I think that this is worthwhile work for Opsec to undertake, because ND
security is definitely something that not all vendors and SPs have a handle on
yet, and it's really useful to have all of the information in one place to be
able to point vendors at when trying to improve the state of ND security.
That said, I have some concern about the current format of this document vs.
its name and intent. This is supposed to be a security assessment, but rather
than simply identifying the current vulnerabilities, it also provides
recommendations on how to secure against them. This is certainly good
information that I support being in a document, we just need to decide if it
belongs in this document and whether that drives a title and abstract change to
reflect the document's purpose more accurately, or whether we want to split out
mitigation from assessment.
The doc is currently informational, and does not include any RFC2119
boilerplate, but it makes recommendations for behaviors that are not explicitly
required by the existing protocol implementation. Many of the places where
"...should..." appears in the document look prescriptive/normative to me, and
it's not always clear from the text/references whether this is simply
reiterating what is already in the standard, or making a new recommendation for
better security.
e.g. section 3.1: " If
the packet does not pass this check, it should be silently dropped.
While this is not explicitly required in [RFC4861] this provides
an additional counter-measure (other than the validation of the
Hop Limit) for non-local malicious nodes willing to make use of
Router Solicitation messages for reconnaissance purposes."
Perhaps BCP would be a better choice, or info with 2119 keywords, I don't know.
I'd also recommend moving the current section 6 much earlier in the document,
so that you start by discussing the vulnerabilities, and then you can go into
the recommendations on ND validations (current section 3). I'm not sure how
sections 4 and 5 fit into that framework, since they appear to be talking about
vulnerabilities as well, but I know that the current one doesn't seem very
intuitive to me.
Thanks,
Wes George
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Warren Kumari
> Sent: Wednesday, September 11, 2013 10:17 AM
> To: [email protected]; [email protected]
> Cc: Warren Kumari
> Subject: [OPSEC] Call for Adoption: draft-gont-opsec-ipv6-nd-security-01
>
> Dear OpSec WG,
>
> This starts a Call for Adoption for draft-gont-opsec-ipv6-nd-security-
> 01.
>
Anything below this line has been added by my company's mail server, I have no
control over it.
-----------------
This E-mail and any of its attachments may contain Time Warner Cable
proprietary information, which is privileged, confidential, or subject to
copyright belonging to Time Warner Cable. This E-mail is intended solely for
the use of the individual or entity to which it is addressed. If you are not
the intended recipient of this E-mail, you are hereby notified that any
dissemination, distribution, copying, or action taken in relation to the
contents of and attachments to this E-mail is strictly prohibited and may be
unlawful. If you have received this E-mail in error, please notify the sender
immediately and permanently delete the original and any copy of this E-mail and
any printout.
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
