[ipv6hackers] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Andrew Walding awalding at gmail.com
Sat Feb 4 12:04:03 -03 2023


Hi Fernando,
There is a typo in Section 4.1 I think (sunch instead of such).
A couple of general comments.
I think this is a good subject and one that probably needs guidance as this
document suggests.  That said, I have the following thoughts:

   - I will start by being a bit picky.  I think the wording describing the
   issues is spread too vaguely and needs to be more specific as to the
   addressing issues.  For example in your email you say compared to IPv4
   where you are usually dealing with "an" address from a private or public
   network, but in IPv6 a given host could have multiple addresses in multiple
   prefixes/networks then compounded with the various address types of IPv6,
   yet this is muddled in the document itself.  I mean that is the point in
   the end - you cannot deal with IPv6 the same way you deal with IPv4 in this
   security scenario.
   - Now let me be general in this second point.  I think there is a
   big piece missing in this document, and that is what are the correct ways
   of thinking when it comes to these scenarios with IPv6.  You certainly hint
   at them, and for those who have implemented IPv6 in firewalls, we get where
   you are going, but the problem is you really never get to the end game in
   this draft.  Perhaps that was your intent, so that future drafts would add
   the necessary detail.


Anyway, I hope this helps in some way,
Best,
Andy

On Thu, Feb 2, 2023 at 11:06 PM Fernando Gont <fgont at si6networks.com> wrote:

> Folks,
>
> I happened to participate in an IPv6 deployment meeting with some large
> content provider. Eventually there was a discussion about how to
> mitigate some attacks using block-lists, and they argued that they ban
> offending addresses (/128 for the IPv6 case), following IPv4 practices.
> While they had already deployed IPv6, some of the associated
> implications arising from the increased address space seemed to be
> non-obvious to them.
>
> So that's what motivated the publication of this document.
>
> * TXT:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
>
> Comments welcome!
>
> Thanks,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-opsec-ipv6-addressing-00.txt
> Date: Thu, 02 Feb 2023 19:48:40 -0800
> From: internet-drafts at ietf.org
> To: Fernando Gont <fgont at si6networks.com>, Guillermo Gont
> <ggont at si6networks.com>
>
>
> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name:           draft-gont-opsec-ipv6-addressing
> Revision:       00
> Title:          Implications of IPv6 Addressing on Security Operations
> Document date:  2023-02-02
> Group:          Individual Submission
> Pages:          8
> URL:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
>
>
> Abstract:
>     The increased address availability provided by IPv6 has concrete
>     implications on security operations.  This document discusses such
>     implications, and sheds some light on how existing security
>     operations techniques and procedures might need to be modified
>     to accommodate the increased IPv6 address availability.
>
>
>
>
> The IETF Secretariat
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> https://lists.si6networks.com/mailman/listinfo/ipv6hackers
>


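Added example (not part of the original thread or of the draft): a Python sketch of the block-list issue discussed above, where /128 bans carried over from IPv4 practice miss a host that shows up with another address in the same prefix. The /64 aggregation length, the threshold of 3, the class name and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions of this sketch (not taken from the thread or the draft):
AGG_PREFIXLEN = 64    # treat a /64 as the unit one host or subscriber controls
ESCALATE_AFTER = 3    # distinct offending /128s in one /64 before the /64 is banned

class PrefixAwareBlocklist:
    def __init__(self):
        self.networks = set()            # banned networks (/32, /128 or /64)
        self._seen = defaultdict(set)    # /64 -> offending addresses seen in it

    def report(self, text):
        """Record an offending source address; return the network now banned."""
        addr = ipaddress.ip_address(text)
        if addr.version == 4:
            net = ipaddress.IPv4Network(addr)   # IPv4 practice: one address, one entry
            self.networks.add(net)
            return net
        covering = ipaddress.IPv6Network((addr, AGG_PREFIXLEN), strict=False)
        self._seen[covering].add(addr)
        if len(self._seen[covering]) >= ESCALATE_AFTER:
            # Replace the individual /128 entries with the covering prefix.
            # A /64 ban also hits any other host in it; the threshold is the knob.
            self.networks = {n for n in self.networks
                             if not (n.version == 6 and n.subnet_of(covering))}
            self.networks.add(covering)
            return covering
        host = ipaddress.IPv6Network(addr)      # /128 entry
        self.networks.add(host)
        return host

    def is_blocked(self, text):
        addr = ipaddress.ip_address(text)
        return any(addr in n for n in self.networks if n.version == addr.version)

def demo():
    # Constructed sample: one source seen with several addresses inside
    # 2001:db8:0:1::/64 (documentation prefix), plus one IPv4 source.
    offending = ["2001:db8:0:1::a", "2001:db8:0:1::b", "192.0.2.7", "2001:db8:0:1::c"]
    per_address = {ipaddress.ip_address(a) for a in offending}   # /128-only bans
    aware = PrefixAwareBlocklist()
    banned = [str(aware.report(a)) for a in offending]
    nxt = "2001:db8:0:1:1234:5678:9abc:def0"    # same prefix, address not seen before
    return banned, ipaddress.ip_address(nxt) in per_address, aware.is_blocked(nxt)
```
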