Hello Donald,

As for Tim Chown's review, here is my belated reply...

Look for EV>

Thank you for the review

-éric


-----Original Message-----
From: "Smith, Donald" <donald.sm...@centurylink.com>
Date: Monday, 2 July 2018 at 22:14
To: Tim Chown <tim.ch...@jisc.ac.uk>, "ops-...@ietf.org" <ops-...@ietf.org>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6....@ietf.org" <draft-ietf-opsec-v6....@ietf.org>
Subject: Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

    Routing security talks exclusively to OSPFv3, which isn't in common use
    externally today; BGP would be a better choice.

EV> I made the reference to RFC 7454 more prominent in the text.

    2.1.1 This:
    There are many scanning
       techniques and more to come possible, hence, operators should never
       relly on the 'impossible to find because my address is random'
       paradigm.

    Should probably be this:
    There are many scanning techniques and possibly more to come, hence,
    operators should never rely on the 'impossible to find because my address is
    random' paradigm.

    Or adding Tom's suggestion:
    There are many scanning techniques and possibly more to come, hence,
    operators should never rely on the 'security by obscurity' paradigm.

EV> Indeed, the text has changed following Tim's suggestion.

    Maybe it doesn't belong there, but this appears to be a potential new smurf
    amplification vector.

    "Another way works only for local network, it consists in sending a
       ICMP ECHO_REQUEST to the link-local multicast address ff02::1 which
       is all IPv6 nodes on the network.  All nodes should reply to this
       ECHO_REQUEST per [RFC4443]."

EV> Except that this is local only (packets to ff02::1 will not be forwarded by
an IP router). So, the attack is local only (but could be a real annoyance in
some settings).

    But maybe that belongs in 4443 or some other draft?



    I feel some mention of anycast used for DDoS Reflection and Amplification
    (RA) should be included (again, might be out of scope)?

EV> I agree that RFC 4443 did not take this amplification attack into
consideration. At least nowadays, large layer-2 networks (notably Wi-Fi) have
disabled link-local multicast. Added a new section 2.3.6 on this issue.



    Metric System < +000 > -000
    Extra People's Terribly Good Meals Kept mY uNCLE Ned Purring For Ages
    Exa Peta Tera Giga Mega Kilo milli Micro(u) Nano Pico Femto Atto
    donald.sm...@centurylink.com
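As an added example (not part of this thread or of draft-ietf-opsec-v6), the following Python walks constructed, tcpdump-style ICMPv6 log lines and measures how many distinct nodes answered each echo request sent to ff02::1, which is the local amplification effect the review discusses; the log format, timestamps and link-local addresses are assumptions made for the example.

```python
"""Echo-reply fan-out for ICMPv6 echo requests sent to the all-nodes group ff02::1.
Added example (not from the OPSEC thread or draft-ietf-opsec-v6); log lines are constructed."""
import re

ALL_NODES = "ff02::1"  # link-scope all-nodes multicast; never forwarded by routers

# Constructed capture imitating tcpdump's ICMPv6 summary: one ff02::1 request answered
# by three nodes, one unicast echo exchange (not amplification), one unanswered request.
SAMPLE_LOG = """\
12:00:01.000 IP6 fe80::1 > ff02::1: ICMP6, echo request, id 7, seq 1
12:00:01.001 IP6 fe80::a > fe80::1: ICMP6, echo reply, id 7, seq 1
12:00:01.002 IP6 fe80::b > fe80::1: ICMP6, echo reply, id 7, seq 1
12:00:01.003 IP6 fe80::c > fe80::1: ICMP6, echo reply, id 7, seq 1
12:00:02.000 IP6 fe80::1 > fe80::a: ICMP6, echo request, id 8, seq 1
12:00:02.001 IP6 fe80::a > fe80::1: ICMP6, echo reply, id 8, seq 1
12:00:03.000 IP6 fe80::9 > ff02::1: ICMP6, echo request, id 9, seq 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"ICMP6, echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)$"
)

def parse(log):
    """Yield one dict per ICMPv6 echo line; anything else is ignored."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def multicast_echo_report(log):
    """Map (requester, id, seq) of each ff02::1 echo request to the set of repliers.
    Replies are matched on (requester, id, seq), so unicast echo traffic is not counted."""
    responders = {}
    for pkt in parse(log):
        ident = (int(pkt["id"]), int(pkt["seq"]))
        if pkt["kind"] == "request" and pkt["dst"] == ALL_NODES:
            responders.setdefault((pkt["src"],) + ident, set())
        elif pkt["kind"] == "reply" and ((pkt["dst"],) + ident) in responders:
            responders[(pkt["dst"],) + ident].add(pkt["src"])
    return responders

def amplification_factor(log):
    """Return (ff02::1 requests, distinct replies they drew, replies per request)."""
    report = multicast_echo_report(log)
    requests = len(report)
    replies = sum(len(r) for r in report.values())
    return requests, replies, (replies / requests if requests else 0.0)
```

Because ff02::1 is link-scope, a capture like this only ever shows the local segment, matching the point that the effect does not cross a router.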

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
