David, Lucy,
Having thought about it a little more, would you mind if I crafted the text as
follows:
The security section of [RFC 4023] identifies threats encountered when MPLS is
delivered over GRE. These threats apply equally to any GRE payload that is
delivered over GRE. As stated in RFC 4023, these threats can be mitigated by
authenticating and/or encrypting the delivery packet using IPSec [RFC 4301]
procedures. When the payload is IPv6, they can also be mitigated by
authenticating and/or encrypting the payload using IPSec. Beyond that, the
current specification introduces no security considerations beyond those
mentioned in RFC 2784.
More generically, security considerations for IPv6 are discussed in [RFC4942],
operational security for IPv6 is discussed in [I-D.ietf-opsec-v6], and security
concerns for tunnels in general are discussed in [RFC6169].
Ron
> -----Original Message-----
> From: David Farmer [mailto:[email protected]]
> Sent: Friday, April 10, 2015 2:52 PM
> To: Ronald Bonica; Lucy yong; [email protected]; [email protected]
> Cc: David Farmer
> Subject: Re: [Int-area] FW: New Version Notification for
> draft-ietf-intarea-gre-ipv6-05.txt
>
> I agree with Lucy, I'd like to see a direct reference to IPsec. How about
> something like what Lucy had and then reference RFC 4023 for a more
> extensive discussion.
>
> IPsec [RFC4301] can be used to provide payload security and privacy
> over an IP network where security is a concern, the Security
> Considerations section of MPLS in GRE [RFC4023] discusses this more
> extensively and applies equally to the current specification. Beyond
> that, the current specification introduces no security
> considerations beyond those mentioned in RFC 2784.
>
> I'd like to see general security references for IPv6 and tunnels included as
> well, maybe something like the following as a second paragraph.
>
> More generically, security considerations for IPv6 are discussed in
> [RFC4942], operational security for IPv6 is discussed in
> [I-D.ietf-opsec-v6], and security concerns for tunnels in general are
> discussed in [RFC6169].
>
> Thanks
>
> On 4/10/15 08:21 , Ronald Bonica wrote:
> > Hi Lucy,
> >
> > MPLS over GRE [RFC 4023] has exactly the same security issues as IPv6 over
> > GRE. Fortunately, RFC 4023 has an extensive Security Considerations section
> > that references IPSec. So, the current document references RFC 4023 and
> > gets IPSec through one layer of indirection.
> >
> >
> > Ron
> >
> >
> >> -----Original Message-----
> >> From: Lucy yong [mailto:[email protected]]
> >> Sent: Thursday, April 09, 2015 5:15 PM
> >> To: Ronald Bonica; [email protected]; [email protected]
> >> Subject: RE: [Int-area] FW: New Version Notification for
> >> draft-ietf-intarea-gre-ipv6-05.txt
> >>
> >> Hi Ron,
> >>
> >> Security considerations should state that IPsec [RFC4301] can be used
> >> to provide payload security and privacy over an IP network where the
> >> security is a concern.
> >>
> >> Thanks,
> >> Lucy
> >>
> >> -----Original Message-----
> >> From: Int-area [mailto:[email protected]] On Behalf Of Ronald
> >> Bonica
> >> Sent: Thursday, April 09, 2015 4:03 PM
> >> To: [email protected]; [email protected]
> >> Subject: [Int-area] FW: New Version Notification for
> >> draft-ietf-intarea-gre-ipv6-05.txt
> >>
> >> Folks,
> >>
> >> I have updated draft-ietf-intarea-gre-ipv6. Please tell me if I have
> >> addressed all of your comments.
> >>
> >> Ron
> >>
> >>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:[email protected]]
> >>> Sent: Thursday, April 09, 2015 4:58 PM
> >>> To: Ronald Bonica; Suresh Krishnan; Suresh Krishnan; Carlos
> >>> Pignataro; Ronald Bonica; Carlos Pignataro
> >>> Subject: New Version Notification for
> >>> draft-ietf-intarea-gre-ipv6-05.txt
> >>>
> >>>
> >>> A new version of I-D, draft-ietf-intarea-gre-ipv6-05.txt
> >>> has been successfully submitted by Ron Bonica and posted to the IETF
> >>> repository.
> >>>
> >>> Name: draft-ietf-intarea-gre-ipv6
> >>> Revision: 05
> >>> Title: IPv6 Support for Generic Routing Encapsulation (GRE)
> >>> Document date: 2015-04-10
> >>> Group: intarea
> >>> Pages: 8
> >>> URL:
> >>> http://www.ietf.org/internet-drafts/draft-ietf-intarea-gre-ipv6-05.txt
> >>> Status:
> >>> https://datatracker.ietf.org/doc/draft-ietf-intarea-gre-ipv6/
> >>> Htmlized: http://tools.ietf.org/html/draft-ietf-intarea-gre-ipv6-05
> >>> Diff:
> >>> http://www.ietf.org/rfcdiff?url2=draft-ietf-intarea-gre-ipv6-05
> >>>
> >>> Abstract:
> >>> Generic Routing Encapsulation (GRE) can be used to carry any
> >>> network-layer payload protocol over any network-layer delivery protocol. GRE
> >>> procedures are specified for IPv4, used as either the payload or
> >>> delivery protocol. However, GRE procedures are not specified for
> >>> IPv6.
> >>>
> >>> This document specifies GRE procedures for IPv6, used as either the
> >>> payload or delivery protocol. It updates the GRE specification, RFC
> >>> 2784.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Please note that it may take a couple of minutes from the time of
> >>> submission until the htmlized version and diff are available at
> >>> tools.ietf.org.
> >>>
> >>> The IETF Secretariat
> >>
> >> _______________________________________________
> >> Int-area mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/int-area
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > [email protected]
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
> >
>
>
> --
> ================================================
> David Farmer Email: [email protected]
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 1-612-626-0815
> Minneapolis, MN 55414-3029 Cell: 1-612-812-9952
> ================================================