a dilemma. The IETF has obsoleted RFC 2385 and
> replaced it with RFC 5925. However, to the best of my knowledge, there are
> no commercially available implementations.

Already integrated but not published yet :-)

> Section 4.1.1.1
> ===============
> Rather than listing every IPv4 special-use address, you might want to
> simply refer the reader to RFC 5735 and 5736.
>
> Section 4.1.1.2
> ================
> Rather than listing every IPv6 special-use address, you might want to
> refer the reader to
> http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml.
> It might be better to refer the reader to the registry, because it will be
> kept up to date in the future.

Yes we have progress to make for these 2 points. From your comments and the
ones from Marc Blanchet we'll propose new text here.

> Section 4.1.3
> =============
> It is true that most ISPs will not accept advertisements beyond a certain
> level of specificity. However, this is an issue to be worked out between
> the operators, and not an issue for standardization.

Indeed. Of course we don't intend to standardize anything or to mandate any
operator to do what is said in the document. We just want to describe what
are the BCP's so we have somehow to say that it's BCP to think about a limit
(quickly recalling reasons for that), that each domain is free to decide its
limit (that can change across peerings for sure), and that some communities
have documented what limit is usually adopted.

Thanks again.

Jerome








> --------------------------
> Ron Bonica
> vcard:       www.bonica.org/ron/ronbonica.vcf<http://www.bonica.org/ron/ronbonica.vcf>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org<mailto:OPSEC@ietf.org>
> https://www.ietf.org/mailman/listinfo/opsec
Jérôme Durand
Consulting Systems Engineer
Routing & Switching

jerduran@cisco.com<mailto:jerduran@cisco.com>
Mobile :+33 6 35 11 60 50

http://reseauxblog.cisco.fr

http://ipv6blog.cisco.fr


Cisco France
11, rue Camille Desmoulins
92782 Issy les Moulineaux
Cedex 9
France
www.cisco.fr<http://www.cisco.fr>






--_000_6356B32410654305BBA7CFDDF7740239ciscocom_--

--_005_6356B32410654305BBA7CFDDF7740239ciscocom_--
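
The forwarding-plane ACL that Ron's Section 2.5 comment describes in the message above, as an added example that is not part of the thread or of draft-jdurand-bgp-security: it builds the two rule groups (accept TCP/179 to a local address from a configured neighbor, discard TCP/179 to a local address from anyone else) for IPv4 and IPv6 and evaluates them first-match. The `Packet` and `Rule` types, the `"next"` verdict for traffic the ACL does not cover, and all addresses (documentation prefixes) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BGP_PORT = 179
TCP = 6  # IANA protocol number for TCP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # "accept" or "discard"
    src: object   # network the source address must fall in
    dst: object   # network the destination address must fall in

    def matches(self, pkt: Packet) -> bool:
        # The ACL only speaks about TCP segments directed to port 179.
        if pkt.proto != TCP or pkt.dport != BGP_PORT:
            return False
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # ipaddress containment is False across IP versions, so an IPv4
        # rule never matches an IPv6 packet and vice versa.
        return src in self.src and dst in self.dst


def host_net(addr):
    """Host route (/32 or /128) for a single address."""
    return ip_network(f"{addr}/{addr.max_prefixlen}")


def build_acl(local_addrs, neighbors):
    """Ordered rule list: every accept term first, then the catch-all discards."""
    local_ips = [ip_address(a) for a in local_addrs]
    peers = [ip_address(n) for n in neighbors]
    acl = []
    for local in local_ips:
        for peer in peers:
            if peer.version == local.version:
                acl.append(Rule("accept", host_net(peer), host_net(local)))
    for local in local_ips:
        any_src = ip_network("0.0.0.0/0" if local.version == 4 else "::/0")
        acl.append(Rule("discard", any_src, host_net(local)))
    return acl


def evaluate(acl, pkt):
    """First matching rule wins; "next" means the ACL has no opinion and the
    packet falls through to the rest of the device's filter policy."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "next"


# Constructed sample data (RFC 5737 / RFC 3849 documentation addresses).
LOCAL = ["192.0.2.1", "2001:db8::1"]
NEIGHBORS = ["198.51.100.7", "2001:db8:ffff::2"]
SAMPLES = [
    Packet("198.51.100.7", "192.0.2.1", TCP, 179),        # configured IPv4 neighbor
    Packet("203.0.113.9", "192.0.2.1", TCP, 179),         # stray IPv4 source
    Packet("2001:db8:ffff::2", "2001:db8::1", TCP, 179),  # configured IPv6 neighbor
    Packet("2001:db8:bad::1", "2001:db8::1", TCP, 179),   # stray IPv6 source
    Packet("203.0.113.9", "198.51.100.7", TCP, 179),      # transit, not to local device
    Packet("203.0.113.9", "192.0.2.1", TCP, 22),          # other service on the device
    Packet("198.51.100.7", "192.0.2.1", 17, 179),         # UDP, not TCP
]


def verdicts():
    acl = build_acl(LOCAL, NEIGHBORS)
    return [evaluate(acl, p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, verdicts()):
        print(f"{pkt.src:>18} -> {pkt.dst:<14} proto={pkt.proto:<2} "
              f"dport={pkt.dport:<4} {verdict}")
```

The two criteria as stated only cover segments whose destination port is 179; return traffic for sessions the local router opened arrives with source port 179 and is left to the rest of the filter here.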

From fgont@si6networks.com  Fri Aug 17 02:24:18 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80AD121F855E for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 02:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezuKwwJCJIOb for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 02:24:18 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id E3F4721F852C for <opsec@ietf.org>; Fri, 17 Aug 2012 02:24:17 -0700 (PDT)
Received: from [2001:5c0:1400:a::1edd] by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T2Iml-0004T4-IP; Fri, 17 Aug 2012 11:24:12 +0200
Message-ID: <502E0D7C.3080504@si6networks.com>
Date: Fri, 17 Aug 2012 06:23:08 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 09:24:18 -0000

Hi, Gunter,

On 08/17/2012 05:10 AM, Gunter Van de Velde (gvandeve) wrote:
> I have seen more supportive messages than un-supportive messages on this
> draft.
> 
> Once you have updated the draft, we will do a 2 week call for WG
> adoption on the email list.

The only remaining bit to act/decide upon is the track. I've seen mixed
opinions on the subject.

Should the wg be polled about adoption on the document, and then decide
on the track? Should the poll be about adopting the document *and* about
the desired track?

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From manav.bhatia@alcatel-lucent.com  Fri Aug 17 03:49:10 2012
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDE9221F8517 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 03:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.399
X-Spam-Level: 
X-Spam-Status: No, score=-7.399 tagged_above=-999 required=5 tests=[AWL=-0.800, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tRaCqt4s8YtP for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 03:49:09 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id D355121F84C2 for <opsec@ietf.org>; Fri, 17 Aug 2012 03:49:09 -0700 (PDT)
Received: from ihemail2.lucent.com (h135-245-2-35.lucent.com [135.245.2.35]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id q7HAn99X011052 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <opsec@ietf.org>; Fri, 17 Aug 2012 05:49:09 -0500 (CDT)
Received: from inbansmailrelay1.in.alcatel-lucent.com (h135-250-11-31.lucent.com [135.250.11.31]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id q7HAn6aM007318 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <opsec@ietf.org>; Fri, 17 Aug 2012 05:49:08 -0500 (CDT)
Received: from INBANSXCHHUB01.in.alcatel-lucent.com (inbansxchhub01.in.alcatel-lucent.com [135.250.12.32]) by inbansmailrelay1.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q7HAn5i2015586 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <opsec@ietf.org>; Fri, 17 Aug 2012 16:19:05 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB01.in.alcatel-lucent.com ([135.250.12.32]) with mapi; Fri, 17 Aug 2012 16:19:05 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Date: Fri, 17 Aug 2012 16:19:23 +0530
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: Ac18VizctzTyUtGJSkSPkgtY2EPJGwACs8OQ
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com>
In-Reply-To: <20120817085532.28295.20004.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 10:49:10 -0000

Hi,

It seems it's common for duplicate MAC addresses to appear in the network. In
that case more than one router would end up with having the same link local
address. Will this not be an issue?

I was also wondering why the draft suggests using loose sequence of IPv6
prefixes to identify the complete path in RSVP-TE.

Cheers, Manav

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
> On Behalf Of internet-drafts@ietf.org
> Sent: Friday, August 17, 2012 2:26 PM
> To: i-d-announce@ietf.org
> Cc: opsec@ietf.org
> Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
>
> A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
>  This draft is a work item of the Operational Security
> Capabilities for IP Network Infrastructure Working Group of the IETF.
>
> 	Title           : Using Only Link-Local Addressing Inside an IPv6 Network
> 	Author(s)       : Michael Behringer
>                           Eric Vyncke
> 	Filename        : draft-ietf-opsec-lla-only-00.txt
> 	Pages           : 7
> 	Date            : 2012-08-17
>
> Abstract:
>    This document proposes to use only IPv6 link-local addresses on
>    infrastructure links between routers, wherever possible.  It
>    discusses the advantages and disadvantages of this approach to aide
>    the decision process for a given network,
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-opsec-lla-only-00
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

From simoneng56@gmail.com  Fri Aug 17 04:15:59 2012
Return-Path: <simoneng56@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5403621F8508 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 04:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.555
X-Spam-Level: 
X-Spam-Status: No, score=-3.555 tagged_above=-999 required=5 tests=[AWL=0.043,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ctThRxq3-yz8 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 04:15:57 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8551E21F8505 for <opsec@ietf.org>; Fri, 17 Aug 2012 04:15:57 -0700 (PDT)
Received: by qcac10 with SMTP id c10so3301612qca.31 for <opsec@ietf.org>; Fri, 17 Aug 2012 04:15:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=+r5PHZksDrITvSuCTOM0wkrZq3wKBRQ/c5KEyNq9/L0=; b=0LITXQ6twWzXjVbzY9Jb4Ro4lVG4lEIG4vvCR/DZavs9I9iE3Lp7y3lL5NNlAApfxj SeSk8RbFb+8nAsEu9x6rIdQK/1OyJiBgyFOL76fAoZ2igavv5AQvNJLoJEs9cokHgmKu CYKlSZSZDBuB9dYLUQ3EZ0nyscu4yXDbO/HLzXCAzJ7ODnqO5EDYhxuTaiIg1PIEA69y B9fztzREXQQHcYYm0oPy90SXMQ0ypxbBF0DQt6VESAyOwOuYvOQ3fpy2yqJEMrmw9hYK NnnNkDB4xe9v4gkCcwYTlgw1lKDyJtkjdYWBo2LT5jvDnuAr3ArBTl5fGxVyPLmdQwI4 4KMg==
MIME-Version: 1.0
Received: by 10.58.189.69 with SMTP id gg5mr2325471vec.6.1345202156816; Fri, 17 Aug 2012 04:15:56 -0700 (PDT)
Received: by 10.58.253.137 with HTTP; Fri, 17 Aug 2012 04:15:56 -0700 (PDT)
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Fri, 17 Aug 2012 19:15:56 +0800
Message-ID: <CAM2ObsRz3s73TB6V_BcRET-3xg9MyGmYabgGhK=yKB-d7Ue8NQ@mail.gmail.com>
From: Simon Eng <simoneng56@gmail.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Content-Type: multipart/alternative; boundary=047d7b672956b5495f04c7744892
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 11:15:59 -0000

--047d7b672956b5495f04c7744892
Content-Type: text/plain; charset=ISO-8859-1

Hi,

Minor point: there is a typo on page 3 (third bullet) "IICMP error ".

Under Section 2.2 (page 4), it was mentioned "Simpler DNS: Less address
space in use also means less DNS mappings to maintain."

Is it assumed that DNS will not be used for LLA on infrastructure links?
If an ISP networker is managing several routers, I don't think he/she will
be able to remember all the LLAs used on the routers right (especially IPv6
addresses with 128-bit)?  Perhaps, DNS will still be used??

Regards.

Simon


> > -----Original Message-----
> > From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org]
> > On Behalf Of internet-drafts@ietf.org
> > Sent: Friday, August 17, 2012 2:26 PM
> > To: i-d-announce@ietf.org
> > Cc: opsec@ietf.org
> > Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> >
> >
> > A New Internet-Draft is available from the on-line
> > Internet-Drafts directories.
> >  This draft is a work item of the Operational Security
> > Capabilities for IP Network Infrastructure Working Group of the IETF.
> >
> >       Title           : Using Only Link-Local Addressing
> > Inside an IPv6 Network
> >       Author(s)       : Michael Behringer
> >                           Eric Vyncke
> >       Filename        : draft-ietf-opsec-lla-only-00.txt
> >       Pages           : 7
> >       Date            : 2012-08-17
> >
> > Abstract:
> >    This document proposes to use only IPv6 link-local addresses on
> >    infrastructure links between routers, wherever possible.  It
> >    discusses the advantages and disadvantages of this approach to aide
> >    the decision process for a given network,
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-opsec-lla-only-00
> >
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > OPSEC mailing list
> > OPSEC@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsec
> >
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>

--047d7b672956b5495f04c7744892--

From gert@space.net  Fri Aug 17 05:11:24 2012
Return-Path: <gert@space.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FE7E21F853E for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 05:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcpcGLCPWs9y for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 05:11:23 -0700 (PDT)
Received: from mobil.space.net (mobil.Space.Net [IPv6:2001:608:2:81::2]) by ietfa.amsl.com (Postfix) with ESMTP id 8D45921F8535 for <opsec@ietf.org>; Fri, 17 Aug 2012 05:11:22 -0700 (PDT)
Received: from mobil.space.net (localhost [127.0.0.1]) by mobil.space.net (Postfix) with ESMTP id 66452F8C9C for <opsec@ietf.org>; Fri, 17 Aug 2012 14:11:21 +0200 (CEST)
X-SpaceNet-Relay: true
Received: from moebius3.space.net (moebius3.Space.Net [IPv6:2001:608:2:2::250]) by mobil.space.net (Postfix) with ESMTPS id 5383FF8C34 for <opsec@ietf.org>; Fri, 17 Aug 2012 14:11:21 +0200 (CEST)
Received: (qmail 92058 invoked by uid 1007); 17 Aug 2012 14:11:21 +0200
Date: Fri, 17 Aug 2012 14:11:21 +0200
From: Gert Doering <gert@space.net>
To: "Bhatia, Manav \(Manav\)" <manav.bhatia@alcatel-lucent.com>
Message-ID: <20120817121121.GJ38127@Space.Net>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-NCC-RegID: de.space
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 12:11:24 -0000

Hi,

On Fri, Aug 17, 2012 at 04:19:23PM +0530, Bhatia, Manav (Manav) wrote:
> It seems it's common for duplicate MAC addresses to appear in the network.

If that happens to you, you have way bigger problems.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From mbehring@cisco.com  Fri Aug 17 05:37:51 2012
Return-Path: <mbehring@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C497421F8517 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 05:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCJnzjVWaP3r for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 05:37:51 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 3A82221F847D for <opsec@ietf.org>; Fri, 17 Aug 2012 05:37:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mbehring@cisco.com; l=1363; q=dns/txt; s=iport; t=1345207071; x=1346416671; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=MME04bEldoR0YPbHGgRM/KNkx/VPr/mO8oCZdK43rPs=; b=amsUOA/bAljPcTQRxcUDWvRSF/oN5kYuvPzFVFupatxNYL12MlpHlM5y kKViXa1cUOh6be9wJNtytaSfzpfO1xHcc49hzuMjVmsDLo3AXrzr3rFfA GTC7QGBK2NzVaZOXBmqKqWkzXfGtf8txA8JwTY2g8aB49xS3o3Tj7FvyU k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAFk6LlCtJV2Z/2dsb2JhbABFujqBB4IgAQEBAwESAWsLAgEIIiQyJQIEARoah2UGmV+gQosfhgdgA4gZm2KBZoJggVg
X-IronPort-AV: E=Sophos;i="4.77,784,1336348800"; d="scan'208";a="112409506"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-1.cisco.com with ESMTP; 17 Aug 2012 12:37:50 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q7HCboNQ026587 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 17 Aug 2012 12:37:50 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.3]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.02.0298.004; Fri, 17 Aug 2012 07:37:50 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Simon Eng <simoneng56@gmail.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrLW6Iov7LYkm03FyyQsg8r5deJxKAgAAHawD//7/e4A==
Date: Fri, 17 Aug 2012 12:37:49 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE160@xmb-rcd-x14.cisco.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <CAM2ObsRz3s73TB6V_BcRET-3xg9MyGmYabgGhK=yKB-d7Ue8NQ@mail.gmail.com>
In-Reply-To: <CAM2ObsRz3s73TB6V_BcRET-3xg9MyGmYabgGhK=yKB-d7Ue8NQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.194.30]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19120.005
x-tm-as-result: No--25.450100-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 12:37:52 -0000

Simon,

[...]
> Minor point: there is a typo on page 3 (third bullet) "IICMP error ".

Noted, thanks.

> Under Section 2.2 (page 4), it was mentioned "Simpler DNS: Less
> address space in use also means less DNS mappings to maintain."

> Is it assumed that DNS will not be used for LLA on infrastructure links?

Yes. That's the point. We should point that out more clearly I guess.
Someone else proposed a scheme where you could enter link local addresses
for reverse resolution; I think it is fair to say that consensus was this
is not a good idea.

> If an ISP networker is managing several routers, I don't think he/she
> will be able to remember all the LLAs used on the routers right
> (especially IPv6 addresses with 128-bit)?  Perhaps, DNS will still be
> used??

My feeling: No, it shouldn't. A link local address has its scope very
clearly limited to the link. DNS is generally used with a global scope. In
my mind, the two don't go together. While, using MAC addresses, you could
generally assume LL addresses to be unique in a network (or even
globally), there is no guarantee, and we'll run into trouble later if we
allow DNS mappings for link local addresses.

Somewhere, someone must have written this down explicitly? Can we refer to
something here?

Michael

[...]
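
Added example, not part of the original message or of the draft: a Python illustration of the point above that a link-local address only means something on one link, so a globally scoped DNS record for it is ambiguous. It derives addresses from MACs with modified EUI-64 (RFC 4291, Appendix A); the router names, link names and MAC addresses are constructed sample data, and the function names are this example's own.

```python
import ipaddress
from collections import defaultdict


def mac_to_link_local(mac):
    """Return the fe80::/64 address a 48-bit MAC yields under modified EUI-64
    (RFC 4291, Appendix A): flip the universal/local bit, insert ff:fe."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    addr = ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)
    if not addr.is_link_local:
        raise AssertionError("derived address left fe80::/10")
    return addr


# Constructed inventory: (router, interface, link, MAC). All values are made up.
INVENTORY = [
    # One machine presenting the same MAC on two interfaces, on different links.
    ("r1", "eth0", "link-A", "00:1b:21:3c:4d:5e"),
    ("r1", "eth1", "link-B", "00:1b:21:3c:4d:5e"),
    ("r2", "eth0", "link-A", "00:1b:21:aa:bb:01"),
    ("r3", "eth0", "link-B", "00:1b:21:aa:bb:02"),
    # Two machines with the same MAC on the same link: a misconfiguration.
    ("r4", "eth0", "link-C", "00:1b:21:aa:bb:03"),
    ("r5", "eth0", "link-C", "00:1b:21:aa:bb:03"),
]


def candidates(address, inventory):
    """Every port a bare link-local address could refer to. A usable target is
    (address, link); a global DNS answer carries only the address."""
    wanted = ipaddress.IPv6Address(address)
    return sorted(
        (link, f"{router}:{ifname}")
        for router, ifname, link, mac in inventory
        if mac_to_link_local(mac) == wanted
    )


def classify(inventory):
    """Split address reuse into the two cases argued over in the thread.

    cross_link: same address on several links (valid, but ambiguous by name).
    same_link:  same address twice on one link (breaks that link regardless).
    """
    per_addr = defaultdict(lambda: defaultdict(list))
    for router, ifname, link, mac in inventory:
        per_addr[str(mac_to_link_local(mac))][link].append(f"{router}:{ifname}")

    cross_link, same_link = {}, {}
    for addr, links in per_addr.items():
        if len(links) > 1:
            cross_link[addr] = sorted(links)
        for link, ports in links.items():
            if len(ports) > 1:
                same_link[(addr, link)] = sorted(ports)
    return cross_link, same_link


if __name__ == "__main__":
    cross, same = classify(INVENTORY)
    for addr, links in cross.items():
        print(f"{addr} is valid on {links}: a name for it would not say which")
    for (addr, link), ports in same.items():
        print(f"{addr} claimed by {ports} on {link}: duplicate on one link")
```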



From manav.bhatia@alcatel-lucent.com  Fri Aug 17 06:59:17 2012
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2B021F8526 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 06:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.326
X-Spam-Level: 
X-Spam-Status: No, score=-7.326 tagged_above=-999 required=5 tests=[AWL=-0.727, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBZtkEX9Bflp for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 06:59:16 -0700 (PDT)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfa.amsl.com (Postfix) with ESMTP id BAC0C21F84D1 for <opsec@ietf.org>; Fri, 17 Aug 2012 06:59:16 -0700 (PDT)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id q7HDxATx015672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Aug 2012 08:59:12 -0500 (CDT)
Received: from INBANSXCHHUB01.in.alcatel-lucent.com (inbansxchhub01.in.alcatel-lucent.com [135.250.12.32]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q7HDx8nE022987 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 17 Aug 2012 19:29:09 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB01.in.alcatel-lucent.com ([135.250.12.32]) with mapi; Fri, 17 Aug 2012 19:29:08 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Gert Doering <gert@space.net>
Date: Fri, 17 Aug 2012 19:29:07 +0530
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: Ac18cXN79D2jri4lRqCsbXeFWZ0trgADtdaw
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net>
In-Reply-To: <20120817121121.GJ38127@Space.Net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 13:59:17 -0000

Oh, it happens all the time. Any proposal that relies on MACs being unique
in the network lies on tenuous grounds.

You might want to look at this thread going on in the 6man mailing list.

http://www.ietf.org/mail-archive/web/ipv6/current/msg16222.html

Cheers, Manav

> -----Original Message-----
> From: Gert Doering [mailto:gert@space.net]
> Sent: Friday, August 17, 2012 5:41 PM
> To: Bhatia, Manav (Manav)
> Cc: opsec@ietf.org
> Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> Hi,
>
> On Fri, Aug 17, 2012 at 04:19:23PM +0530, Bhatia, Manav (Manav) wrote:
> > It seems it's common for duplicate MAC addresses to appear in the network.
>
> If that happens to you, you have way bigger problems.
>
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
>

From gert@space.net  Fri Aug 17 07:11:32 2012
Return-Path: <gert@space.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD73C21F84D1 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:11:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.456
X-Spam-Level: 
X-Spam-Status: No, score=-2.456 tagged_above=-999 required=5 tests=[AWL=0.143,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y9uI9Ki1x1je for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:11:32 -0700 (PDT)
Received: from mobil.space.net (mobil.Space.Net [IPv6:2001:608:2:81::2]) by ietfa.amsl.com (Postfix) with ESMTP id F096E21F84C2 for <opsec@ietf.org>; Fri, 17 Aug 2012 07:11:31 -0700 (PDT)
Received: from mobil.space.net (localhost [127.0.0.1]) by mobil.space.net (Postfix) with ESMTP id 1365CF8CAC for <opsec@ietf.org>; Fri, 17 Aug 2012 16:11:29 +0200 (CEST)
X-SpaceNet-Relay: true
Received: from moebius3.space.net (moebius3.Space.Net [IPv6:2001:608:2:2::250]) by mobil.space.net (Postfix) with ESMTPS id B74FAF8CA7 for <opsec@ietf.org>; Fri, 17 Aug 2012 16:11:28 +0200 (CEST)
Received: (qmail 56913 invoked by uid 1007); 17 Aug 2012 16:11:28 +0200
Date: Fri, 17 Aug 2012 16:11:28 +0200
From: Gert Doering <gert@space.net>
To: "Bhatia, Manav \(Manav\)" <manav.bhatia@alcatel-lucent.com>
Message-ID: <20120817141128.GR38127@Space.Net>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="msuMhlVPES9Pz2Dp"
Content-Disposition: inline
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-NCC-RegID: de.space
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 14:11:32 -0000

--msuMhlVPES9Pz2Dp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On Fri, Aug 17, 2012 at 07:29:07PM +0530, Bhatia, Manav (Manav) wrote:
> Oh, it happens all the time.

Most certainly not.

> Any proposal that relies on MACs being unique in the network lies on
> tenuous grounds.
>
> You might want to look at this thread going on in the 6man mailing list.
>
> http://www.ietf.org/mail-archive/web/ipv6/current/msg16222.html

As explained in the thread, that's different interfaces of the *same*
machine - and if you hook two of them to two switchports in the same
VLAN, you'll immediately have lots of weird effects, without any IPv6
in the mix.  So nobody sane does that (... without some sort of
active/passive or bonding configuration).

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

--msuMhlVPES9Pz2Dp--

From manav.bhatia@alcatel-lucent.com  Fri Aug 17 07:13:37 2012
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D73A21F852C for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.266
X-Spam-Level: 
X-Spam-Status: No, score=-9.266 tagged_above=-999 required=5 tests=[AWL=1.333,  BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A48R-sH2FwD0 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:13:37 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id 1189A21F84FA for <opsec@ietf.org>; Fri, 17 Aug 2012 07:13:37 -0700 (PDT)
Received: from inbansmailrelay1.in.alcatel-lucent.com (h135-250-11-31.lucent.com [135.250.11.31]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id q7HEDX8G002153 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Aug 2012 09:13:35 -0500 (CDT)
Received: from INBANSXCHHUB03.in.alcatel-lucent.com (inbansxchhub03.in.alcatel-lucent.com [135.250.12.80]) by inbansmailrelay1.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q7HEDVTB031300 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 17 Aug 2012 19:43:32 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB03.in.alcatel-lucent.com ([135.250.12.80]) with mapi; Fri, 17 Aug 2012 19:43:31 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Gert Doering <gert@space.net>
Date: Fri, 17 Aug 2012 19:43:30 +0530
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: Ac18gjZx6Jj4nZElT8edNX5bNKZN0wAACVKg
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D063A0F96@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817141128.GR38127@Space.Net>
In-Reply-To: <20120817141128.GR38127@Space.Net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 14:13:37 -0000

Hi,

I believe the thread also says that for various reasons different
machines/ports in the network can end up with the same MAC. It's this
point that I was alluding to.

Cheers, Manav

> -----Original Message-----
> From: Gert Doering [mailto:gert@space.net]
> Sent: Friday, August 17, 2012 7:41 PM
> To: Bhatia, Manav (Manav)
> Cc: Gert Doering; opsec@ietf.org
> Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> Hi,
>
> On Fri, Aug 17, 2012 at 07:29:07PM +0530, Bhatia, Manav (Manav) wrote:
> > Oh, it happens all the time.
>
> Most certainly not.
>
> > Any proposal that relies on MACs being unique in the network lies on
> > tenuous grounds.
> >
> > You might want to look at this thread going on in the 6man mailing list.
> >
> > http://www.ietf.org/mail-archive/web/ipv6/current/msg16222.html
>
> As explained in the thread, that's different interfaces of
> the *same* machine - and if you hook two of them to two
> switchports in the same VLAN, you'll immediately have lots of
> weird effects, without any IPv6 in the mix.  So nobody sane
> does that (... without some sort of active/passive or bonding
> configuration).
>
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
>

From gert@space.net  Fri Aug 17 07:17:17 2012
Return-Path: <gert@space.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 238BA21F842E for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:17:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.462
X-Spam-Level: 
X-Spam-Status: No, score=-2.462 tagged_above=-999 required=5 tests=[AWL=0.137,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id anqlyxSAAzZN for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:17:16 -0700 (PDT)
Received: from mobil.space.net (mobil.Space.Net [IPv6:2001:608:2:81::2]) by ietfa.amsl.com (Postfix) with ESMTP id 6270E21F842B for <opsec@ietf.org>; Fri, 17 Aug 2012 07:17:15 -0700 (PDT)
Received: from mobil.space.net (localhost [127.0.0.1]) by mobil.space.net (Postfix) with ESMTP id AEF06F8CA5 for <opsec@ietf.org>; Fri, 17 Aug 2012 16:17:14 +0200 (CEST)
X-SpaceNet-Relay: true
Received: from moebius3.space.net (moebius3.Space.Net [IPv6:2001:608:2:2::250]) by mobil.space.net (Postfix) with ESMTPS id 5D4B6F8CAA for <opsec@ietf.org>; Fri, 17 Aug 2012 16:17:14 +0200 (CEST)
Received: (qmail 65362 invoked by uid 1007); 17 Aug 2012 16:17:14 +0200
Date: Fri, 17 Aug 2012 16:17:14 +0200
From: Gert Doering <gert@space.net>
To: "Bhatia, Manav \(Manav\)" <manav.bhatia@alcatel-lucent.com>
Message-ID: <20120817141714.GS38127@Space.Net>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817141128.GR38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F96@INBANSXCHMBSA1.in.alcatel-lucent.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="75BZgslUCqt1raBP"
Content-Disposition: inline
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F96@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-NCC-RegID: de.space
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 14:17:17 -0000

--75BZgslUCqt1raBP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On Fri, Aug 17, 2012 at 07:43:30PM +0530, Bhatia, Manav (Manav) wrote:
> I believe the thread also says that for various reasons different
> machines/ports in the network can end up with the same MAC. It's this
> point that I was alluding to.

That would always be a misconfiguration.

(Not that it does not happen, but it will cause massive breakage in other
parts, and thus needs fixing, so it makes no sense to accept "duplicate
MAC" as a valid scenario here).

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

--75BZgslUCqt1raBP--

From manav.bhatia@alcatel-lucent.com  Fri Aug 17 07:22:57 2012
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C618F11E80D2 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:22:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.368
X-Spam-Level: 
X-Spam-Status: No, score=-9.368 tagged_above=-999 required=5 tests=[AWL=1.231,  BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2MKgmOU01zC for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:22:57 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id E7BC921F84D1 for <opsec@ietf.org>; Fri, 17 Aug 2012 07:22:56 -0700 (PDT)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id q7HEMrKE006305 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Aug 2012 09:22:55 -0500 (CDT)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q7HEMp25024017 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 17 Aug 2012 19:52:52 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Fri, 17 Aug 2012 19:52:51 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Gert Doering <gert@space.net>
Date: Fri, 17 Aug 2012 19:52:50 +0530
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: Ac18gwLjpSF2Y6zVSPOkOeCUWTinMwAALM9w
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D063A0F97@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817141128.GR38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F96@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817141714.GS38127@Space.Net>
In-Reply-To: <20120817141714.GS38127@Space.Net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 14:22:57 -0000

It may not always be misconfiguration as suggested by this post.

http://www.ietf.org/mail-archive/web/ipv6/current/msg16245.html

Cheers, Manav

> -----Original Message-----
> From: Gert Doering [mailto:gert@space.net]
> Sent: Friday, August 17, 2012 7:47 PM
> To: Bhatia, Manav (Manav)
> Cc: Gert Doering; opsec@ietf.org
> Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> Hi,
>
> On Fri, Aug 17, 2012 at 07:43:30PM +0530, Bhatia, Manav (Manav) wrote:
> > I believe the thread also says that for various reasons
> > different machines/ports in the network can end up with the
> > same MAC. It's this point that I was alluding to.
>
> That would always be a misconfiguration.
>
> (Not that it does not happen, but it will cause massive
> breakage in other parts, and thus needs fixing, so it makes
> no sense to accept "duplicate MAC" as a valid scenario here).
>
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

From gert@space.net  Fri Aug 17 07:28:59 2012
Return-Path: <gert@space.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68BCB21F8530 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:28:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.467
X-Spam-Level: 
X-Spam-Status: No, score=-2.467 tagged_above=-999 required=5 tests=[AWL=0.132,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1am9ocwPchjh for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 07:28:58 -0700 (PDT)
Received: from mobil.space.net (mobil.Space.Net [IPv6:2001:608:2:81::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7E6CE21F852C for <opsec@ietf.org>; Fri, 17 Aug 2012 07:28:58 -0700 (PDT)
Received: from mobil.space.net (localhost [127.0.0.1]) by mobil.space.net (Postfix) with ESMTP id 6ACEBF8CB2 for <opsec@ietf.org>; Fri, 17 Aug 2012 16:28:57 +0200 (CEST)
X-SpaceNet-Relay: true
Received: from moebius3.space.net (moebius3.Space.Net [IPv6:2001:608:2:2::250]) by mobil.space.net (Postfix) with ESMTPS id 320C4F8CAC for <opsec@ietf.org>; Fri, 17 Aug 2012 16:28:57 +0200 (CEST)
Received: (qmail 68317 invoked by uid 1007); 17 Aug 2012 16:28:57 +0200
Date: Fri, 17 Aug 2012 16:28:57 +0200
From: Gert Doering <gert@space.net>
To: "Bhatia, Manav \(Manav\)" <manav.bhatia@alcatel-lucent.com>
Message-ID: <20120817142857.GU38127@Space.Net>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817141128.GR38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F96@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817141714.GS38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F97@INBANSXCHMBSA1.in.alcatel-lucent.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="AV6bwGDIl1DgWyaJ"
Content-Disposition: inline
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F97@INBANSXCHMBSA1.in.alcatel-lucent.com>
X-NCC-RegID: de.space
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 14:28:59 -0000

--AV6bwGDIl1DgWyaJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

On Fri, Aug 17, 2012 at 07:52:50PM +0530, Bhatia, Manav (Manav) wrote:
> It may not always be misconfiguration as suggested by this post.
>
> http://www.ietf.org/mail-archive/web/ipv6/current/msg16245.html

If it's different Layer2 networks (which is "different BRAS boxes
in widely different locations") it won't do harm.

But the very same article that you quote clearly speaks about
"explicit manufacturing mistakes" and "software errors" - those might
not be "misconfigurations by a human operator", but as far as the
network segment as a whole goes, it's still misconfiguration.

Better to bring them to the open by machines complaining about
duplicate addresses than to think up elaborate schemes to hide the
problems, only to have them show up less clearly in other places.

(We've had duplicate MACs in one of our networks just last month -
misconfiguration of two ESX hosts.  Caused performance problems to
no end, and it was not obvious right away what caused the issue,
as the ESX had no v6, and didn't notice the duplicate)

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

--AV6bwGDIl1DgWyaJ--

From evyncke@cisco.com  Fri Aug 17 08:00:21 2012
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B8C721F865F for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 08:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.423
X-Spam-Level: 
X-Spam-Status: No, score=-10.423 tagged_above=-999 required=5 tests=[AWL=0.176, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qx6X-Z87aIMq for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 08:00:20 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id EB44221F8605 for <opsec@ietf.org>; Fri, 17 Aug 2012 08:00:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=evyncke@cisco.com; l=2430; q=dns/txt; s=iport; t=1345215616; x=1346425216; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=6nB+vSbtSSwGzdda7MmsCf7hwE6zMDxjN+cwO1AVUDg=; b=C1VQW7LK9OAYfa96to52tH7medZ0UJ3ygmI1sw8iAA7YdrEs6fjqbNHX HyyGNloEnd8x4b9tTBmu+djeEhppHCJ0488d+SIrASO8X2vkNxk7zt/X3 pCBxjQ4ttkU90MbOBWnvfNqxhiZSGb+gU2NpJm8rUq4YMTzMUNKd4NJ10 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAPZbLlCtJV2Y/2dsb2JhbABFujqBB4IgAQEBBAEBAQ8BWwsMBAIBCBEEAQEBCh0HJwsUCQgCBAENBQgBGYdrC5looEiLCxqGAWADiBmbYoFmgmCBYQ
X-IronPort-AV: E=Sophos;i="4.77,785,1336348800"; d="scan'208";a="112674803"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-8.cisco.com with ESMTP; 17 Aug 2012 15:00:15 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id q7HF0FYf010983 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 17 Aug 2012 15:00:15 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0298.004; Fri, 17 Aug 2012 10:00:15 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, Gert Doering <gert@space.net>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrAmFSLWLOVUSsdTNMIcYtaJdeJxKAgAAW5oCAAB4cgP//vCpQ
Date: Fri, 17 Aug 2012 15:00:14 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C7FE9@xmb-aln-x02.cisco.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <20120817121121.GJ38127@Space.Net> <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F90@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.185.71]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19120.005
x-tm-as-result: No--49.395900-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 15:00:21 -0000

Manav

First thanks for your interest in our I-D.

Regarding duplicate MAC, there is a vast difference between low-cost CPE
and high-end routers used in the core.

Moreover, if on a specific really broadcast LAN (not broadband access)
there are duplicate MAC addresses, then forget about getting any packet
through ;-) The 'DAD' discussion on another mailing list was not related to
pure Ethernet.

Moreoverover, as you know, OSPFv3 and other IGPs use LLA anyway, so, in
case of duplicate LLA address, you will not get your IGP running correctly.

Last point, in most OS, you can override the default EUI-64 LLA by another
one. I have seen deployments where all PE interfaces were fe80::1 and all
CE interfaces were fe80::2 easy to remember and test ;-)

-éric


> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf
> Of Bhatia, Manav (Manav)
> Sent: vendredi 17 août 2012 15:59
> To: Gert Doering
> Cc: opsec@ietf.org
> Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> Oh, it happens all the time. Any proposal that relies on MACs being
> unique in the network lies on tenuous grounds.
>
> You might want to look at this thread going on in the 6man mailing list.
>
> http://www.ietf.org/mail-archive/web/ipv6/current/msg16222.html
>
> Cheers, Manav
>
> > -----Original Message-----
> > From: Gert Doering [mailto:gert@space.net]
> > Sent: Friday, August 17, 2012 5:41 PM
> > To: Bhatia, Manav (Manav)
> > Cc: opsec@ietf.org
> > Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> >
> > Hi,
> >
> > On Fri, Aug 17, 2012 at 04:19:23PM +0530, Bhatia, Manav (Manav) wrote:
> > > It seems it's common for duplicate MAC addresses to appear
> > > in the network.
> >
> > If that happens to you, you have way bigger problems.
> >
> > Gert Doering
> >         -- NetMaster
> > --
> > have you enabled IPv6 on something today...?
> >
> > SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> > Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> > D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> > Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
> >
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

From lee@asgard.org  Fri Aug 17 08:15:52 2012
Return-Path: <lee@asgard.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 303C311E80D5 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 08:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.73
X-Spam-Level: 
X-Spam-Status: No, score=-1.73 tagged_above=-999 required=5 tests=[AWL=0.869,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6I7GIYk2W9e for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 08:15:51 -0700 (PDT)
Received: from omr4.networksolutionsemail.com (omr4.networksolutionsemail.com [205.178.146.54]) by ietfa.amsl.com (Postfix) with ESMTP id 8D19821E8034 for <opsec@ietf.org>; Fri, 17 Aug 2012 08:15:51 -0700 (PDT)
Received: from cm-omr8 (mail.networksolutionsemail.com [205.178.146.50]) by omr4.networksolutionsemail.com (8.14.4/8.14.4) with ESMTP id q7HFFoqf008201 for <opsec@ietf.org>; Fri, 17 Aug 2012 11:15:50 -0400
Authentication-Results: cm-omr8 smtp.user=lee@asgard.org; auth=pass (LOGIN)
X-Authenticated-UID: lee@asgard.org
Received: from [204.235.115.163] ([204.235.115.163:18490] helo=HDC00042402) by cm-omr8 (envelope-from <lee@asgard.org>) (ecelerity 2.2.2.41 r(31179/31189)) with ESMTPA id 68/42-11452-6206E205; Fri, 17 Aug 2012 11:15:50 -0400
From: "Lee Howard" <lee@asgard.org>
To: "'Mark Andrews'" <marka@isc.org>, "'Warren Kumari'" <warren@kumari.net>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net> <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
In-Reply-To: <20120817001116.AA2D123ABFA7@drugs.dv.isc.org>
Date: Fri, 17 Aug 2012 11:15:49 -0400
Message-ID: <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGGlPLakFxZCTrqhE95LHJwbjJ3AQK/mXl8AqNTmP4CG5HaMANbc19el5UYViA=
Content-Language: en-us
Cc: 'Fernando Gont' <fgont@si6networks.com>, 'v6ops v6ops WG' <v6ops@ietf.org>, opsec@ietf.org
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 15:15:52 -0000

> > > -       1.0 please avoid all discussion about NAPT being
> > > ‘minimal/simple’ security, the days of scanning are over and have
> > > been replaced by malware download/email propagated
> >
> > > This is demonstrably false, and I can send you logs of scanning
> > > attempts foiled by NAPT.  NAT is crap security, but it’s not zero
> > > security.
> >
> > Heretic!
> >
> > Actually, I'd go so far as to drop the "crap" from the above -- while
> > it isn't "real" security (whatever that means) it has become cool to
> > simply beat on the NAT.
>
> But the problem is that people think they need "NAT" as opposed to a
> "stateful firewall with default allow out all, block in all".
> NAPT effectively establishes the latter + munges with addresses and ports.
> It's the state table not the address/port translation that stops scans.

That is true, but is not a flaw in the document.  
The offending text is:
Finally,
   some transition/co-existence mechanisms (notably Teredo) are designed
   to traverse Network Address Translators (NATs), which in many
   deployments provide a minimum level of protection by only allowing
   those instances of communication that have been initiated from the
   internal network.  Thus, these mechanisms might cause an internal
   host with otherwise limited IPv4 connectivity to become globally
   reachable over IPv6, therefore resulting in increased (and possibly
   unexpected) host exposure.  That is, the aforementioned technologies
   might inadvertently allow incoming IPv6 connections from the Internet
   to hosts behind the organizational firewall.

Would you be happy if it said:
   to traverse Network Address Translators (NATs), which, by keeping a
   state table and only allowing inbound packets to hosts which have
   established outbound communication, provide a minimum level of
   protection. . .

I don't think a more thorough discussion of the different risk profiles of
full cone versus symmetric NAT, etc., is warranted here.  I absolutely agree
that networks should have a stateful firewall.  Would you say that a stateful
firewall is *even more important* now (with IPv6 ramping up) than it ever
was before?

> Stateless NAT44 or NAT66 doesn't stop scans.

True.  How is that relevant to a discussion of how unintentional IPv6 may
affect IPv4 networks?

> As for the secretary's desktop how many of them would be owned if LSR was
> being used to scan 192.168/16 through the NAT box?

Fewer than if it were even easier.  Again, not really the point of the
document.

Lee


> 
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org



From mbehring@cisco.com  Fri Aug 17 09:15:10 2012
Return-Path: <mbehring@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3401821F845B for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:15:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LELGd9hMthBt for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:15:09 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 5185D21F844E for <opsec@ietf.org>; Fri, 17 Aug 2012 09:15:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mbehring@cisco.com; l=857; q=dns/txt; s=iport; t=1345220109; x=1346429709; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=W6RdVp1LHJXF3NTMkAi3OUbft29B+TMnc4FCXNDFA8g=; b=iTg2KcCS0BHi+CwUigP4dfpyMFtSNRGek8GNCAMXswigxVGcw0/CvXg9 JSMCNG/i6gNLCOqs8Njd7Leu1hZypfl52Evju4b+75zp8NPc6PUOkpNdK PqfsvXa/lZjRPDw/f3LdPxM19CWKX5wx7z5mYry85YaqP+o1y/Q7oiI79 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAG9tLlCtJXHA/2dsb2JhbAA7Cro9gQeCIAEBAQMBEgEnRAsCAQgiFBAyJQIEARoah2UGmgegSYsbhgtgA6N7gWaCYA
X-IronPort-AV: E=Sophos;i="4.77,785,1336348800"; d="scan'208";a="112691540"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-5.cisco.com with ESMTP; 17 Aug 2012 16:15:09 +0000
Received: from xhc-aln-x07.cisco.com (xhc-aln-x07.cisco.com [173.36.12.81]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id q7HGF8al005178 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 17 Aug 2012 16:15:08 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.3]) by xhc-aln-x07.cisco.com ([173.36.12.81]) with mapi id 14.02.0298.004; Fri, 17 Aug 2012 11:15:08 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrLW6Iov7LYkm03FyyQsg8r5deJxKA///DZwA=
Date: Fri, 17 Aug 2012 16:15:07 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE62E@xmb-rcd-x14.cisco.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.194.30]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19120.005
x-tm-as-result: No--35.389300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 16:15:10 -0000

Manav,

[...]
> It seems it's common for duplicate MAC addresses to appear in the network.
> In that case more than one router would end up with having the same link
> local address. Will this not be an issue?

Duplicate MAC on a link would mess up a lot of things, as Gert also pointed
out. Bottom line: That must not happen (independently of this draft). Across
a network we don't care - it only has to be unique on a link.

> I was also wondering why the draft suggests using loose sequence of IPv6
> prefixes to identify the complete path in RSVP-TE.

Bad wording - sorry. We mean to say: "A possible workaround is to use
routable (non-link local) addresses of each router to identify an explicit
path, along with shared-risk-link-group (to not use a set of common
interfaces)."

Is that clearer?
Michael
Michael

[...]
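
An audit sketch for two points made in this thread: that a link-local address only has to be unique on a link, and that the default EUI-64 LLA can be overridden (fe80::1 on every PE, fe80::2 on every CE). This is an added example, not part of the original messages; the inventory rows, router names, link identifiers and MAC addresses are constructed, and the per-link inventory format is an assumption.

```python
import ipaddress
from collections import defaultdict


def parse_mac(mac):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def eui64_link_local(mac):
    """Modified EUI-64 link-local address: flip the universal/local bit of the
    first octet and insert ff:fe between the two halves of the MAC."""
    o = parse_mac(mac)
    iid = bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def effective_lla(mac, configured):
    """The manually configured LLA if there is one, else the EUI-64 default."""
    if configured is None:
        return eui64_link_local(mac)
    addr = ipaddress.IPv6Address(configured)
    if not addr.is_link_local:
        raise ValueError(f"{configured} is not a link-local address")
    return addr


# Constructed inventory: (router, interface, link id, MAC, configured LLA or None)
INVENTORY = [
    ("pe1", "ge-0/0/1", "link-A", "00:1b:21:3c:4d:5e", "fe80::1"),
    ("ce1", "eth0", "link-A", "00:1b:21:aa:bb:01", "fe80::2"),
    ("pe2", "ge-0/0/1", "link-B", "00:1b:21:3c:4d:5f", "fe80::1"),  # reused on another link
    ("ce2", "eth0", "link-B", "00:1b:21:aa:bb:02", "fe80::2"),
    ("p1", "xe-1/0/0", "link-C", "02:00:5e:10:00:01", None),
    ("p2", "xe-1/0/0", "link-C", "02:00:5e:10:00:01", None),  # duplicate MAC, same link
    ("p3", "xe-1/0/1", "link-D", "02:00:5e:10:00:01", None),  # same MAC, different link
    ("p4", "xe-1/0/1", "link-D", "02:00:5e:10:00:09", None),
    ("h1", "eth0", "link-E", "00:50:56:00:00:aa", "fe80::a"),
    ("h2", "eth0", "link-E", "00-50-56-00-00-AA", "fe80::b"),  # duplicate MAC, distinct LLAs
]


def duplicates_per_link(inventory, key):
    """Group interfaces by link, then by key(mac, configured); keep groups > 1."""
    per_link = defaultdict(lambda: defaultdict(list))
    for router, ifname, link, mac, configured in inventory:
        per_link[link][key(mac, configured)].append(f"{router}:{ifname}")
    result = {}
    for link, groups in per_link.items():
        dup = {k: owners for k, owners in groups.items() if len(owners) > 1}
        if dup:
            result[link] = dup
    return result


def duplicate_llas(inventory):
    """Links where two interfaces would claim the same link-local address."""
    return duplicates_per_link(inventory, lambda mac, cfg: str(effective_lla(mac, cfg)))


def duplicate_macs(inventory):
    """Links where two interfaces share a MAC, whatever their LLA is."""
    return duplicates_per_link(
        inventory, lambda mac, cfg: ":".join(f"{b:02x}" for b in parse_mac(mac)))


if __name__ == "__main__":
    print("duplicate LLAs:", duplicate_llas(INVENTORY))
    print("duplicate MACs:", duplicate_macs(INVENTORY))
```

In the constructed data, link-E has a duplicate MAC that the LLA check alone does not report, because both interfaces carry manually assigned link-local addresses.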



From manav.bhatia@alcatel-lucent.com  Fri Aug 17 09:26:27 2012
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4BCE21F84B6 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:26:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.456
X-Spam-Level: 
X-Spam-Status: No, score=-7.456 tagged_above=-999 required=5 tests=[AWL=-0.857, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnvcA3UEAeEC for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:26:27 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id 1C64321F8491 for <opsec@ietf.org>; Fri, 17 Aug 2012 09:26:26 -0700 (PDT)
Received: from ihemail2.lucent.com (h135-245-2-35.lucent.com [135.245.2.35]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id q7HGQPEx016889 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Aug 2012 11:26:25 -0500 (CDT)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id q7HGQMTn009856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Aug 2012 11:26:25 -0500 (CDT)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q7HGQK2f028747 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 17 Aug 2012 21:56:21 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Fri, 17 Aug 2012 21:56:20 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: "Michael Behringer (mbehring)" <mbehring@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Date: Fri, 17 Aug 2012 21:56:20 +0530
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrLW6Iov7LYkm03FyyQsg8r5deJxKA///DZwCAAEZZ8A==
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D063A0FBF@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE62E@xmb-rcd-x14.cisco.com>
In-Reply-To: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE62E@xmb-rcd-x14.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 16:26:28 -0000

Hi Michael,

RSVP-TE will only use global IPv6 prefixes as OSPF/ISIS traffic engineering LSAs only advertise global v6 addresses. The link local IP addresses are NOT advertised and hence RSVP-TE can never use them.

You can look at rfc 5329 where we clearly say that only global v6 addresses must be used.

Cheers, Manav

> -----Original Message-----
> From: Michael Behringer (mbehring) [mailto:mbehring@cisco.com]
> Sent: Friday, August 17, 2012 9:45 PM
> To: Bhatia, Manav (Manav); opsec@ietf.org
> Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> Manav,
>
> [...]
> > It seems it's common for duplicate MAC addresses to appear in the network.
> > In that case more than one router would end up with having the same
> > link local address. Will this not be an issue?
>
> Duplicate MAC on a link would mess up a lot of things, as
> Gert also pointed out. Bottom line: That must not happen
> (independently of this draft). Across a network we don't care
> - it only has to be unique on a link.
>
> > I was also wondering why the draft suggests using loose sequence of
> > IPv6 prefixes to identify the complete path in RSVP-TE.
>
> Bad wording - sorry. We mean to say: "A possible workaround
> is to use routable (non-link local) addresses of each router
> to identify an explicit path, along with
> shared-risk-link-group (to not use a set of common interfaces)."
>
> Is that clearer?
> Michael
>
> [...]

From mbehring@cisco.com  Fri Aug 17 09:28:47 2012
Return-Path: <mbehring@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404F421F84F3 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:28:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29qscaX+QwGk for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:28:46 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 76C4C21F84C2 for <opsec@ietf.org>; Fri, 17 Aug 2012 09:28:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mbehring@cisco.com; l=2102; q=dns/txt; s=iport; t=1345220919; x=1346430519; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=G41onE81539n5RKaF7kIb04f8rB7PxleJndIKvr/ryI=; b=THQuEuJzII9g+854ONzz/1TMXXKkF1be692bU19TtUu3/DmNbT61LFj5 Dvhsc4b5COrND5/Y9MYnOIsErwyKkDpSpO5kU2aiI354L+F/JIITw9AVY B88xRRtxR6LlKlGz0HXmmauq4JaF5WpRHHyDjAuYZWn1WXrJV5fwrWvey w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAIZwLlCtJXG9/2dsb2JhbAA7Cro9gQeCIAEBAQMBEgEnRAcEAgEIEQQBAQsUCQcyFAkIAgQBEggODIdlBpoIoEOLCxCGC2ADo3uBZoJg
X-IronPort-AV: E=Sophos;i="4.77,785,1336348800"; d="scan'208";a="112706309"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-8.cisco.com with ESMTP; 17 Aug 2012 16:28:39 +0000
Received: from xhc-aln-x12.cisco.com (xhc-aln-x12.cisco.com [173.36.12.86]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id q7HGScrP018424 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 17 Aug 2012 16:28:38 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.3]) by xhc-aln-x12.cisco.com ([173.36.12.86]) with mapi id 14.02.0298.004; Fri, 17 Aug 2012 11:28:38 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrLW6Iov7LYkm03FyyQsg8r5deJxKA///DZwCAAEZZ8IAAAN8A
Date: Fri, 17 Aug 2012 16:28:37 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE713@xmb-rcd-x14.cisco.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE62E@xmb-rcd-x14.cisco.com> <7C362EEF9C7896468B36C9B79200D8350D063A0FBF@INBANSXCHMBSA1.in.alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0FBF@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.194.30]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19120.004
x-tm-as-result: No--52.967200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 16:28:47 -0000

> -----Original Message-----
> From: Bhatia, Manav (Manav) [mailto:manav.bhatia@alcatel-lucent.com]
> Sent: 17 August 2012 18:26
> To: Michael Behringer (mbehring); opsec@ietf.org
> Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> Hi Michael,
>
> RSVP-TE will only use global IPv6 prefixes as OSPF/ISIS traffic engineering
> LSAs only advertise global v6 addresses. The link local IP addresses are NOT
> advertised and hence RSVP-TE can never use them.
>
> You can look at rfc 5329 where we clearly say that only global v6 addresses
> must be used.

Understood, we have clear that link local breaks the current model. My question is: Does it have to be a link address, or could it be a loopback? (And I don't know TE well enough, so this may well not work, looking for education).

Michael

> Cheers, Manav
>=20
> > -----Original Message-----
> > From: Michael Behringer (mbehring) [mailto:mbehring@cisco.com]
> > Sent: Friday, August 17, 2012 9:45 PM
> > To: Bhatia, Manav (Manav); opsec@ietf.org
> > Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> >
> > Manav,
> >
> > [...]
> > > It seems it's common for duplicate MAC addresses to appear in the network.
> > > In that case more than one router would end up with having the same
> > > link local address. Will this not be an issue?
> >
> > Duplicate MAC on a link would mess up a lot of things, as Gert also
> > pointed out. Bottom line: That must not happen (independently of this
> > draft). Across a network we don't care
> > - it only has to be unique on a link.
> >
> > > I was also wondering why the draft suggests using loose sequence of
> > > IPv6 prefixes to identify the complete path in RSVP-TE.
> >
> > Bad wording - sorry. We mean to say: "A possible workaround is to use
> > routable (non-link local) addresses of each router to identify an
> > explicit path, along with shared-risk-link-group (to not use a set of
> > common interfaces)."
> >
> > Is that clearer?
> > Michael
> >
> > [...]
> >
> >
> >

From manav.bhatia@alcatel-lucent.com  Fri Aug 17 09:30:24 2012
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7320D11E80D1 for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.399
X-Spam-Level: 
X-Spam-Status: No, score=-7.399 tagged_above=-999 required=5 tests=[AWL=-0.800, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6g4JCK3n482X for <opsec@ietfa.amsl.com>; Fri, 17 Aug 2012 09:30:23 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) by ietfa.amsl.com (Postfix) with ESMTP id AC83A11E80A5 for <opsec@ietf.org>; Fri, 17 Aug 2012 09:30:23 -0700 (PDT)
Received: from inbansmailrelay1.in.alcatel-lucent.com (h135-250-11-31.lucent.com [135.250.11.31]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id q7HGUJIX020284 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 17 Aug 2012 11:30:22 -0500 (CDT)
Received: from INBANSXCHHUB01.in.alcatel-lucent.com (inbansxchhub01.in.alcatel-lucent.com [135.250.12.32]) by inbansmailrelay1.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q7HGUI06005029 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 17 Aug 2012 22:00:19 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.38]) by INBANSXCHHUB01.in.alcatel-lucent.com ([135.250.12.32]) with mapi; Fri, 17 Aug 2012 22:00:18 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: "Michael Behringer (mbehring)" <mbehring@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Date: Fri, 17 Aug 2012 22:00:20 +0530
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrLW6Iov7LYkm03FyyQsg8r5deJxKA///DZwCAAEZZ8IAAAN8AgAAApxA=
Message-ID: <7C362EEF9C7896468B36C9B79200D8350D063A0FC1@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE62E@xmb-rcd-x14.cisco.com> <7C362EEF9C7896468B36C9B79200D8350D063A0FBF@INBANSXCHMBSA1.in.alcatel-lucent.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE713@xmb-rcd-x14.cisco.com>
In-Reply-To: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE713@xmb-rcd-x14.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.37
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 16:30:24 -0000

It should be a link address as there are link attributes that CSPF uses when computing the RSVP path.

Cheers, Manav

> -----Original Message-----
> From: Michael Behringer (mbehring) [mailto:mbehring@cisco.com]
> Sent: Friday, August 17, 2012 9:59 PM
> To: Bhatia, Manav (Manav); opsec@ietf.org
> Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> > -----Original Message-----
> > From: Bhatia, Manav (Manav) [mailto:manav.bhatia@alcatel-lucent.com]
> > Sent: 17 August 2012 18:26
> > To: Michael Behringer (mbehring); opsec@ietf.org
> > Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> >
> > Hi Michael,
> >
> > RSVP-TE will only use global IPv6 prefixes as OSPF/ISIS traffic
> > engineering LSAs only advertise global v6 addresses. The link local IP
> > addresses are NOT advertised and hence RSVP-TE can never use them.
> >
> > You can look at rfc 5329 where we clearly say that only global v6
> > addresses must be used.
>
> Understood, we have clear that link local breaks the current
> model. My question is: Does it have to be a link address, or
> could it be a loopback? (And I don't know TE well enough, so
> this may well not work, looking for education).
>
> Michael
>
> > Cheers, Manav
> >
> > > -----Original Message-----
> > > From: Michael Behringer (mbehring) [mailto:mbehring@cisco.com]
> > > Sent: Friday, August 17, 2012 9:45 PM
> > > To: Bhatia, Manav (Manav); opsec@ietf.org
> > > Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> > >
> > > Manav,
> > >
> > > [...]
> > > > It seems it's common for duplicate MAC addresses to appear in the network.
> > > > In that case more than one router would end up with having the
> > > > same link local address. Will this not be an issue?
> > >
> > > Duplicate MAC on a link would mess up a lot of things, as Gert also
> > > pointed out. Bottom line: That must not happen (independently of
> > > this draft). Across a network we don't care
> > > - it only has to be unique on a link.
> > >
> > > > I was also wondering why the draft suggests using loose sequence of
> > > > IPv6 prefixes to identify the complete path in RSVP-TE.
> > >
> > > Bad wording - sorry. We mean to say: "A possible workaround is to
> > > use routable (non-link local) addresses of each router to identify
> > > an explicit path, along with shared-risk-link-group (to not use a
> > > set of common interfaces)."
> > >
> > > Is that clearer?
> > > Michael
> > >
> > > [...]

From gvandeve@cisco.com  Sat Aug 18 00:53:00 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C92321F84D9 for <opsec@ietfa.amsl.com>; Sat, 18 Aug 2012 00:53:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.454
X-Spam-Level: 
X-Spam-Status: No, score=-10.454 tagged_above=-999 required=5 tests=[AWL=0.145, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ylMfx3-6CXYq for <opsec@ietfa.amsl.com>; Sat, 18 Aug 2012 00:53:00 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 0949421F84A0 for <opsec@ietf.org>; Sat, 18 Aug 2012 00:52:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=1056; q=dns/txt; s=iport; t=1345276380; x=1346485980; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=5c7tagIthnIDYFFohWpHQGR6UQxRHHcWOCExcvw7o5s=; b=XqPvWLeC33iNmDvE67VNYfqlLVrMc7F1MuWRmqsPaXE+DA1DNvcgSkXu dNmZcM0nVTU4gBnWnAUlUr+7ouoQz2ZYvYLdKpCbTQsth8PpR/QIK19mW UCiMErL+cM9YR0zV607/vXBkZ8FeV1IKoSc3Lf50xKSMkg1pn1q8ez3bS M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAJ9IL1CtJV2c/2dsb2JhbABEuj+BB4IgAQEBBBIBCh0/DAQCAQgOAwQBAQEKFAkHMhQJCAEBBA4FCBqHa5oAoB6LCxqGGGADo3uBZoJggWE
X-IronPort-AV: E=Sophos;i="4.77,790,1336348800"; d="scan'208";a="112925148"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-3.cisco.com with ESMTP; 18 Aug 2012 07:52:59 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id q7I7qx9l016716 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 18 Aug 2012 07:52:59 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0298.004; Sat, 18 Aug 2012 02:52:58 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac18T01ACwflm2isSWu2MfBRi7t6fAANIVgAACShttA=
Date: Sat, 18 Aug 2012 07:52:58 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24076A9B@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com> <502E0D7C.3080504@si6networks.com>
In-Reply-To: <502E0D7C.3080504@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.104.151]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19122.004
x-tm-as-result: No--33.906900-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Aug 2012 07:53:00 -0000

I would be inclined to go for your option #2 and see if there is rough consensus on the point of track.

G/

-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com]
Sent: 17 August 2012 11:23
To: Gunter Van de Velde (gvandeve)
Cc: opsec@ietf.org
Subject: Re: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Hi, Gunter,

On 08/17/2012 05:10 AM, Gunter Van de Velde (gvandeve) wrote:
> I have seen more supportive messages than un-supportive messages on this
> draft.
>
> Once you have updated the draft, we will do a 2 week call for WG
> adoption on the email list.

The only remaining bit to act/decide upon is the track. I've seen mixed opinions on the subject.

Should the wg be polled about adoption on the document, and then decide on the track? Should the poll be about adopting the document *and* about the desired track?

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From fgont@si6networks.com  Sat Aug 18 02:01:57 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00FDE21F855E for <opsec@ietfa.amsl.com>; Sat, 18 Aug 2012 02:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PEIvd7N-7A1z for <opsec@ietfa.amsl.com>; Sat, 18 Aug 2012 02:01:56 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 4E64121F8555 for <opsec@ietf.org>; Sat, 18 Aug 2012 02:01:56 -0700 (PDT)
Received: from [186.134.30.116] (helo=[192.168.123.104]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T2eul-0002xl-GO; Sat, 18 Aug 2012 11:01:51 +0200
Message-ID: <502F59CF.5000801@si6networks.com>
Date: Sat, 18 Aug 2012 06:01:03 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com> <502E0D7C.3080504@si6networks.com> <67832B1175062E48926BF3CB27C49B24076A9B@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B24076A9B@xmb-aln-x12.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Aug 2012 09:01:57 -0000

Hi, Gunter,

On 08/18/2012 04:52 AM, Gunter Van de Velde (gvandeve) wrote:
> I would be inclined to go for your option #2 and see if there is
> rough consensus on the point of track.

Just double-checking: Since the track is going to be part of the poll, I
may leave the track "as is" (bcp), right? -- Thus, based on the outcome
of the poll, I could change the track if necessary.

P.S.: Other than this, I have the next rev ready..

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From gvandeve@cisco.com  Sun Aug 19 13:04:46 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 629F321F85A8 for <opsec@ietfa.amsl.com>; Sun, 19 Aug 2012 13:04:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.459
X-Spam-Level: 
X-Spam-Status: No, score=-10.459 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8q12LbH6xB6N for <opsec@ietfa.amsl.com>; Sun, 19 Aug 2012 13:04:45 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id B96F521F85A0 for <opsec@ietf.org>; Sun, 19 Aug 2012 13:04:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=947; q=dns/txt; s=iport; t=1345406685; x=1346616285; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ibwK7Gzpa5GwOIjK1h8G10Bm/Y5jg3xnSH3iKLtk6Yw=; b=Prh910RZ26n6ZYdFX/hitZ0oM995d3kfGmdYq0GD9/SULDRxJSgKyeaT 3nUH/jJv8Dd8phkv/gnidQhWd6+Z+TrjMuNbMT+kSfptaF/VIkI69vo8M W2vdiBcuhxBCWk1CtAGsIXYLBN4mz9Q4OGOMKpWLqyYeUyuSPH4DMvgw3 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AggFAJdGMVCtJXG9/2dsb2JhbABFhTq1BYEHgiABAQEEEgEnPwwEAgEIDgMEAQEBChQJBzIUCQgBAQQOBQgah2uYPZ8miwsahhhgA6N8gWaCYYFh
X-IronPort-AV: E=Sophos;i="4.77,794,1336348800"; d="scan'208";a="112929960"
Received: from rcdn-core2-2.cisco.com ([173.37.113.189]) by rcdn-iport-1.cisco.com with ESMTP; 19 Aug 2012 20:04:31 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core2-2.cisco.com (8.14.5/8.14.5) with ESMTP id q7JK4Vof007959 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 19 Aug 2012 20:04:31 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.02.0298.004; Sun, 19 Aug 2012 15:04:30 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac18T01ACwflm2isSWu2MfBRi7t6fAANIVgAACShttAADON0gAA+9s0A
Date: Sun, 19 Aug 2012 20:04:29 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24076BE6@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com> <502E0D7C.3080504@si6networks.com> <67832B1175062E48926BF3CB27C49B24076A9B@xmb-aln-x12.cisco.com> <502F59CF.5000801@si6networks.com>
In-Reply-To: <502F59CF.5000801@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.81.14]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19126.001
x-tm-as-result: No--34.801400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2012 20:04:46 -0000

Sounds reasonable if that is what you understood from current discussions in the list.

Ciao,
G/

-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com]
Sent: 18 August 2012 11:01
To: Gunter Van de Velde (gvandeve)
Cc: opsec@ietf.org
Subject: Re: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Hi, Gunter,

On 08/18/2012 04:52 AM, Gunter Van de Velde (gvandeve) wrote:
> I would be inclined to go for your option #2 and see if there is rough
> consensus on the point of track.

Just double-checking: Since the track is going to be part of the poll, I may leave the track "as is" (bcp), right? -- Thus, based on the outcome of the poll, I could change the track if necessary.

P.S.: Other than this, I have the next rev ready..

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From fgont@si6networks.com  Sun Aug 19 16:34:12 2012
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 953E521F8618 for <opsec@ietfa.amsl.com>; Sun, 19 Aug 2012 16:34:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZhs9hmjlAqG for <opsec@ietfa.amsl.com>; Sun, 19 Aug 2012 16:33:56 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 65AB521F8606 for <opsec@ietf.org>; Sun, 19 Aug 2012 16:33:56 -0700 (PDT)
Received: from 186.1.226.185.nortech.com.ar ([186.1.226.185] helo=[192.168.2.107]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1T3F09-0007xL-RL; Mon, 20 Aug 2012 01:33:50 +0200
Message-ID: <50317796.9000405@si6networks.com>
Date: Sun, 19 Aug 2012 20:32:38 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
References: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com> <502E0D7C.3080504@si6networks.com> <67832B1175062E48926BF3CB27C49B24076A9B@xmb-aln-x12.cisco.com> <502F59CF.5000801@si6networks.com> <67832B1175062E48926BF3CB27C49B24076BE6@xmb-aln-x12.cisco.com>
In-Reply-To: <67832B1175062E48926BF3CB27C49B24076BE6@xmb-aln-x12.cisco.com>
X-Enigmail-Version: 1.5a1pre
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2012 23:34:12 -0000

Hi, Gunter,

Regarding the track, there have been mixed opinions on what would be the
appropriate track. However, my feeling is that this is to some extent a
secondary issue (after all, the track can always be changed at a later
time).

That said, the wg can be polled about the proper track during the call
for adoption, and, if there's consensus on adoption of the document, but
lack of consensus on a proper track, we can fall back to
"Informational", and that's it. (i.e., the track is not "cast in stone").

P.S.: I will resubmit the I-D such that you can perform the call for
adoption.

Thanks!

Best regards,
Fernando




On 08/19/2012 05:04 PM, Gunter Van de Velde (gvandeve) wrote:
> Sounds reasonable if that is what you understood from current discussions in the list.
> 
> Ciao,
> G/
> 
> -----Original Message-----
> From: Fernando Gont [mailto:fgont@si6networks.com] 
> Sent: 18 August 2012 11:01
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org
> Subject: Re: draft-gont-opsec-ipv6-implications-on-ipv4-nets
> 
> Hi, Gunter,
> 
> On 08/18/2012 04:52 AM, Gunter Van de Velde (gvandeve) wrote:
>> I would be inclined to go for your option #2 and see if there is rough 
>> consensus on the point of track.
> 
> Just double-checking: Since the track is going to be part of the poll, I may leave the track "as is" (bcp), right? -- Thus, based on the outcome of the poll, I could change the track if necessary.
> 
> P.S.: Other than this, I have the next rev ready..
> 
> Thanks!
> 
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From mbehring@cisco.com  Mon Aug 20 01:30:52 2012
Return-Path: <mbehring@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 857A021F86B8 for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 01:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.479
X-Spam-Level: 
X-Spam-Status: No, score=-10.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJwef5Sg1vRE for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 01:30:51 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 9746F21F86AD for <opsec@ietf.org>; Mon, 20 Aug 2012 01:30:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mbehring@cisco.com; l=3304; q=dns/txt; s=iport; t=1345451451; x=1346661051; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=sJBDEm1hZJkIf7SEVhZYLIsesassyVoprsubyo5GHxw=; b=JXhMGsYA7HkDOoTDv5/KMfC/v3aKLXc5Nwi2N0nEZT1hBX2B/cX/guTT wiLGYY2Ij9e/HzGdZk4Kpfjotr77VUqJ9Rz6od/4eTUIlg0ikxdqksXZc hFlnpyk1khGfna/eoToK5u9sApUVC47ZgbD0rdYzLR5FKK2x/CZVOa5GP g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAIf0MVCtJXHB/2dsb2JhbAA7CrpHgQeCIAEBAQQSASdLBAIBCBEEAQELFAkHMhQJCAIEARIIDgyHa5hdn02LCxCGImADo3yBZoJh
X-IronPort-AV: E=Sophos;i="4.77,796,1336348800"; d="scan'208";a="113254316"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-2.cisco.com with ESMTP; 20 Aug 2012 08:30:51 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id q7K8UpdW027059 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 20 Aug 2012 08:30:51 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.3]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.02.0298.004; Mon, 20 Aug 2012 03:30:50 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
Thread-Index: AQHNfFYrLW6Iov7LYkm03FyyQsg8r5deJxKA///DZwCAAEZZ8IAAAN8AgAAApxCABC/UAA==
Date: Mon, 20 Aug 2012 08:30:49 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EFBD5@xmb-rcd-x14.cisco.com>
References: <20120817085532.28295.20004.idtracker@ietfa.amsl.com> <7C362EEF9C7896468B36C9B79200D8350D063A0F2B@INBANSXCHMBSA1.in.alcatel-lucent.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE62E@xmb-rcd-x14.cisco.com> <7C362EEF9C7896468B36C9B79200D8350D063A0FBF@INBANSXCHMBSA1.in.alcatel-lucent.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF0F4EE713@xmb-rcd-x14.cisco.com> <7C362EEF9C7896468B36C9B79200D8350D063A0FC1@INBANSXCHMBSA1.in.alcatel-lucent.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350D063A0FC1@INBANSXCHMBSA1.in.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.194.18]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19126.004
x-tm-as-result: No--57.752800-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2012 08:30:52 -0000

If the requirement for RSVP-TE is definitely to have a ROUTABLE address ON THE LINK, then this looks like a reason not to use the approach described.

I'll do some more digging to see whether there are workarounds, but if not, let's just be more explicit in that paragraph.

Michael

> -----Original Message-----
> From: Bhatia, Manav (Manav) [mailto:manav.bhatia@alcatel-lucent.com]
> Sent: 17 August 2012 18:30
> To: Michael Behringer (mbehring); opsec@ietf.org
> Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
>
> It should be a link address as there are link attributes that CSPF uses when
> computing the RSVP path.
>
> Cheers, Manav
>
> > -----Original Message-----
> > From: Michael Behringer (mbehring) [mailto:mbehring@cisco.com]
> > Sent: Friday, August 17, 2012 9:59 PM
> > To: Bhatia, Manav (Manav); opsec@ietf.org
> > Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> >
> > > -----Original Message-----
> > > From: Bhatia, Manav (Manav) [mailto:manav.bhatia@alcatel-lucent.com]
> > > Sent: 17 August 2012 18:26
> > > To: Michael Behringer (mbehring); opsec@ietf.org
> > > Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> > >
> > > Hi Michael,
> > >
> > > RSVP-TE will only use global IPv6 prefixes as OSPF/ISIS traffic
> > > engineering LSAs only advertise global v6 addresses. The link local IP
> > > addresses are NOT advertised and hence RSVP-TE can never use them.
> > >
> > > You can look at rfc 5329 where we clearly say that only global v6
> > > addresses must be used.
> >
> > Understood, we are clear that link local breaks the current model. My
> > question is: Does it have to be a link address, or could it be a
> > loopback? (And I don't know TE well enough, so this may well not work,
> > looking for education).
> >
> > Michael
> >
> > > Cheers, Manav
> > >
> > > > -----Original Message-----
> > > > From: Michael Behringer (mbehring) [mailto:mbehring@cisco.com]
> > > > Sent: Friday, August 17, 2012 9:45 PM
> > > > To: Bhatia, Manav (Manav); opsec@ietf.org
> > > > Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-00.txt
> > > >
> > > > Manav,
> > > >
> > > > [...]
> > > > > It seems it's common for duplicate MAC addresses to appear in the network.
> > > > > In that case more than one router would end up with having the
> > > > > same link local address. Will this not be an issue?
> > > >
> > > > Duplicate MAC on a link would mess up a lot of things, as Gert also
> > > > pointed out. Bottom line: That must not happen (independently of
> > > > this draft). Across a network we don't care
> > > > - it only has to be unique on a link.
> > > >
> > > > > I was also wondering why the draft suggests using loose sequence of
> > > > > IPv6 prefixes to identify the complete path in RSVP-TE.
> > > >
> > > > Bad wording - sorry. We mean to say: "A possible workaround is to
> > > > use routable (non-link local) addresses of each router to identify
> > > > an explicit path, along with shared-risk-link-group (to not use a
> > > > set of common interfaces)."
> > > >
> > > > Is that clearer?
> > > > Michael
> > > >
> > > > [...]
> > > >
> > > >
> > > >
> >

From warren@kumari.net  Mon Aug 20 01:54:41 2012
Return-Path: <warren@kumari.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E795821F8691; Mon, 20 Aug 2012 01:54:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QY0JIDb62JA1; Mon, 20 Aug 2012 01:54:40 -0700 (PDT)
Received: from vimes.kumari.net (vimes.kumari.net [198.186.192.250]) by ietfa.amsl.com (Postfix) with ESMTP id BA3F221F8682; Mon, 20 Aug 2012 01:54:36 -0700 (PDT)
Received: from [192.168.202.132] (unknown [74.125.121.33]) by vimes.kumari.net (Postfix) with ESMTPSA id AE6FA1B4085C; Mon, 20 Aug 2012 04:54:35 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=windows-1252
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
Date: Mon, 20 Aug 2012 04:11:45 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <DF5CA73B-5535-4ADC-9D95-6468F6413E1A@kumari.net>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <97EB7536A2B2C549846804BBF3FD47E10C3A2A@xmb-aln-x02.cisco.com> <001f01cd7a4e$d05c7390$71155ab0$@asgard.org> <EDA14A02-F441-44AA-B54A-FE0FE8C8C5B8@kumari.net> <20120817001116.AA2D123ABFA7@drugs.dv.isc.org> <000001cd7c8b$2fb8a1e0$8f29e5a0$@asgard.org>
To: Lee Howard <lee@asgard.org>
X-Mailer: Apple Mail (2.1278)
Cc: 'Fernando Gont' <fgont@si6networks.com>, 'v6ops v6ops WG' <v6ops@ietf.org>, Warren Kumari <warren@kumari.net>, opsec@ietf.org, 'Mark Andrews' <marka@isc.org>
Subject: Re: [OPSEC] [v6ops] 3 Volunteers wanted - Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2012 08:54:41 -0000

On Aug 17, 2012, at 11:15 AM, Lee Howard wrote:

>>>> -       1.0 please avoid all discussion about NAPT being ‘minimal/simple’
>>>> security, the days of scanning are over and have been replaced by
>>>> malware download/email propagated
>>>
>>>> This is demonstrably false, and I can send you logs of scanning attempts
>>>> foiled by NAPT.  NAT is crap security, but it’s not zero security.
>>>
>>> Heretic!
>>>
>>> Actually, I'd go so far as to drop the "crap" from the above -- while
>>> it isn't "real" security (whatever that means) it has become cool to
>>> simply beat on the NAT.
>>
>> But the problem is that people think they need "NAT" as opposed to a
>> "stateful firewall with default allow out all, block in all".
>> NAPT effectively establishes the latter + munges with addresses and ports.
>> It's the state table not the address/port translation that stops scans.
>=20
> That is true, but is not a flaw in the document.
> The offending text is:
> Finally,
>   some transition/co-existence mechanisms (notably Teredo) are designed
>   to traverse Network Address Translators (NATs), which in many
>   deployments provide a minimum level of protection by only allowing
>   those instances of communication that have been initiated from the
>   internal network.  Thus, these mechanisms might cause an internal
>   host with otherwise limited IPv4 connectivity to become globally
>   reachable over IPv6, therefore resulting in increased (and possibly
>   unexpected) host exposure.  That is, the aforementioned technologies
>   might inadvertently allow incoming IPv6 connections from the Internet
>   to hosts behind the organizational firewall.
>
> Would you be happy if it said:
>   to traverse Network Address Translators (NATs), which, by keeping a
>   state table and only allowing inbound packets to hosts which have
>   established outbound communication, provides a minimum level of
>   protection. . .
>
<no-hats>

Personally I'm fine with either….

I was just mumbling, don't have any particularly strong feelings on this…

</no-hats>


> I don't think a more thorough discussion of the different risk profiles of
> full cone versus symmetric NAT, etc., is warranted here.  I absolutely agree
> that networks should have a stateful firewall.  Would you say that a stateful
> firewall is *even more important* now (with IPv6 ramping up) than it ever
> was before?
>
>> Stateless NAT44 or NAT66 doesn't stop scans.
>
> True.  How is that relevant to a discussion of how unintentional IPv6 may
> affect IPv4 networks?
>
>> As for the secretary's desktop how many of them would be owned if LSR was
>> being used to scan 192.168/16 through the NAT box?
>
> Fewer than if it were even easier.  Again, not really the point of the
> document.
>
> Lee
>
>
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
>
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>

--
"He who laughs last, thinks slowest."
    -- Anonymous
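
Added example, not part of any message in this thread: a toy Python model of the point made above that the state table, not the address/port translation, is what drops unsolicited inbound probes. All addresses, ports and class names are constructed for illustration, and the NAPT is assumed to filter on remote address and port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed documentation addresses; nothing here comes from the thread.
SERVER, SCANNER = "203.0.113.10", "203.0.113.66"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default allow out, block in; addresses are left untouched."""
    def __init__(self):
        self.flows = set()
    def outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p
    def inbound(self, p):
        # Deliver only the reverse direction of a flow an inside host opened.
        return p if (p.dst, p.dport, p.src, p.sport) in self.flows else None

class StatefulNAPT:
    """Port-translating NAT: the same state table plus address/port rewriting."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.by_inside, self.by_outside = {}, {}
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_outside[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.by_inside[key], p.dst, p.dport)
    def inbound(self, p):
        hit = self.by_outside.get((p.dport, p.src, p.sport))
        if p.dst != self.public_ip or hit is None:
            return None  # no matching state entry: dropped
        return Packet(p.src, p.sport, hit[0], hit[1])

class StatelessNAT:
    """1:1 prefix translation (NAT44/NAT66 style) with no per-flow state."""
    def __init__(self, inside_net, outside_net):
        self.inside = ip_network(inside_net)
        self.outside = ip_network(outside_net)
    @staticmethod
    def _remap(addr, frm, to):
        a = ip_address(addr)
        if a not in frm:
            return None
        return str(to.network_address + (int(a) - int(frm.network_address)))
    def outbound(self, p):
        src = self._remap(p.src, self.inside, self.outside)
        return Packet(src, p.sport, p.dst, p.dport) if src else None
    def inbound(self, p):
        # Every packet to a mapped address is rewritten and forwarded.
        dst = self._remap(p.dst, self.outside, self.inside)
        return Packet(p.src, p.sport, dst, p.dport) if dst else None

def probes_reaching_inside(device, target, ports):
    """Send one unsolicited probe per port; list the (host, port) pairs reached."""
    reached = []
    for port in ports:
        out = device.inbound(Packet(SCANNER, 55555, target, port))
        if out is not None:
            reached.append((out.dst, out.dport))
    return reached

def run_demo():
    # name -> (device, inside host address, address the outside world sees)
    scenarios = {
        "stateful NAPT": (StatefulNAPT("198.51.100.1"),
                          "192.168.0.10", "198.51.100.1"),
        "stateless 1:1 NAT": (StatelessNAT("192.168.0.0/24", "198.51.100.0/24"),
                              "192.168.0.10", "198.51.100.10"),
        "stateful firewall, no NAT": (StatefulFirewall(),
                                      "198.51.100.10", "198.51.100.10"),
    }
    results = {}
    for name, (device, host, outside_addr) in scenarios.items():
        # The inside host opens one flow; the server's reply must come back.
        wire = device.outbound(Packet(host, 51000, SERVER, 443))
        reply = device.inbound(Packet(SERVER, 443, wire.src, wire.sport))
        # The probe sweep also targets the port the live flow is using.
        ports = (22, 445, 3389, wire.sport)
        results[name] = {
            "reply_delivered": reply is not None
                               and (reply.dst, reply.dport) == (host, 51000),
            "probes_reached": probes_reaching_inside(device, outside_addr, ports),
        }
    return results

if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:27} reply ok: {r['reply_delivered']}  "
              f"probes reaching inside: {r['probes_reached']}")
```

The two stateful devices behave identically toward the probe sweep, with and without translation; the stateless translator forwards every probe.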



From gvandeve@cisco.com  Mon Aug 20 04:17:32 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8493D21F85AD for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 04:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.473
X-Spam-Level: 
X-Spam-Status: No, score=-10.473 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B29nJFCJR35V for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 04:17:31 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id B5E4521F85AF for <opsec@ietf.org>; Mon, 20 Aug 2012 04:17:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=2161; q=dns/txt; s=iport; t=1345461451; x=1346671051; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+LLlU1wSkoB2hzuY9rTO3hdkfdCGUAsgu31mefu2OrI=; b=XtyfS0zxOiUvz31Ls72+vhdRtUnbQNxRyaruN5CI8746OGrDroAwcu3K BUwiGE4x7QiCR0vEiaLKXh/XzMxl3RsyXKEcqUclvHrQOIPZo+Krdca2p Ao+oLZZgR4aU0xa8LAjrNnObs9K8I1fd99z+9tm6gtxe/mS/yChhKELNO g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAGUcMlCtJXHA/2dsb2JhbABFukmBB4IgAQEBBBIBCh0/DAQCAQgOAwQBAQEKFAkHMhQJCAIEDgUIGodrmGSfWYsLGoYYYAOjfIFmgmGBYQ
X-IronPort-AV: E=Sophos;i="4.77,796,1336348800"; d="scan'208";a="113095671"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-1.cisco.com with ESMTP; 20 Aug 2012 11:17:31 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id q7KBHV3I015114 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 20 Aug 2012 11:17:31 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0298.004; Mon, 20 Aug 2012 06:17:31 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: draft-gont-opsec-ipv6-implications-on-ipv4-nets
Thread-Index: Ac18T01ACwflm2isSWu2MfBRi7t6fAANIVgAACShttAADON0gAA+9s0AABHEXQAADiKR8A==
Date: Mon, 20 Aug 2012 11:17:30 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24076F22@xmb-aln-x12.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240761BE@xmb-aln-x12.cisco.com> <502E0D7C.3080504@si6networks.com> <67832B1175062E48926BF3CB27C49B24076A9B@xmb-aln-x12.cisco.com> <502F59CF.5000801@si6networks.com> <67832B1175062E48926BF3CB27C49B24076BE6@xmb-aln-x12.cisco.com> <50317796.9000405@si6networks.com>
In-Reply-To: <50317796.9000405@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.80.39]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19126.006
x-tm-as-result: No--45.592400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] draft-gont-opsec-ipv6-implications-on-ipv4-nets
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2012 11:17:32 -0000

Sounds like a plan.

G/

-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com]
Sent: 20 August 2012 01:33
To: Gunter Van de Velde (gvandeve)
Cc: opsec@ietf.org
Subject: Re: draft-gont-opsec-ipv6-implications-on-ipv4-nets

Hi, Gunter,

Regarding the track, there have been mixed opinions on what would be the appropriate track. However, my feeling is that this is to some extent a secondary issue (after all, the track can always be changed at a later time).

That said, the wg can be polled about the proper track during the call for adoption, and, if there's consensus on adoption of the document, but lack of consensus on a proper track, we can fall back to "Informational", and that's it. (i.e., the track is not "cast in stone").

P.S.: I will resubmit the I-D such that you can perform the call for adoption.

Thanks!

Best regards,
Fernando




On 08/19/2012 05:04 PM, Gunter Van de Velde (gvandeve) wrote:
> Sounds reasonable if that is what you understood from current discussions in the list.
>
> Ciao,
> G/
>
> -----Original Message-----
> From: Fernando Gont [mailto:fgont@si6networks.com]
> Sent: 18 August 2012 11:01
> To: Gunter Van de Velde (gvandeve)
> Cc: opsec@ietf.org
> Subject: Re: draft-gont-opsec-ipv6-implications-on-ipv4-nets
>
> Hi, Gunter,
>
> On 08/18/2012 04:52 AM, Gunter Van de Velde (gvandeve) wrote:
>> I would be inclined to go for your option #2 and see if there is
>> rough consensus on the point of track.
>
> Just double-checking: Since the track is going to be part of the poll, I may leave the track "as is" (bcp), right? -- Thus, based on the outcome of the poll, I could change the track if necessary.
>
> P.S.: Other than this, I have the next rev ready..
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>


--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




From gvandeve@cisco.com  Mon Aug 20 04:45:12 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8FC21F8617 for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 04:45:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.449
X-Spam-Level: 
X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LthOxmAkMKb5 for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 04:45:11 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id B0E8E21F8600 for <opsec@ietf.org>; Mon, 20 Aug 2012 04:45:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=4421; q=dns/txt; s=iport; t=1345463111; x=1346672711; h=from:to:cc:subject:date:message-id:mime-version; bh=E/UviK2J8cp7xskhWtgpyFYp3OW62icNG4M3dQRst7M=; b=PgwRQdEdj8WOtEHTkEfSQyyUIfEVUBlkFxDttVk0n8fDJ+eaK+8nXx+/ D5P5WscPPnWv/J9IbHy4PYOjG5tKXsW/XMSHxbpgk9bpMj5j/eePgaEGz B+euyxT1lvJ6WFYRLdiYLKQbrd6XCJsSxYTBRq6DgZw/GS5BIF9XPUpqI Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhsGAO4iMlCtJV2Y/2dsb2JhbABFgkqGFqBViEeGIYIsgQeCIgEEEgEKEEwSASpWJgEEDg0ah2sLmFefXpE9YAOWZI0YgWaCYQ
X-IronPort-AV: E=Sophos;i="4.77,796,1336348800";  d="scan'208,217";a="113323747"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-8.cisco.com with ESMTP; 20 Aug 2012 11:45:11 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id q7KBjBdB032599 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 20 Aug 2012 11:45:11 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.02.0283.003; Mon, 20 Aug 2012 06:45:10 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: Call for WG adoption - draft-vyncke-opsec-v6-01
Thread-Index: Ac1+xz7voMRA3STDRSelbTsWNFP4aw==
Date: Mon, 20 Aug 2012 11:45:10 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24077045@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.80.39]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19126.004
x-tm-as-result: No--34.336300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B24077045xmbalnx12ciscocom_"
MIME-Version: 1.0
Cc: "draft-vyncke-opsec-v6-01@tools.ietf.org" <draft-vyncke-opsec-v6-01@tools.ietf.org>
Subject: [OPSEC] Call for WG adoption - draft-vyncke-opsec-v6-01
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2012 11:45:12 -0000

--_000_67832B1175062E48926BF3CB27C49B24077045xmbalnx12ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear WG,

During the latest OPSEC meeting the draft draft-vyncke-opsec-v6-01 was presented.
The document received positive feedback from the people that read the document.

To give more people the chance to read the document before asking on the WG list for adoption it was agreed to wait about three weeks to give that chance.

Current document: http://datatracker.ietf.org/doc/draft-vyncke-opsec-v6/

Kindly provide feedback on this document during the next two weeks for adoption of this work as WG document. Unless major issues with the document are identified in that period, this document will be accepted as WG document.

Kind Regards,
G/

--_000_67832B1175062E48926BF3CB27C49B24077045xmbalnx12ciscocom_--

From tsbsg17@itu.int  Mon Aug 20 12:32:05 2012
Return-Path: <tsbsg17@itu.int>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 067B421F8606 for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 12:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VrlMmrrEL+1M for <opsec@ietfa.amsl.com>; Mon, 20 Aug 2012 12:32:04 -0700 (PDT)
Received: from kapur.svc.unicc.org (kapur.svc.unicc.org [193.194.138.75]) by ietfa.amsl.com (Postfix) with ESMTP id A1A7F21F8617 for <opsec@ietf.org>; Mon, 20 Aug 2012 12:32:03 -0700 (PDT)
Received: from chicha.svc.unicc.org (chicha.svc.unicc.org [192.168.202.41]) by kapur.svc.unicc.org (Switch-3.1.7/Switch-3.1.7) with ESMTP id q7KJVudD012314; Mon, 20 Aug 2012 21:31:56 +0200
Received: from judas.svc.unicc.org (localhost.localdomain [127.0.0.1]) by chicha.svc.unicc.org (Switch-3.1.7/Switch-3.1.7) with ESMTP id q7KJVuGW030727; Mon, 20 Aug 2012 21:31:56 +0200
Received: from mailweb.itu.int ([10.81.6.60]) by judas.svc.unicc.org (Switch-3.1.7/Switch-3.1.7) with ESMTP id q7KJVuEV011091; Mon, 20 Aug 2012 21:31:56 +0200
Received: from TUCHM07.TUECSP.UNICC.ORG ([169.254.4.209]) by TUCHM01.TUECSP.UNICC.ORG ([169.254.3.159]) with mapi id 14.02.0298.004; Mon, 20 Aug 2012 19:31:55 +0000
From: "TSBSG17, ITU" <tsbsg17@itu.int>
To: Liaison Statement Management Tool <lsmt@ietf.org>, "TSBSG17, ITU" <tsbsg17@itu.int>, "Euchner, Martin" <martin.euchner@itu.int>
Thread-Topic: New Liaison Statement,	"Response to Liaison on the IPv6 Security Guideline - ITU-T Question	2/17"
Thread-Index: AQHNfuS+D8qJ2r4zpUG1pdfY421hxZdjFjmg
Date: Mon, 20 Aug 2012 19:31:54 +0000
Message-ID: <B72A74C7BD9037449D960DEC0E42C8BF4EDFE514@TUCHM07.TUECSP.UNICC.ORG>
References: <20120820150155.26390.971.idtracker@ietfa.amsl.com>
In-Reply-To: <20120820150155.26390.971.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.81.64.160]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 20 Aug 2012 23:14:36 -0700
Cc: "ko-nakao@kddi.com" <ko-nakao@kddi.com>, Eliot Lear <lear@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, Warren Kumari <warren@kumari.net>, "kremer@rans.ru" <kremer@rans.ru>
Subject: Re: [OPSEC] New Liaison Statement, "Response to Liaison on the IPv6 Security Guideline - ITU-T Question	2/17"
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 04:48:26 -0000

From fernando.gont.netbook.win@gmail.com  Tue Aug 21 04:20:10 2012
Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5621E21F866A for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 04:20:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4r4o4jV9FW3 for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 04:20:09 -0700 (PDT)
Received: from mail-gg0-f172.google.com (mail-gg0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id B391D21F8668 for <opsec@ietf.org>; Tue, 21 Aug 2012 04:20:09 -0700 (PDT)
Received: by ggnh4 with SMTP id h4so6305111ggn.31 for <opsec@ietf.org>; Tue, 21 Aug 2012 04:20:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:x-forwarded-message-id :content-type:content-transfer-encoding; bh=6MNXWUG09vnt/M5jPVVjnBdYWrAIaYmXlp6enqK3COk=; b=E9N0g1lkLRKiayFqZf4i5DCD4ZKWgG2QV636dI71ZQ+FQH+9p76IIGxrTuH1LfVOoo uWDzbudBecS4Gaaxgs2h05faYaZZMnJ+WgXMUqNXOMpoIwgWVUMCVCp9jmr7hSfGfxKp /3kv44VsMyTfh70injbgslbry42zKn6bf8wE9CUoEk7W2iEDjOd1BCWPJYL6oZRFUcox 8XN0oFuRZ6i0zUZNuV24ksjxDga0RlMEv/gzS14KJaWmNJr660gU1sUKJ2XcS1+eTJNK EFnBdifRhGUW7GkStsQ/N0L/z9nHrHYWkVOqtxznHb2eOzqa4HZsw4fGMbMLR7V7VUnN qauw==
Received: by 10.236.187.1 with SMTP id x1mr280292yhm.125.1345548009103; Tue, 21 Aug 2012 04:20:09 -0700 (PDT)
Received: from [192.168.123.104] ([186.134.19.19]) by mx.google.com with ESMTPS id t39sm889335anh.3.2012.08.21.04.20.05 (version=SSLv3 cipher=OTHER); Tue, 21 Aug 2012 04:20:07 -0700 (PDT)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <50336EBA.1080105@gont.com.ar>
Date: Tue, 21 Aug 2012 08:19:22 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "'opsec@ietf.org'" <opsec@ietf.org>
References: <20120821111757.8846.20372.idtracker@ietfa.amsl.com>
In-Reply-To: <20120821111757.8846.20372.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.5a1pre
X-Forwarded-Message-Id: <20120821111757.8846.20372.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: opsec chairs <opsec-chairs@tools.ietf.org>
Subject: [OPSEC] New Rev of draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 11:20:10 -0000

Folks,

FYI, I have posted a new rev of the aforementioned I-D, which is meant
to address the feedback I have received so far.

This version should be ready for the formal wg call for adoption.

Thanks!

Best regards,
Fernando




-------- Original Message --------
Subject: New Version Notification for
draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
Date: Tue, 21 Aug 2012 04:17:57 -0700
From: internet-drafts@ietf.org
To: fernando@gont.com.ar


A new version of I-D, draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.

Filename:	 draft-gont-opsec-ipv6-implications-on-ipv4-nets
Revision:	 02
Title:		 Security Implications of IPv6 on IPv4 Networks
Creation date:	 2012-08-21
WG ID:		 Individual Submission
Number of pages: 18
URL:
http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
Status:
http://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-implications-on-ipv4-nets
Htmlized:
http://tools.ietf.org/html/draft-gont-opsec-ipv6-implications-on-ipv4-nets-02
Diff:
http://www.ietf.org/rfcdiff?url2=draft-gont-opsec-ipv6-implications-on-ipv4-nets-02

Abstract:
   This document discusses the security implications of native IPv6
   support and IPv6 transition/co-existence technologies on "IPv4-only"
   networks, and describes possible mitigations for the aforementioned
   issues.





The IETF Secretariat





From gvandeve@cisco.com  Tue Aug 21 04:27:19 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7085421F8682 for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 04:27:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.433
X-Spam-Level: 
X-Spam-Status: No, score=-10.433 tagged_above=-999 required=5 tests=[AWL=0.166, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CECJcKLVJfC8 for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 04:27:18 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id A8AB321F856F for <opsec@ietf.org>; Tue, 21 Aug 2012 04:27:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gvandeve@cisco.com; l=2343; q=dns/txt; s=iport; t=1345548438; x=1346758038; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Pxw2Hx31EDsEIRDwufjP3b+BgrTDUoovDTE7JzvUgeg=; b=lo4Q0WzNUyDB7gSV7C75Xy51l9y4B+rXvZZ4D1WhN6o7JtvJ9dXEN6a8 KCj17JiAu6V0TU7nlLnWnbrw9brPY9+AsK46mwa/WTuqdKoMw90rgwUr8 29emXY/FmxT6+/FYo/kTSOdMnXbSFkM7Iygz9RPVNDYVNslH6z7YRoS1m I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EADZwM1CtJV2Y/2dsb2JhbABFul+BB4IgAQEBBAEBAQ8BCh00CwwEAgEIEQMBAQELFAkHJwsUCQgCBAENBQgBGYdrC5h/oDWLCIY8YAOWZo0ZgWaCYQ
X-IronPort-AV: E=Sophos;i="4.77,802,1336348800"; d="scan'208";a="113713924"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-6.cisco.com with ESMTP; 21 Aug 2012 11:27:18 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id q7LBRIsY025655 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 21 Aug 2012 11:27:18 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.02.0283.003; Tue, 21 Aug 2012 06:27:17 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Fernando Gont <fernando@gont.com.ar>, "'opsec@ietf.org'" <opsec@ietf.org>
Thread-Topic: [OPSEC] New Rev of draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
Thread-Index: AQHNf47wjfVm1Ww1L02M21WjyxEjMZdkHuYQ
Date: Tue, 21 Aug 2012 11:27:17 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24077F08@xmb-aln-x12.cisco.com>
References: <20120821111757.8846.20372.idtracker@ietfa.amsl.com> <50336EBA.1080105@gont.com.ar>
In-Reply-To: <50336EBA.1080105@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.100.21]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19128.004
x-tm-as-result: No--37.617400-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: opsec chairs <opsec-chairs@tools.ietf.org>
Subject: Re: [OPSEC] New Rev of	draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 11:27:19 -0000

With this note the OPSEC chairs would like to probe for WG adoption.

During the course of events and discussion on the WG mailing list, this
document has been seen as valuable for the WG to adopt as a work item.

2 questions need to be addressed:

1. Please find 2 weeks to provide feedback on this draft. Please say yes/no on WG adoption.
2. Should this be BCP or Informational track?

G/

-----Original Message-----
From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Fernando Gont
Sent: 21 August 2012 13:19
To: 'opsec@ietf.org'
Cc: opsec chairs
Subject: [OPSEC] New Rev of draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt

Folks,

FYI, I have posted a new rev of the aforementioned I-D, which is meant to
address the feedback I have received so far.

This version should be ready for the formal wg call for adoption.

Thanks!

Best regards,
Fernando




-------- Original Message --------
Subject: New Version Notification for
draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
Date: Tue, 21 Aug 2012 04:17:57 -0700
From: internet-drafts@ietf.org
To: fernando@gont.com.ar


A new version of I-D, draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.

Filename:	 draft-gont-opsec-ipv6-implications-on-ipv4-nets
Revision:	 02
Title:		 Security Implications of IPv6 on IPv4 Networks
Creation date:	 2012-08-21
WG ID:		 Individual Submission
Number of pages: 18
URL:
http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
Status:
http://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-implications-on-ipv4-nets
Htmlized:
http://tools.ietf.org/html/draft-gont-opsec-ipv6-implications-on-ipv4-nets-02
Diff:
http://www.ietf.org/rfcdiff?url2=draft-gont-opsec-ipv6-implications-on-ipv4-nets-02

Abstract:
   This document discusses the security implications of native IPv6
   support and IPv6 transition/co-existence technologies on "IPv4-only"
   networks, and describes possible mitigations for the aforementioned
   issues.





The IETF Secretariat




_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec

From gvandeve@cisco.com  Tue Aug 21 04:29:44 2012
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F261D21F8628 for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 04:29:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.476
X-Spam-Level: 
X-Spam-Status: No, score=-10.476 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01GoIesdlgnR for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 04:29:44 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 6F77221F856F for <opsec@ietf.org>; Tue, 21 Aug 2012 04:29:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=788; q=dns/txt; s=iport; t=1345548584; x=1346758184; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=kaSd27JEMts78tXqSaDQSxlMiD2qOs/AxZZpVs5/lHg=; b=l4DFVMbjK6V6OHTJVzWQTt4L0x/fXPNaC8KEP82ihQ0YFYfyUNbTJQP7 UhHGxCfOy2Kg+JbzNaZh7CT34kS5a6tf+nsdE57lQkmyF/Ig2tJCzq6Ax 2tS1e1VWCzj/pkkLQ2grq15+KrpK7PObwvDNLnbCQv6NaWU90ZA9QyV9I U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjAFANVwM1CtJXHB/2dsb2JhbABFhTq1JYEHgiABAQEEEgEnNAsMBgEZBAEBCxQJORQJCQEEAQ0FCBqHa5kMoDWLCIY8YAOjf4FmgmE
X-IronPort-AV: E=Sophos;i="4.77,802,1336348800"; d="scan'208";a="110727246"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-9.cisco.com with ESMTP; 21 Aug 2012 11:29:34 +0000
Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id q7LBTYkR007204 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 21 Aug 2012 11:29:34 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.122]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.02.0298.004; Tue, 21 Aug 2012 06:29:33 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: Fernando Gont <fernando@gont.com.ar>, "'opsec@ietf.org'" <opsec@ietf.org>
Thread-Topic: WG adoption request: draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
Thread-Index: Ac1/kBx4rtGr56t9R0+XsilPyCcPpg==
Date: Tue, 21 Aug 2012 11:29:33 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B24077F1E@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.100.21]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19128.004
x-tm-as-result: No--33.052300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: opsec chairs <opsec-chairs@tools.ietf.org>
Subject: [OPSEC] WG adoption request: draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 11:29:45 -0000

I forgot to mention: 2 weeks timing for providing feedback.

G/

-----Original Message-----
From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Gunter Van de Velde (gvandeve)
Sent: 21 August 2012 13:27
To: Fernando Gont; 'opsec@ietf.org'
Cc: opsec chairs
Subject: Re: [OPSEC] New Rev of draft-gont-opsec-ipv6-implications-on-ipv4-nets-02.txt

With this note the OPSEC chairs would like to probe for WG adoption.

During the course of events and discussion on the WG mailing list, this
document has been seen as valuable for the WG to adopt as a work item.

2 questions need to be addressed:

1. Please find 2 weeks to provide feedback on this draft. Please say yes/no on WG adoption.
2. Should this be BCP or Informational track?

G/

From kkumar@google.com  Tue Aug 21 14:08:17 2012
Return-Path: <kkumar@google.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB4A611E80FE for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 14:08:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.742
X-Spam-Level: 
X-Spam-Status: No, score=-102.742 tagged_above=-999 required=5 tests=[AWL=0.235, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcFIzMg9jPEX for <opsec@ietfa.amsl.com>; Tue, 21 Aug 2012 14:08:17 -0700 (PDT)
Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id A851311E80F7 for <opsec@ietf.org>; Tue, 21 Aug 2012 14:08:16 -0700 (PDT)
Received: by lahm15 with SMTP id m15so153159lah.31 for <opsec@ietf.org>; Tue, 21 Aug 2012 14:08:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-system-of-record; bh=4Dxlss6ASX/zRMkHYVRGmoKkK6sIaqTAVWRBVXSJeSM=; b=ZoNhj5f8uSk6kpMMrTguuaoANaHV5e53ty78kKa6MyvmmWTqSnpKVaxW92nQvhY30e LzwychjpGJ76wDj8hfh1Wsp8AbnJaa5udgePbpd+B+nuR2Y/i2IP5Hp1STJaW95io4Cy TLLpMcOKPPxFOaJ4rReiUuI4cIl85jDCoz319mzweYBNkVS8GgjTgxDVU9o0cl4ZswoA 28AlA9IuzNR2hX04dHEZNoSEeY40WsWaeYwqGugldK6FQohv/wjb/1RavY8ElafKNeND jKR74ZWDuzFyBvmreXQ1wFHjAWjt2Ap+ezhbmSBPJOl0/rIMufnTdSabdSDFdGiuzA74 t3Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-system-of-record:x-gm-message-state; bh=4Dxlss6ASX/zRMkHYVRGmoKkK6sIaqTAVWRBVXSJeSM=; b=YP3qPWxAGzuM4Rk7N2/2I9jwb2QLJCAAl5RKQ4FDwKVfcF5ShUV6mu1qNgel4hclpD qD9pdgH7WayjTZH4QwHyn/gLHGMJ4wIA8jeLJ+Wqtbh/ch87Cf4ydf6RAgcoBtv5wi0B Rf7uoXj+cAIjMbqL7GqfN//0mXRZZx1UvIBQmkCOQvRN6wUpPgLaWKCW6Qe/X5sNtKXK OoO3+yxBqUtX5giFlrMz0vGBXT6IiFR1RVpyk2E1ve69yCoopJCZUZMBUhy/rfrVpz4y +xAi5LGgzY00ddUeUE3TKLbb2Je7N+a+Do8LtlFobklnzqtYAHeMiaF4qAO9/b/+6MKH WO/A==
Received: by 10.152.110.46 with SMTP id hx14mr18791419lab.21.1345583295553; Tue, 21 Aug 2012 14:08:15 -0700 (PDT)
Received: by 10.152.110.46 with SMTP id hx14mr18791410lab.21.1345583295442; Tue, 21 Aug 2012 14:08:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.66.42 with HTTP; Tue, 21 Aug 2012 14:07:55 -0700 (PDT)
From: KK <kk@google.com>
Date: Tue, 21 Aug 2012 14:07:55 -0700
Message-ID: <CAKaj4uRgCNtHsmNgKOCV5uOaZzMjFCYO-1F7ZNgp+Pe5aJyTBg@mail.gmail.com>
To: opsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQl8hTbCS66dPZJ1Y2ueT9QL1FlSyW8iZux9fh1dd5Xj7bVsTwFVMUm6a0KPURO7PNEbvpASbZ8XhP1w3Yrzozh7m8MUmQlKq+xUC3QcmRPvBGibTx6LFRnn752CW0/+751RYUzi4hygXh4viJ6qXc3YHu1e/l/aFKkkOHyRpS9iuygWh53gQ3xheUHnfU6uIdb9X8MS
Subject: [OPSEC] OPSEC Interim Meeting Announcement - Sep 29th 2012
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 21:08:18 -0000

Hello Everyone,

OPSEC is going to hold an interim meeting in Amsterdam, right after
the end of RIPE 65 <https://ripe65.ripe.net/>, on Sep 29th, 2012.  The
meeting will be held in the same hotel as the RIPE meeting:

Hotel Okura <http://www.okura.nl/>

Ferdinand Bolstraat 333
1072 LH Amsterdam
+31 (0) 20 678 7493

Meeting time TBD.

Here, we would discuss drafts that have been updated or posted no
later than a week in advance of the interim. Therefore, I would
request that you submit your drafts by 23:59 UTC, Sep 21, 2012

Thanks,
KK, Gunter, Warren

From kkumar@google.com  Thu Aug 30 21:19:00 2012
Return-Path: <kkumar@google.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21F8011E80ED for <opsec@ietfa.amsl.com>; Thu, 30 Aug 2012 21:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.76
X-Spam-Level: 
X-Spam-Status: No, score=-102.76 tagged_above=-999 required=5 tests=[AWL=0.217, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwxG3DJZ4bSZ for <opsec@ietfa.amsl.com>; Thu, 30 Aug 2012 21:18:59 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4CF7F11E80EA for <opsec@ietf.org>; Thu, 30 Aug 2012 21:18:59 -0700 (PDT)
Received: by lbky2 with SMTP id y2so1135646lbk.31 for <opsec@ietf.org>; Thu, 30 Aug 2012 21:18:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-system-of-record; bh=7cj3Y74ccamEUOEHDjrwf90azzLjecT5dIbhM/QLn2c=; b=oNeO/39PucjgX4DS88KzWZMpNLIu49pdkFovG0OzIB33kXTxrBZDJeI5w4E1dwBuGy bsGejSWv5yVrVqLTTuJ/kiUPPXnI+5IrIlGtuj8zc/RwhGbd6GE1J3DnNZVcaguc3c8C UcgqlHhKwvaGzEW/Nz9VI0hrG+RM/bJaLwDT1uDgK4Py1U+mHEaau8Zh85LWKDYWBDPU 2vKYMhR34B1bULXYrGTAe/Zq5M6VYlvaN1SPSplunmSq898JuU/Nsw6MfSjh+Rb+Zlwi XtnwaX5vTTgxz8aPmOVrgg+NwZxhF6Wp+5huq/MevXzUBtTEIKrl0qYVpsDBhL7sQxFE Q0zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-system-of-record:x-gm-message-state; bh=7cj3Y74ccamEUOEHDjrwf90azzLjecT5dIbhM/QLn2c=; b=KTShoVh6CccJTHdWM3MpZQ8m8wCGm7iR7sGylOPYnyijesy6F9GLJG4mi3zOMUPI9x 6ShBrU/0ciUuL+Se/QCpXiSAIUJAX/meLKP0BBCbKWsBIp5GdVZULarUBw1OSSUla8Tz gzbF3cvGjMVdW3IFHIbg+GXeYsDZghRsjbShrCnltu/Rj7BHP3Sud/CfGNLeLxMG+F1S sqgnkRIQuZjViyVfUlxoBU74bOFOr1Ak+UA+uFR8kUoWqbBe2D3wsw40ak7w6nyO3YoN aTNiU0srzK26GodaXGRu5G11SH2QCm7JSms9B4rE+BzicIqtHejxH5TOdNl+TvTMinKb Q8ag==
Received: by 10.152.148.199 with SMTP id tu7mr5166974lab.37.1346386738218; Thu, 30 Aug 2012 21:18:58 -0700 (PDT)
Received: by 10.152.148.199 with SMTP id tu7mr5166964lab.37.1346386738072; Thu, 30 Aug 2012 21:18:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.66.42 with HTTP; Thu, 30 Aug 2012 21:18:37 -0700 (PDT)
From: KK <kk@google.com>
Date: Thu, 30 Aug 2012 21:18:37 -0700
Message-ID: <CAKaj4uQVgGeurkUo7WuMBQm+j6_bxUEoJSe0TScOiRMP6WT34Q@mail.gmail.com>
To: ietf-secretariat@ietf.org, opsec@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQm3tDK+AYZp/zq81ijSsJtT1mIU1BAgK42ZA3pHNSYKMj4i41USXvycAl5pTMgL3WmY3HM2CeTwpEbu+0kx6N0fkuwS/q9u8kBvj5RhOXSjom+dY+oq7TPk8gSQ8pLZ4ub0j7u7EIeVADMbcb6XBI35VyGXlnpA7YkvF8wS2Dvbz6o2Qc8ToK6Z4WUtZwcFgip3GucS
Cc: Warren Kumari <warren@kumari.net>, Gunter Van de Velde <gunter@vandevelde.cc>
Subject: [OPSEC] OPSEC Interim Meeting announcement - Sep 29th 2012, Amsterdam
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2012 04:19:00 -0000

Greetings Folks,

The OPSEC working group plans a face-to-face interim meeting on Sat
29, Sep 2012 in Amsterdam.

The meeting will be held 0900-1130. Location will be announced later,
and is expected to be arranged as part of the IETF Large Interim
Meeting (LIM).

In order to obtain agenda time, please post drafts and send a request
to the WG chairs by 23:59 UTC, Sep 21, 2012.

Refinements of this agenda will be announced on the OPSEC mailing list.

Remote participation by webex or meetecho, teleconference, jabber and
etherpad will be provided as needed. Details will be announced
beforehand.

Thanks,
KK, Gunter, Warren

From iesg-secretary@ietf.org  Fri Aug 31 08:10:11 2012
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D46DD21F85C0; Fri, 31 Aug 2012 08:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.533
X-Spam-Level: 
X-Spam-Status: No, score=-102.533 tagged_above=-999 required=5 tests=[AWL=0.066, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kKShRhwGNE2E; Fri, 31 Aug 2012 08:10:11 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52D2721F8669; Fri, 31 Aug 2012 08:10:11 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: IESG Secretary <iesg-secretary@ietf.org>
To: IETF Announcement List <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 4.34
Message-ID: <20120831151011.1605.83058.idtracker@ietfa.amsl.com>
Date: Fri, 31 Aug 2012 08:10:11 -0700
Cc: opsec@ietf.org
Subject: [OPSEC] OPSEC WG Interim Meeting, September 29, 2012
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2012 15:10:12 -0000

Greetings Folks,

The OPSEC working group plans a face-to-face interim meeting on Sat
29, Sep 2012 in Amsterdam.

The meeting will be held 0900-1130. Location will be announced later,
and is expected to be arranged as part of the IETF Large Interim
Meeting (LIM).

In order to obtain agenda time, please post drafts and send a request
to the WG chairs by 23:59 UTC, Sep 21, 2012.

Refinements of this agenda will be announced on the OPSEC mailing list.

Remote participation by webex or meetecho, teleconference, jabber and
etherpad will be provided as needed. Details will be announced
beforehand.

Thanks,
KK, Gunter, Warren
