
From iesg-secretary@ietf.org  Tue Oct 15 09:52:20 2013
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 4.80.p2
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20131015165218.2100.32002.idtracker@ietfa.amsl.com>
Date: Tue, 15 Oct 2013 09:52:18 -0700
Cc: opsec WG <opsec@ietf.org>
Subject: [OPSEC] WG Review: Operational Security Capabilities for IP Network Infrastructure (opsec)

The Operational Security Capabilities for IP Network Infrastructure
(opsec) working group in the Operations and Management Area of the IETF
is undergoing rechartering. The IESG has not made any determination yet.
The following draft charter was submitted, and is provided for
informational purposes only. Please send your comments to the IESG
mailing list (iesg at ietf.org) by 2013-10-22.

Operational Security Capabilities for IP Network Infrastructure (opsec)
------------------------------------------------
Current Status: Active WG

Chairs:
  Warren Kumari <warren@kumari.net>
  Gunter Van de Velde <gvandeve@cisco.com>
  KK Chittimaneni <kk@google.com>

Assigned Area Director:
  Joel Jaeggli <joelja@bogus.com>

Mailing list
  Address: opsec@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/opsec
  Archive: http://www.ietf.org/mail-archive/web/opsec/

Charter:

Goals:

The OPSEC WG will document operational issues and best current practices 
with regard to network security.In particular, the working group will
clarify the rationale of supporting current operational practice, 
addressing gaps in currently understood best practices, and clarifying 
liabilities inherent in security practices where they exist.
  
Scope:

The scope of the OPSEC WG includes the protection and secure  operation
of the forwarding, control and management planes. Documentation of 
operational issues, revision of existing operational security practices 
documents and proposals for new approaches to operational challenges
related to network security are in scope.

Method:

The work will result in the publication of informational or BCP RFCs. 
Taxonomy or problem statement  documents may provide a basis for such
documents.

Informational or Best Current Practices Documents

For each topic addressed, the working group will produce a document that
captures common practices related to secure network operation.  will be
produced. This will be primarily based on operational experience. A
document might convey:

* a threat or threats to be addressed

* current practices for addressing the threat

* protocols, tools and technologies extant at the time of writing that
are used to address the threat

* the possibility that a solution does not exist within existing tools or technologies

Taxonomy and Problem Statement Documents

These are documents that describe the scope of particular operational
security challenges or problem spaces without necessarily coming to
conclusions or proposing solutions. Such a document might be the 
precusor to an informational or best current practices document.

While the principal input of the working group is operational experience
and needs, the output should be directed towards providing guidance to 
the operators community,  other working groups that develop protocols or 
the protocol development community.  

Non-Goals:

The OPSEC WG is will not write or modify protocols. New protocol work
must be addressed through a working group chartered for that work, or 
via one of the individual submission processes. The OPSEC WG may take on
documents related to the practices of using such work.
 


Milestones:
  Done     - Complete Charter
  Done     - First draft of Framework Document as Internet Draft
  Done     - First draft of Standards Survey Document as Internet Draft
  Done     - First draft of Packet Filtering Capabilities
  Done     - First draft of Event Logging Capabilities
  Done     - First draft of Network Operator Current Security Practices
  Done     - First draft of In-Band management capabilities
  Done     - First draft of Out-of-Band management capabilities
  Done     - First draft of Configuration and Management Interface
Capabilities
  Done     - Submit Network Operator Current Security Practices to IESG
  Dec 2012 - WG Adoption of 'BGP operations and security' document
  Dec 2012 - WG Adoption of 'Network Reconnaissance in IPv6 Networks'
document
  Dec 2012 - WG Adoption of 'DHCPv6-Shield: Protecting Against Rogue
DHCPv6 Servers' document
  Dec 2012 - WG Adoption of 'Virtual Private Network (VPN) traffic
leakages in dual-stack hosts/networks' document
  Jan 2013 - WG Last Call for 'Operational Security Considerations for
IPv6 Networks' document
  Jan 2013 - WG Last Call for 'Recommendations for filtering ICMP
messages' document
  Jan 2013 - WG Last Call for 'Recommendations on filtering of IPv4
packets containing IPv4 options' document
  Jan 2013 - WG Last Call for 'Security Implications of IPv6 on IPv4
networks' document
  Mar 2013 - WG Last Call for 'Using Only Link-Local Addressing Inside an
IPv6 Network' document
  Mar 2013 - Submit 'Recommendations for filtering ICMP messages'
document to IESG
  Mar 2013 - Submit 'Recommendations on filtering of IPv4 packets
containing IPv4 options' document to IESG
  Mar 2013 - Submit 'Operational Security Considerations for IPv6
Networks' document to IESG
  Mar 2013 - Submit 'Recommendations for filtering ICMP messages'
document to IESG
  May 2013 - Submit 'Using Only Link-Local Addressing Inside an IPv6
Network' document to IESG
  Jul 2013 - WG Last Call for 'BGP operations and security' document
  Jul 2013 - WG Last Call for 'Network Reconnaissance in IPv6 Networks'
document
  Jul 2013 - WG Last Call for 'DHCPv6-Shield: Protecting Against Rogue
DHCPv6 Servers' document
  Jul 2013 - WG Last Call for 'Virtual Private Network (VPN) traffic
leakages in dual-stack hosts/networks' document
  Sep 2013 - Submit 'BGP operations and security' document to IESG
  Sep 2013 - Submit 'Network Reconnaissance in IPv6 Networks' document to
IESG
  Sep 2013 - Submit 'DHCPv6-Shield: Protecting Against Rogue DHCPv6
Servers' document to IESG



From dave@juniper.net  Tue Oct 15 12:12:37 2013
Message-ID: <525D938D.2030505@juniper.net>
Date: Tue, 15 Oct 2013 15:12:13 -0400
From: Dave Dugal <dave@juniper.net>
Organization: Juniper Networks, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: <iesg@ietf.org>
References: <20131015165218.2100.32002.idtracker@ietfa.amsl.com>
In-Reply-To: <20131015165218.2100.32002.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: opsec WG <opsec@ietf.org>
Subject: Re: [OPSEC] WG Review: Operational Security Capabilities for IP Network Infrastructure (opsec)

I agree with the updated charter as presented below.

Please consider removing the following minor cut/paste error:

> 
> Informational or Best Current Practices Documents
> 
> For each topic addressed, the working group will produce a document that
> captures common practices related to secure network operation.  -will be
> produced-. This will be primarily based on operational experience. A
> document might convey:

EDIT: Remove "  will be produced."

- Dave Dugal

On 10/15/2013 12:52 PM, The IESG <iesg-secretary@ietf.org> proclaimed ...
> The Operational Security Capabilities for IP Network Infrastructure
> (opsec) working group in the Operations and Management Area of the IETF
> is undergoing rechartering. The IESG has not made any determination yet.
> The following draft charter was submitted, and is provided for
> informational purposes only. Please send your comments to the IESG
> mailing list (iesg at ietf.org) by 2013-10-22.
> 
> Operational Security Capabilities for IP Network Infrastructure (opsec)
> ------------------------------------------------
> Current Status: Active WG
> 
> Chairs:
>   Warren Kumari <warren@kumari.net>
>   Gunter Van de Velde <gvandeve@cisco.com>
>   KK Chittimaneni <kk@google.com>
> 
> Assigned Area Director:
>   Joel Jaeggli <joelja@bogus.com>
> 
> Mailing list
>   Address: opsec@ietf.org
>   To Subscribe: https://www.ietf.org/mailman/listinfo/opsec
>   Archive: http://www.ietf.org/mail-archive/web/opsec/
> 
> Charter:
> 
> Goals:
> 
> The OPSEC WG will document operational issues and best current practices 
> with regard to network security.In particular, the working group will
> clarify the rationale of supporting current operational practice, 
> addressing gaps in currently understood best practices, and clarifying 
> liabilities inherent in security practices where they exist.
>   
> Scope:
> 
> The scope of the OPSEC WG includes the protection and secure  operation
> of the forwarding, control and management planes. Documentation of 
> operational issues, revision of existing operational security practices 
> documents and proposals for new approaches to operational challenges
> related to network security are in scope.
> 
> Method:
> 
> The work will result in the publication of informational or BCP RFCs. 
> Taxonomy or problem statement  documents may provide a basis for such
> documents.
> 
> Informational or Best Current Practices Documents
> 
> For each topic addressed, the working group will produce a document that
> captures common practices related to secure network operation.  will be
> produced. This will be primarily based on operational experience. A
> document might convey:
> 
> * a threat or threats to be addressed
> 
> * current practices for addressing the threat
> 
> * protocols, tools and technologies extant at the time of writing that
> are used to address the threat
> 
> * the possibility that a solution does not exist within existing tools or technologies
> 
> Taxonomy and Problem Statement Documents
> 
> These are documents that describe the scope of particular operational
> security challenges or problem spaces without necessarily coming to
> conclusions or proposing solutions. Such a document might be the 
> precusor to an informational or best current practices document.
> 
> While the principal input of the working group is operational experience
> and needs, the output should be directed towards providing guidance to 
> the operators community,  other working groups that develop protocols or 
> the protocol development community.  
> 
> Non-Goals:
> 
> The OPSEC WG is will not write or modify protocols. New protocol work
> must be addressed through a working group chartered for that work, or 
> via one of the individual submission processes. The OPSEC WG may take on
> documents related to the practices of using such work.
>  
> 
> 
> Milestones:
>   Done     - Complete Charter
>   Done     - First draft of Framework Document as Internet Draft
>   Done     - First draft of Standards Survey Document as Internet Draft
>   Done     - First draft of Packet Filtering Capabilities
>   Done     - First draft of Event Logging Capabilities
>   Done     - First draft of Network Operator Current Security Practices
>   Done     - First draft of In-Band management capabilities
>   Done     - First draft of Out-of-Band management capabilities
>   Done     - First draft of Configuration and Management Interface
> Capabilities
>   Done     - Submit Network Operator Current Security Practices to IESG
>   Dec 2012 - WG Adoption of 'BGP operations and security' document
>   Dec 2012 - WG Adoption of 'Network Reconnaissance in IPv6 Networks'
> document
>   Dec 2012 - WG Adoption of 'DHCPv6-Shield: Protecting Against Rogue
> DHCPv6 Servers' document
>   Dec 2012 - WG Adoption of 'Virtual Private Network (VPN) traffic
> leakages in dual-stack hosts/networks' document
>   Jan 2013 - WG Last Call for 'Operational Security Considerations for
> IPv6 Networks' document
>   Jan 2013 - WG Last Call for 'Recommendations for filtering ICMP
> messages' document
>   Jan 2013 - WG Last Call for 'Recommendations on filtering of IPv4
> packets containing IPv4 options' document
>   Jan 2013 - WG Last Call for 'Security Implications of IPv6 on IPv4
> networks' document
>   Mar 2013 - WG Last Call for 'Using Only Link-Local Addressing Inside an
> IPv6 Network' document
>   Mar 2013 - Submit 'Recommendations for filtering ICMP messages'
> document to IESG
>   Mar 2013 - Submit 'Recommendations on filtering of IPv4 packets
> containing IPv4 options' document to IESG
>   Mar 2013 - Submit 'Operational Security Considerations for IPv6
> Networks' document to IESG
>   Mar 2013 - Submit 'Recommendations for filtering ICMP messages'
> document to IESG
>   May 2013 - Submit 'Using Only Link-Local Addressing Inside an IPv6
> Network' document to IESG
>   Jul 2013 - WG Last Call for 'BGP operations and security' document
>   Jul 2013 - WG Last Call for 'Network Reconnaissance in IPv6 Networks'
> document
>   Jul 2013 - WG Last Call for 'DHCPv6-Shield: Protecting Against Rogue
> DHCPv6 Servers' document
>   Jul 2013 - WG Last Call for 'Virtual Private Network (VPN) traffic
> leakages in dual-stack hosts/networks' document
>   Sep 2013 - Submit 'BGP operations and security' document to IESG
>   Sep 2013 - Submit 'Network Reconnaissance in IPv6 Networks' document to
> IESG
>   Sep 2013 - Submit 'DHCPv6-Shield: Protecting Against Rogue DHCPv6
> Servers' document to IESG
> 
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
> 
> 
> .
> 


From warren@kumari.net  Tue Oct 15 23:29:16 2013
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <525D938D.2030505@juniper.net>
Date: Wed, 16 Oct 2013 09:29:05 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <1E12CD29-A22D-45DF-B441-4F316762D270@kumari.net>
References: <20131015165218.2100.32002.idtracker@ietfa.amsl.com> <525D938D.2030505@juniper.net>
To: Dave Dugal <dave@juniper.net>
X-Mailer: Apple Mail (2.1510)
Cc: opsec WG <opsec@ietf.org>, Warren Kumari <warren@kumari.net>, iesg@ietf.org
Subject: Re: [OPSEC] WG Review: Operational Security Capabilities for IP Network Infrastructure (opsec)

On Oct 15, 2013, at 10:12 PM, Dave Dugal <dave@juniper.net> wrote:

> I agree with the updated charter as presented below.
>
> Please consider removing the following minor cut/paste error:
>
>>
>> Informational or Best Current Practices Documents
>>
>> For each topic addressed, the working group will produce a document that
>> captures common practices related to secure network operation.  -will be
>> produced-. This will be primarily based on operational experience. A
>> document might convey:
>
> EDIT: Remove "  will be produced."

Ah-ha! That was a cunning trick to see if anyone was actually reading
the text -- guess they were.

(AKA, thank you, not sure where that climbed in...)

W



--
After you'd known Christine for any length of time, you found yourself
fighting a desire to look into her ear to see if you could spot daylight
coming the other way.

    -- (Terry Pratchett, Maskerade)





From heard@pobox.com  Wed Oct 16 03:51:53 2013
Date: Wed, 16 Oct 2013 03:51:41 -0700 (PDT)
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: IESG <iesg@ietf.org>
In-Reply-To: <525D938D.2030505@juniper.net>
Message-ID: <Pine.LNX.4.64.1310160257540.21475@shell4.bayarea.net>
References: <20131015165218.2100.32002.idtracker@ietfa.amsl.com> <525D938D.2030505@juniper.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: OPSEC WG <opsec@ietf.org>
Subject: Re: [OPSEC] WG Review: Operational Security Capabilities for IP Network Infrastructure (opsec)

Greetings,

I see that the list of milestones is unchanged from the current 
charter (modulo some reordering), and over 2/3 of these milestones 
have dates that are now in the past.  The ones that are done should 
be marked as such, and the others should get new dates.

There are also a couple of typos (in addition to the one noted by 
Dave Dugal) that are flagged in-line.

Mike Heard

On Tue, 15 Oct 2013, Dave Dugal wrote:
> I agree with the updated charter as presented below.
> 
> Please consider removing the following minor cut/paste error:
> 
> > 
> > Informational or Best Current Practices Documents
> > 
> > For each topic addressed, the working group will produce a document that
> > captures common practices related to secure network operation.  -will be
> > produced-. This will be primarily based on operational experience. A
> > document might convey:
> 
> EDIT: Remove "  will be produced."
> 
> - Dave Dugal
> 
> On 10/15/2013 12:52 PM, The IESG <iesg-secretary@ietf.org> proclaimed ...
> > The Operational Security Capabilities for IP Network Infrastructure
> > (opsec) working group in the Operations and Management Area of the IETF
> > is undergoing rechartering. The IESG has not made any determination yet.
> > The following draft charter was submitted, and is provided for
> > informational purposes only. Please send your comments to the IESG
> > mailing list (iesg at ietf.org) by 2013-10-22.
> > 
> > Operational Security Capabilities for IP Network Infrastructure (opsec)
> > ------------------------------------------------
> > Current Status: Active WG
> > 
> > Chairs:
> >   Warren Kumari <warren@kumari.net>
> >   Gunter Van de Velde <gvandeve@cisco.com>
> >   KK Chittimaneni <kk@google.com>
> > 
> > Assigned Area Director:
> >   Joel Jaeggli <joelja@bogus.com>
> > 
> > Mailing list
> >   Address: opsec@ietf.org
> >   To Subscribe: https://www.ietf.org/mailman/listinfo/opsec
> >   Archive: http://www.ietf.org/mail-archive/web/opsec/
> > 
> > Charter:
> > 
> > Goals:
> > 
> > The OPSEC WG will document operational issues and best current practices 
> > with regard to network security.In particular, the working group will
> > clarify the rationale of supporting current operational practice, 
> > addressing gaps in currently understood best practices, and clarifying 
> > liabilities inherent in security practices where they exist.

s/security.In/security. In/

s/rationale of supporting/rationale supporting/

> >   
> > Scope:
> > 
> > The scope of the OPSEC WG includes the protection and secure  operation
> > of the forwarding, control and management planes. Documentation of 
> > operational issues, revision of existing operational security practices 
> > documents and proposals for new approaches to operational challenges
> > related to network security are in scope.
> > 
> > Method:
> > 
> > The work will result in the publication of informational or BCP RFCs. 
> > Taxonomy or problem statement  documents may provide a basis for such
> > documents.
> > 
> > Informational or Best Current Practices Documents
> > 
> > For each topic addressed, the working group will produce a document that
> > captures common practices related to secure network operation.  will be
> > produced. This will be primarily based on operational experience. A
> > document might convey:

s/ will be produced//

> > 
> > * a threat or threats to be addressed
> > 
> > * current practices for addressing the threat
> > 
> > * protocols, tools and technologies extant at the time of writing that are used to address the threat
> > 
> > * the possibility that a solution does not exist within existing tools or technologies
> > 
> > Taxonomy and Problem Statement Documents
> > 
> > These are documents that describe the scope of particular operational
> > security challenges or problem spaces without necessarily coming to
> > conclusions or proposing solutions. Such a document might be the 
> > precusor to an informational or best current practices document.
> > 
> > While the principal input of the working group is operational experience
> > and needs, the output should be directed towards providing guidance to 
> > the operators community,  other working groups that develop protocols or 
> > the protocol development community.  
> > 
> > Non-Goals:
> > 
> > The OPSEC WG is will not write or modify protocols. New protocol work
> > must be addressed through a working group chartered for that work, or 
> > via one of the individual submission processes. The OPSEC WG may take on
> > documents related to the practices of using such work.
> >  
> > 
> > 
> > Milestones:
> >   Done     - Complete Charter
> >   Done     - First draft of Framework Document as Internet Draft
> >   Done     - First draft of Standards Survey Document as Internet Draft
> >   Done     - First draft of Packet Filtering Capabilities
> >   Done     - First draft of Event Logging Capabilities
> >   Done     - First draft of Network Operator Current Security Practices
> >   Done     - First draft of In-Band management capabilities
> >   Done     - First draft of Out-of-Band management capabilities
> >   Done     - First draft of Configuration and Management Interface Capabilities
> >   Done     - Submit Network Operator Current Security Practices to IESG
> >   Dec 2012 - WG Adoption of 'BGP operations and security' document
> >   Dec 2012 - WG Adoption of 'Network Reconnaissance in IPv6 Networks' document
> >   Dec 2012 - WG Adoption of 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' document
> >   Dec 2012 - WG Adoption of 'Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks' document
> >   Jan 2013 - WG Last Call for 'Operational Security Considerations for IPv6 Networks' document
> >   Jan 2013 - WG Last Call for 'Recommendations for filtering ICMP messages' document
> >   Jan 2013 - WG Last Call for 'Recommendations on filtering of IPv4 packets containing IPv4 options' document
> >   Jan 2013 - WG Last Call for 'Security Implications of IPv6 on IPv4 networks' document
> >   Mar 2013 - WG Last Call for 'Using Only Link-Local Addressing Inside an IPv6 Network' document
> >   Mar 2013 - Submit 'Recommendations for filtering ICMP messages' document to IESG
> >   Mar 2013 - Submit 'Recommendations on filtering of IPv4 packets containing IPv4 options' document to IESG
> >   Mar 2013 - Submit 'Operational Security Considerations for IPv6 Networks' document to IESG
> >   Mar 2013 - Submit 'Recommendations for filtering ICMP messages' document to IESG
> >   May 2013 - Submit 'Using Only Link-Local Addressing Inside an IPv6 Network' document to IESG
> >   Jul 2013 - WG Last Call for 'BGP operations and security' document
> >   Jul 2013 - WG Last Call for 'Network Reconnaissance in IPv6 Networks' document
> >   Jul 2013 - WG Last Call for 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' document
> >   Jul 2013 - WG Last Call for 'Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks' document
> >   Sep 2013 - Submit 'BGP operations and security' document to IESG
> >   Sep 2013 - Submit 'Network Reconnaissance in IPv6 Networks' document to IESG
> >   Sep 2013 - Submit 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' document to IESG
> > 
> > 
> > _______________________________________________
> > OPSEC mailing list
> > OPSEC@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsec
> > 
> 

From sm@resistor.net  Fri Oct 18 07:09:35 2013
Return-Path: <sm@resistor.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1436411E81FD for <opsec@ietfa.amsl.com>; Fri, 18 Oct 2013 07:09:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.698
X-Spam-Level: 
X-Spam-Status: No, score=-102.698 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ufe8FWKVlnBk for <opsec@ietfa.amsl.com>; Fri, 18 Oct 2013 07:09:31 -0700 (PDT)
Received: from mx.elandsys.com (ns1.qubic.net [208.69.177.116]) by ietfa.amsl.com (Postfix) with ESMTP id 039BE11E818F for <opsec@ietf.org>; Fri, 18 Oct 2013 07:09:30 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r9IE8fSD003702 for <opsec@ietf.org>; Fri, 18 Oct 2013 07:09:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1382105344; bh=k43CUCzzwBkKTROpE/kZd+L/0C2GLepWmBFV0CdSUuw=; h=Date:To:From:Subject:In-Reply-To:References; b=rYFdZHEe99TstYqbpYnhmZYu1nw1l/xwuE80Oy3uaW4vHHhYUhNQmbszazbmQzQtC E988PNApG0H1Il+65GzhXAQAG5oKNfwMapJIvMLgdjp3jFm2COdr5YMxkmxlL9PSLK Y6hNLqL9MQOKR4q3DXABrIMuzcMogZgB5ES5mcig=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1382105344; i=@resistor.net; bh=k43CUCzzwBkKTROpE/kZd+L/0C2GLepWmBFV0CdSUuw=; h=Date:To:From:Subject:In-Reply-To:References; b=gXeORUAljxIq+gioUGSqe6Pe/LXjvFSNqeKp5VxTWO9lQpfNMCOVwR6gyAJNdtYFz 129G4sHwbjA7CEoMqoN8Ky217xxl6LE+ZCjmIeWnBCk1r+hs6OcN8IJ/FbKThPegZI xV+FB5FXISOavu2pNdOECFhEaH4KxH4wzFLYovfU=
Message-Id: <6.2.5.6.2.20131018064254.0c1ce678@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Fri, 18 Oct 2013 06:57:34 -0700
To: opsec@ietf.org
From: SM <sm@resistor.net>
In-Reply-To: <20131015165218.2100.32002.idtracker@ietfa.amsl.com>
References: <20131015165218.2100.32002.idtracker@ietfa.amsl.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Re: [OPSEC] WG Review: Operational Security Capabilities for IP Network Infrastructure (opsec)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 14:09:35 -0000

At 09:52 15-10-2013, The IESG wrote:
>The Operational Security Capabilities for IP Network Infrastructure
>(opsec) working group in the Operations and Management Area of the IETF
>is undergoing rechartering. The IESG has not made any determination yet.

[snip]

>Milestones:
>   Done     - Complete Charter
>   Done     - First draft of Framework Document as Internet Draft
>   Done     - First draft of Standards Survey Document as Internet Draft
>   Done     - First draft of Packet Filtering Capabilities
>   Done     - First draft of Event Logging Capabilities
>   Done     - First draft of Network Operator Current Security Practices
>   Done     - First draft of In-Band management capabilities
>   Done     - First draft of Out-of-Band management capabilities
>   Done     - First draft of Configuration and Management Interface
>Capabilities
>   Done     - Submit Network Operator Current Security Practices to IESG
>   Dec 2012 - WG Adoption of 'BGP operations and security' document
>   Dec 2012 - WG Adoption of 'Network Reconnaissance in IPv6 Networks'
>document
>   Dec 2012 - WG Adoption of 'DHCPv6-Shield: Protecting Against Rogue
>DHCPv6 Servers' document
>   Dec 2012 - WG Adoption of 'Virtual Private Network (VPN) traffic
>leakages in dual-stack hosts/networks' document
>   Jan 2013 - WG Last Call for 'Operational Security Considerations for
>IPv6 Networks' document
>   Jan 2013 - WG Last Call for 'Recommendations for filtering ICMP
>messages' document
>   Jan 2013 - WG Last Call for 'Recommendations on filtering of IPv4
>packets containing IPv4 options' document
>   Jan 2013 - WG Last Call for 'Security Implications of IPv6 on IPv4
>networks' document
>   Mar 2013 - WG Last Call for 'Using Only Link-Local Addressing Inside an
>IPv6 Network' document
>   Mar 2013 - Submit 'Recommendations for filtering ICMP messages'
>document to IESG
>   Mar 2013 - Submit 'Recommendations on filtering of IPv4 packets
>containing IPv4 options' document to IESG
>   Mar 2013 - Submit 'Operational Security Considerations for IPv6
>Networks' document to IESG
>   Mar 2013 - Submit 'Recommendations for filtering ICMP messages'
>document to IESG
>   May 2013 - Submit 'Using Only Link-Local Addressing Inside an IPv6
>Network' document to IESG
>   Jul 2013 - WG Last Call for 'BGP operations and security' document
>   Jul 2013 - WG Last Call for 'Network Reconnaissance in IPv6 Networks'
>document
>   Jul 2013 - WG Last Call for 'DHCPv6-Shield: Protecting Against Rogue
>DHCPv6 Servers' document
>   Jul 2013 - WG Last Call for 'Virtual Private Network (VPN) traffic
>leakages in dual-stack hosts/networks' document
>   Sep 2013 - Submit 'BGP operations and security' document to IESG
>   Sep 2013 - Submit 'Network Reconnaissance in IPv6 Networks' document to
>IESG
>   Sep 2013 - Submit 'DHCPv6-Shield: Protecting Against Rogue DHCPv6
>Servers' document to IESG

All the milestones are in the past.

Regards,
-sm 


From internet-drafts@ietf.org  Sat Oct 19 16:09:56 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E060311E82E6; Sat, 19 Oct 2013 16:09:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.566
X-Spam-Level: 
X-Spam-Status: No, score=-102.566 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWOitc0ebvuD; Sat, 19 Oct 2013 16:09:55 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B912E11E82E2; Sat, 19 Oct 2013 16:09:54 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.80.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20131019230954.9604.42688.idtracker@ietfa.amsl.com>
Date: Sat, 19 Oct 2013 16:09:54 -0700
Cc: opsec@ietf.org
Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Oct 2013 23:09:56 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.

	Title           : Using Only Link-Local Addressing Inside an IPv6 Network
	Author(s)       : Michael Behringer
                          Eric Vyncke
	Filename        : draft-ietf-opsec-lla-only-04.txt
	Pages           : 9
	Date            : 2013-10-19

Abstract:
   In an IPv6 network it is possible to use only link-local addresses on
   infrastructure links between routers.  This document discusses the
   advantages and disadvantages of this approach to help the decision
   process for a given network.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-opsec-lla-only-04

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-lla-only-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From evyncke@cisco.com  Sun Oct 20 10:44:49 2013
Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 752D611E83BF for <opsec@ietfa.amsl.com>; Sun, 20 Oct 2013 10:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1C88nIQJx0jB for <opsec@ietfa.amsl.com>; Sun, 20 Oct 2013 10:44:44 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 98F3511E8224 for <opsec@ietf.org>; Sun, 20 Oct 2013 10:44:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3349; q=dns/txt; s=iport; t=1382291083; x=1383500683; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=IZAMZ+TeiVntUSnFzLhyXz30jcHWp4EtTvY7/Ret93M=; b=TzQDuRLHYfdagFzNTqJO8ABShEfkSJwJbb8R0RkdO7ITo3vEe1AxXope ZqJw731GPKlP0OsWbL0Q9piclzXysKnutDF+2uM0BTzStVxFtEbQ57XC8 9aqa20RLSDMHbbMQaqaB0wUr/9Co3wOlwQXmuDdgTS3UBSph2aJgjkSBR s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqcGADEWZFKtJV2a/2dsb2JhbABagwc4Tga+MoEjFm0HgiUBAQEEAQEBC1cJCwwEAgEIEQQBAQsdBycLFAkIAgQOBQgBh30IBbxujysxBwaDGYEKA4kHkDGQWIMkgio
X-IronPort-AV: E=Sophos;i="4.93,534,1378857600"; d="scan'208";a="274352482"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-8.cisco.com with ESMTP; 20 Oct 2013 17:44:43 +0000
Received: from xhc-rcd-x05.cisco.com (xhc-rcd-x05.cisco.com [173.37.183.79]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r9KHige0026410 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <opsec@ietf.org>; Sun, 20 Oct 2013 17:44:43 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.143]) by xhc-rcd-x05.cisco.com ([173.37.183.79]) with mapi id 14.02.0318.004; Sun, 20 Oct 2013 12:44:42 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
Thread-Index: AQHOzSBW2t1F3gdMiEC1EuKVNWHvtZn9Tadg
Date: Sun, 20 Oct 2013 17:44:42 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E12379401D@xmb-aln-x02.cisco.com>
References: <20131019230954.9604.42688.idtracker@ietfa.amsl.com>
In-Reply-To: <20131019230954.9604.42688.idtracker@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.65.45.20]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Oct 2013 17:44:49 -0000

Here are the modifications that Michael and I did to the previous version
(also thanking the reviewers)

Thanks to Rama Darbha, we have removed the SHOULD hardcode the LLA to avoid
changes of LLA when changing the MAC (same comment by Fernando as well).

Thanks to Fernando Gont, we have removed old verbiage about 'authors
recommend' as it is a balance between pros and cons. Added a reference to
RFC 6724 (SAS) to use global address (such as loopback address) when
generating an ICMP message. Added reference to the RFC about BGP & Co. We
have also clarified some wording in the management plane traffic. We did not
change the verbiage about out-of-band management as we assumed that it is
outside of the scope of this document. Added reference to RFC 4987 (SYN
flood). Clarification about what is meant by a loopback address/interface.
The comment about static addresses for LLA and
draft-ietf-6man-stable-privacy-addresses has been ignored because to our
knowledge routers never use privacy extension addresses for their
interfaces. The IXP section has also been updated about the amount of work
to map all global addresses of IXP.

Thanks also to Wes George: we have removed all "we propose" and "we
recommend" as this is only a list of pros and cons and not a technique
'blessed' by the IETF. We also removed all references to RFC 2119 as it is
an informational document. And we have also removed ambiguities.

-éric


> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: dimanche 20 octobre 2013 04:40
> To: i-d-announce@ietf.org
> Cc: opsec@ietf.org
> Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the Operational Security Capabilities for IP
> Network Infrastructure Working Group of the IETF.
>
> 	Title           : Using Only Link-Local Addressing Inside an IPv6
> Network
> 	Author(s)       : Michael Behringer
>                           Eric Vyncke
> 	Filename        : draft-ietf-opsec-lla-only-04.txt
> 	Pages           : 9
> 	Date            : 2013-10-19
>
> Abstract:
>    In an IPv6 network it is possible to use only link-local addresses on
>    infrastructure links between routers.  This document discusses the
>    advantages and disadvantages of this approach to help the decision
>    process for a given network.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-opsec-lla-only-04
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-lla-only-04
>
>
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/

From internet-drafts@ietf.org  Mon Oct 21 15:22:33 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04A5411E8379; Mon, 21 Oct 2013 15:22:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.57
X-Spam-Level: 
X-Spam-Status: No, score=-102.57 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbHbjGmbCaPJ; Mon, 21 Oct 2013 15:22:32 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7277E11E875A; Mon, 21 Oct 2013 15:22:29 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.80.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20131021222229.32495.36420.idtracker@ietfa.amsl.com>
Date: Mon, 21 Oct 2013 15:22:29 -0700
Cc: opsec@ietf.org
Subject: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-shield-01.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2013 22:22:33 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.

	Title           : DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
	Author(s)       : Fernando Gont
                          Will Liu
                          Gunter Van de Velde
	Filename        : draft-ietf-opsec-dhcpv6-shield-01.txt
	Pages           : 9
	Date            : 2013-10-21

Abstract:
   This document specifies a mechanism for protecting hosts connected to
   a broadcast network against rogue DHCPv6 servers.  The aforementioned
   mechanism is based on DHCPv6 packet-filtering at the layer-2 device
   at which the packets are received.  The aforementioned mechanism has
   been widely deployed in IPv4 networks ('DHCP snooping'), and hence it
   is desirable that similar functionality be provided for IPv6
   networks.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-opsec-dhcpv6-shield-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-dhcpv6-shield-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
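
The filtering decision the abstract above describes, as an added example that is not part of the announcement and is not code from the draft or its authors: a layer-2 device drops packets addressed to the DHCPv6 client port unless they arrive on a port configured as server-facing. The port names, the drop-on-truncated-header-chain choice, the forwarding of later fragments and the sample packets are assumptions of this example, not text taken from the draft.

```python
import struct

DHCPV6_CLIENT_PORT = 546        # DHCPv6 clients listen on UDP 546, servers and relays on 547
UDP, FRAGMENT = 17, 44          # IPv6 Next Header values
OPTION_HEADERS = {0, 43, 60}    # hop-by-hop, routing, destination options


def classify(packet: bytes):
    """Walk the IPv6 header chain of one packet.

    Returns ("udp", dst_port), ("other", None) for a non-UDP payload or a
    later fragment, or ("unparsable", None) when the chain is cut short.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "unparsable", None
    next_header, offset = packet[6], 40
    while next_header in OPTION_HEADERS or next_header == FRAGMENT:
        if len(packet) < offset + 8:
            return "unparsable", None
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return "other", None     # later fragment: no upper-layer header here
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    if offset > len(packet):
        return "unparsable", None
    if next_header != UDP:
        return "other", None
    if len(packet) < offset + 8:
        return "unparsable", None
    return "udp", struct.unpack_from("!H", packet, offset + 2)[0]


def shield_verdict(ingress_port: str, packet: bytes, server_ports: set) -> str:
    """Decide what the switch does with a packet received on ingress_port."""
    if ingress_port in server_ports:
        return "forward"                 # legitimate servers and relays live here
    kind, dst_port = classify(packet)
    if kind == "unparsable":
        return "drop"                    # assumption: fail closed if the chain hides the port
    if kind == "udp" and dst_port == DHCPV6_CLIENT_PORT:
        return "drop"                    # server-to-client message from a host-facing port
    return "forward"


# --- constructed sample packets (not captured traffic) ---
def build_ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")   # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # Checksum left at 0: the filter never inspects it.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def demo() -> dict:
    advertise = build_udp(547, 546, b"\x02\x00\x00\x01")   # msg-type 2 (Advertise)
    solicit = build_udp(546, 547, b"\x01\x00\x00\x01")     # msg-type 1 (Solicit)
    dest_opts = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])          # destination options, PadN only
    first_frag = struct.pack("!BBHI", UDP, 0, 0x0001, 0x1234)
    later_frag = struct.pack("!BBHI", UDP, 0, 1 << 3, 0x1234)
    samples = {
        "advertise/access": ("access7", build_ipv6(UDP, advertise)),
        "advertise/uplink": ("uplink1", build_ipv6(UDP, advertise)),
        "solicit/access": ("access7", build_ipv6(UDP, solicit)),
        "advertise+destopt/access": ("access7", build_ipv6(60, dest_opts + advertise)),
        "short-first-fragment/access": ("access7", build_ipv6(FRAGMENT, first_frag + advertise[:4])),
        "later-fragment/access": ("access7", build_ipv6(FRAGMENT, later_frag + b"data")),
    }
    trusted = {"uplink1"}                # hypothetical server-facing port
    return {name: shield_verdict(port, pkt, trusted) for name, (port, pkt) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The destination-options and short-first-fragment cases show why the filter has to walk the whole header chain: a check that reads only the Next Header field of the fixed IPv6 header would forward both.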


From internet-drafts@ietf.org  Mon Oct 21 16:17:54 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C67411E87E0; Mon, 21 Oct 2013 16:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.572
X-Spam-Level: 
X-Spam-Status: No, score=-102.572 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sxPfH8nwDC3o; Mon, 21 Oct 2013 16:17:53 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EC20D11E87D3; Mon, 21 Oct 2013 16:17:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.80.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20131021231752.32534.95622.idtracker@ietfa.amsl.com>
Date: Mon, 21 Oct 2013 16:17:52 -0700
Cc: opsec@ietf.org
Subject: [OPSEC] I-D Action: draft-ietf-opsec-v6-04.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2013 23:17:54 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.

	Title           : Operational Security Considerations for IPv6 Networks
	Author(s)       : Kiran Kumar Chittimaneni
                          Merike Kaeo
                          Eric Vyncke
	Filename        : draft-ietf-opsec-v6-04.txt
	Pages           : 40
	Date            : 2013-10-21

Abstract:
   Knowledge and experience on how to operate IPv4 securely is
   available: whether it is the Internet or an enterprise internal
   network.  However, IPv6 presents some new security challenges.  RFC
   4942 describes the security issues in the protocol but network
   managers also need a more practical, operations-minded best common
   practices.

   This document analyzes the operational security issues in all places
   of a network (service providers, enterprises and residential users)
   and proposes technical and procedural mitigations techniques.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-v6

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-opsec-v6-04

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-v6-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From fgont@si6networks.com  Mon Oct 21 19:23:10 2013
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6E7811E8234 for <opsec@ietfa.amsl.com>; Mon, 21 Oct 2013 19:23:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_42=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pza+UfERT-uC for <opsec@ietfa.amsl.com>; Mon, 21 Oct 2013 19:23:10 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 1993011E8302 for <opsec@ietf.org>; Mon, 21 Oct 2013 19:23:02 -0700 (PDT)
Received: from [186.134.30.143] (helo=[192.168.123.127]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1VYRcY-0000tY-Jn; Tue, 22 Oct 2013 04:22:58 +0200
Message-ID: <5265C277.20807@si6networks.com>
Date: Mon, 21 Oct 2013 21:10:31 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>,  "opsec@ietf.org" <opsec@ietf.org>
References: <20131019230954.9604.42688.idtracker@ietfa.amsl.com> <97EB7536A2B2C549846804BBF3FD47E12379401D@xmb-aln-x02.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E12379401D@xmb-aln-x02.cisco.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2013 02:23:10 -0000

Hi, Eric,

On 10/20/2013 02:44 PM, Eric Vyncke (evyncke) wrote:
> document. Added reference to RFC 4987 (SYN flood). Clarification
> about what is meant by a loopback address/interface. The comment
> about static addresses for LLA and
> draft-ietf-6man-stable-privacy-addresses has been ignored because to
> our knowledge routers never use privacy extension addresses for their
> interfaces. 

You mean slaac? What about link-local addresses?

Anyway... has this doc been WGLC'ed? If not, I volunteer for reviewing
the document again (*if* such reviews are needed to progress the I-D :-) ).

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From mbehring@cisco.com  Tue Oct 22 05:18:31 2013
Return-Path: <mbehring@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0329811E836F for <opsec@ietfa.amsl.com>; Tue, 22 Oct 2013 05:18:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-hYY4ibnxIU for <opsec@ietfa.amsl.com>; Tue, 22 Oct 2013 05:18:26 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id E6E9811E81A0 for <opsec@ietf.org>; Tue, 22 Oct 2013 05:18:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3819; q=dns/txt; s=iport; t=1382444306; x=1383653906; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=Z8zVx8ZIQ1jwXVHIKhmC6uQx4SYOgfwCDh2gMdd9cEo=; b=B4J7XUZ87QK+uBhUQqRIrsUwwnoEb90hNwJfPsxRp1VNlJDHYt83tRNo e5QHQHxDdLj7wvW7cd811ndXwzODEv7ImznBvNMd/H5TvDqJENCqG9Gdk h9TFLhwN0MrPqpS+5I2iFAImMrHWNeyJfj1Qp2JBdbtpWniPzJzRhwkrb w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AlMFAI5sZlKtJV2a/2dsb2JhbABZgwc4Tga+SIEnFnSCJQEBAQQBAQELVwkXBAIBCBEEAQELHQcnCxQJCAIEARIIAYd9CAW7Do8VOAaDGYEKA4kHkDGQWIMkgio
X-IronPort-AV: E=Sophos;i="4.93,548,1378857600"; d="scan'208";a="275066738"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-8.cisco.com with ESMTP; 22 Oct 2013 12:18:25 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r9MCIPc0002101 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 22 Oct 2013 12:18:25 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.14]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0318.004; Tue, 22 Oct 2013 07:18:25 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, opsec chairs <opsec-chairs@tools.ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
Thread-Index: AQHOzSBW5EIb7aiAo0uwuyXzDPDD+pn+Ma0AgAGdWlA=
Date: Tue, 22 Oct 2013 12:18:24 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF1D8BDD79@xmb-rcd-x14.cisco.com>
References: <20131019230954.9604.42688.idtracker@ietfa.amsl.com> <97EB7536A2B2C549846804BBF3FD47E12379401D@xmb-aln-x02.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E12379401D@xmb-aln-x02.cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.198.54]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2013 12:18:31 -0000

OPsec chairs,

If there is still a slot to present in Vancouver, we would like to discuss
our last edits.

Michael

> -----Original Message-----
> From: Eric Vyncke (evyncke)
> Sent: 20 October 2013 11:45
> To: opsec@ietf.org
> Cc: Michael Behringer (mbehring)
> Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
>
> Here are the modifications that Michael and I did to the previous version
> (also thanking the reviewers)
>
> Thanks to Rama Darbha, we have removed the SHOULD hardcode the LLA to
> avoid changes of LLA when changing the MAC (same comment by Fernando
> as well).
>
> Thanks to Fernando Gont, we have removed old verbiage about 'authors
> recommend' as it is a balance between pros and cons. Added a reference to
> RFC 6724 (SAS) to use global address (such as loopback address) when
> generating an ICMP message. Added reference to the RFC about BGP & Co.
> We have also clarified some wording in the management plane traffic. We
> did not change the verbiage about out-of-band management as we assumed
> that it is outside of the scope of this document. Added reference to RFC
> 4987 (SYN flood). Clarification about what is meant by a loopback
> address/interface. The comment about static addresses for LLA and
> draft-ietf-6man-stable-privacy-addresses has been ignored because to our
> knowledge routers never use privacy extension addresses for their
> interfaces. The IXP section has also been updated about the amount of work
> to map all global addresses of IXP.
>
> Thanks also to Wes George: we have removed all "we propose" and "we
> recommend" as this is only a list of pros and cons and not a technique
> 'blessed' by the IETF. We also removed all references to RFC 2119 as it is an
> informational document. And we have also removed ambiguities.
>
> -éric
>
>
> > -----Original Message-----
> > From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf
> > Of internet-drafts@ietf.org
> > Sent: dimanche 20 octobre 2013 04:40
> > To: i-d-announce@ietf.org
> > Cc: opsec@ietf.org
> > Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> >  This draft is a work item of the Operational Security Capabilities
> > for IP Network Infrastructure Working Group of the IETF.
> >
> > 	Title           : Using Only Link-Local Addressing Inside an IPv6
> > Network
> > 	Author(s)       : Michael Behringer
> >                           Eric Vyncke
> > 	Filename        : draft-ietf-opsec-lla-only-04.txt
> > 	Pages           : 9
> > 	Date            : 2013-10-19
> >
> > Abstract:
> >    In an IPv6 network it is possible to use only link-local addresses on
> >    infrastructure links between routers.  This document discusses the
> >    advantages and disadvantages of this approach to help the decision
> >    process for a given network.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-opsec-lla-only-04
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-lla-only-04
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at
> > tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > OPSEC mailing list
> > OPSEC@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsec

From internet-drafts@ietf.org  Tue Oct 22 06:24:15 2013
Return-Path: <internet-drafts@ietf.org>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C21911E83B2; Tue, 22 Oct 2013 06:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.572
X-Spam-Level: 
X-Spam-Status: No, score=-102.572 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qh9ZsAaUlYS3; Tue, 22 Oct 2013 06:24:14 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FC8211E84A9; Tue, 22 Oct 2013 06:24:10 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.80.p3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20131022132407.6863.53451.idtracker@ietfa.amsl.com>
Date: Tue, 22 Oct 2013 06:24:07 -0700
Cc: opsec@ietf.org
Subject: [OPSEC] I-D Action: draft-ietf-opsec-ipv6-nd-security-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2013 13:24:15 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF.

	Title           : Security Assessment of Neighbor Discovery (ND) for IPv6
	Author(s)       : Fernando Gont
                          Ronald P. Bonica
                          Will Liu
	Filename        : draft-ietf-opsec-ipv6-nd-security-00.txt
	Pages           : 62
	Date            : 2013-10-21

Abstract:
   Neighbor Discovery is one of the core protocols of the IPv6 suite,
   and provides in IPv6 similar functions to those provided in the IPv4
   protocol suite by the Address Resolution Protocol (ARP) and the
   Internet Control Message Protocol (ICMP).  Its increased flexibility
   implies a somewhat increased complexity, which has resulted in a
   number of bugs and vulnerabilities found in popular implementations.
   This document provides guidance in the implementation of Neighbor
   Discovery, and documents issues that have affected popular
   implementations, in the hopes that the same issues do not repeat in
   other implementations.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-nd-security

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-opsec-ipv6-nd-security-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From gvandeve@cisco.com  Tue Oct 22 06:49:57 2013
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2DEC11E8391 for <opsec@ietfa.amsl.com>; Tue, 22 Oct 2013 06:49:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level: 
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADHzdeLm247Y for <opsec@ietfa.amsl.com>; Tue, 22 Oct 2013 06:49:42 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 9155811E83A3 for <opsec@ietf.org>; Tue, 22 Oct 2013 06:49:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2524; q=dns/txt; s=iport; t=1382449780; x=1383659380; h=from:to:subject:date:message-id:mime-version; bh=2+xynYeEV7g8B71gFzElTMB46Br4C83p5nA6ZDKuyNo=; b=D9JrMSMp6TP7eZa7c4XAI/TgjG1RzgGV+R7Pr4F86riU2A3OurL+NY8i itorjuvOnH/Gg4UdslTHgMUgtZ17PEsKqQ9py0t+s/NBjRwe4pO8/5x0t laACawsufQ/huhBWbKjSoN2dEossF8KuDGwSLlU69yYyqthnQ2Y9GkBjC 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgwfAKuBZlKtJXHA/2dsb2JhbABZgXEEAU1EOFS+R4EjFm0HgicBBB0QXgEMHlYmAQQbh36ZSKFUjxWDV4EKA6oQgySCKg
X-IronPort-AV: E=Sophos;i="4.93,548,1378857600";  d="scan'208,217";a="275106826"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-8.cisco.com with ESMTP; 22 Oct 2013 13:49:40 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id r9MDndEN002018 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <opsec@ietf.org>; Tue, 22 Oct 2013 13:49:40 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.116]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.02.0318.004; Tue, 22 Oct 2013 08:49:39 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: IETF88 Agenda items
Thread-Index: Ac7PLSna1GKJXChUSCyJuTX4TXeAqw==
Date: Tue, 22 Oct 2013 13:49:38 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240D2E8EB4@xmb-aln-x12.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.21.146.195]
Content-Type: multipart/alternative; boundary="_000_67832B1175062E48926BF3CB27C49B240D2E8EB4xmbalnx12ciscoc_"
MIME-Version: 1.0
Subject: [OPSEC] IETF88 Agenda items
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2013 13:49:57 -0000

--_000_67832B1175062E48926BF3CB27C49B240D2E8EB4xmbalnx12ciscoc_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Folks,

Call for Agenda items.
Let the chairs know if you desire airtime.

Brgds,
OPSEC chairs

--_000_67832B1175062E48926BF3CB27C49B240D2E8EB4xmbalnx12ciscoc_--

From gvandeve@cisco.com  Wed Oct 23 01:37:13 2013
Return-Path: <gvandeve@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 289CF11E8330 for <opsec@ietfa.amsl.com>; Wed, 23 Oct 2013 01:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.536
X-Spam-Level: 
X-Spam-Status: No, score=-10.536 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPXZ5h3ILJe4 for <opsec@ietfa.amsl.com>; Wed, 23 Oct 2013 01:37:05 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id F1BD311E817D for <opsec@ietf.org>; Wed, 23 Oct 2013 01:37:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4336; q=dns/txt; s=iport; t=1382517425; x=1383727025; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=+buGxbF5xREigmn+F/Czs6SmhxCyT8r1lwCJ/NJCCB8=; b=QpTn07VStp/T82zyTr2DqHUat8G1RnYCR3GBnJJPD6o84cTFfuHTqP/v Dql/TNvRBnnYxMin4pGmlSbJja1XieO5uLwmrpFMkQDNOSuyiRvsYD4l6 kmUGVz5hMsKhx7ZGyIDs5nT271QV19lhafC95AJR3fGFfagFNDyhKpfB2 E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah4FAPuJZ1KtJV2b/2dsb2JhbABZgwc4Tga+TIEkFnSCJQEBAQQBAQELVwkXBAIBCBEEAQELHQcnCxQJCAIEARIIAYd9CAW6UY8dOAaDGYELA4kHkDGQWIMkgio
X-IronPort-AV: E=Sophos;i="4.93,553,1378857600"; d="scan'208";a="275484022"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-2.cisco.com with ESMTP; 23 Oct 2013 08:37:02 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r9N8b1QY030677 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 23 Oct 2013 08:37:01 GMT
Received: from xmb-aln-x12.cisco.com ([169.254.7.116]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.02.0318.004; Wed, 23 Oct 2013 03:37:01 -0500
From: "Gunter Van de Velde (gvandeve)" <gvandeve@cisco.com>
To: "Michael Behringer (mbehring)" <mbehring@cisco.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>, "opsec chairs" <opsec-chairs@tools.ietf.org>
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
Thread-Index: AQHOzSBWSU0/i4BAxkiF+SNuVP0bLZn+Ma0AgALJfwCAAQCU4A==
Date: Wed, 23 Oct 2013 08:37:01 +0000
Message-ID: <67832B1175062E48926BF3CB27C49B240D2ECEE0@xmb-aln-x12.cisco.com>
References: <20131019230954.9604.42688.idtracker@ietfa.amsl.com> <97EB7536A2B2C549846804BBF3FD47E12379401D@xmb-aln-x02.cisco.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF1D8BDD79@xmb-rcd-x14.cisco.com>
In-Reply-To: <3AA7118E69D7CD4BA3ECD5716BAF28DF1D8BDD79@xmb-rcd-x14.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.61.93.25]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2013 08:37:13 -0000

Ok, we will slot you in.

G/

-----Original Message-----
From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Michael Behringer (mbehring)
Sent: 22 October 2013 14:18
To: Eric Vyncke (evyncke); opsec@ietf.org; opsec chairs
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt

OPsec chairs,

If there is still a slot to present in Vancouver, we would like to discuss
our last edits.

Michael

> -----Original Message-----
> From: Eric Vyncke (evyncke)
> Sent: 20 October 2013 11:45
> To: opsec@ietf.org
> Cc: Michael Behringer (mbehring)
> Subject: RE: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
>
> Here are the modifications that Michael and I did to the previous
> version (also thanking the reviewers)
>
> Thanks to Rama Darbha, we have removed the SHOULD hardcode the LLA to
> avoid changes of LLA when changing the MAC (same comment by Fernando
> as well).
>
> Thanks to Fernando Gont, we have removed old verbiage about 'authors
> recommend' as it is a balance between pros and cons. Added a reference
> to RFC 6724 (SAS) to use global address (such as loopback address)
> when generating an ICMP message. Added reference to the RFC about BGP & Co.
> We have also clarified some wording in the management plane traffic.
> We did not change the verbiage about out-of-band management as we
> assumed that it is outside of the scope of this document. Added
> reference to RFC 4987 (SYN flood). Clarification about what is meant by a
> loopback address/interface. The comment about static addresses for LLA and
> draft-ietf-6man-stable-privacy-addresses has been ignored because to
> our knowledge routers never use privacy extension addresses for their
> interfaces. The IXP section has also been updated about the amount of
> work to map all global addresses of IXP.
>
> Thanks also to Wes George: we have removed all "we propose" and "we
> recommend" as this is only a list of pros and cons and not a technique
> 'blessed' by the IETF. We also removed all references to RFC 2119 as
> it is an informational document. And we have also removed ambiguities.
>
> -éric
>
>
> > -----Original Message-----
> > From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf
> > Of internet-drafts@ietf.org
> > Sent: dimanche 20 octobre 2013 04:40
> > To: i-d-announce@ietf.org
> > Cc: opsec@ietf.org
> > Subject: [OPSEC] I-D Action: draft-ietf-opsec-lla-only-04.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> >  This draft is a work item of the Operational Security Capabilities
> > for IP Network Infrastructure Working Group of the IETF.
> >
> > 	Title           : Using Only Link-Local Addressing Inside an IPv6
> > Network
> > 	Author(s)       : Michael Behringer
> >                           Eric Vyncke
> > 	Filename        : draft-ietf-opsec-lla-only-04.txt
> > 	Pages           : 9
> > 	Date            : 2013-10-19
> >
> > Abstract:
> >    In an IPv6 network it is possible to use only link-local addresses on
> >    infrastructure links between routers.  This document discusses the
> >    advantages and disadvantages of this approach to help the decision
> >    process for a given network.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-opsec-lla-only-04
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-lla-only-04
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at
> > tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > OPSEC mailing list
> > OPSEC@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsec
