
Re: I-D ACTION:draft-ietf-v6ops-nap-01.txt



On Wed, 15 Jun 2005, Fred Baker wrote:
> Gunter tells me that this draft was almost ready for submission when I issued the last call on the previous version. oops. Let's restart the last call today, reviewing this draft, and ending two weeks from today.

As Jonne was mentioning (and I've stated this in the past, but not as clearly as he did), I think the MIPv6 tunnels for topology hiding should be rephrased slightly to make it just an example of a tunneling mechanism for topology hiding. As he said, any tunneling is just fine. At the moment, something different is possibly easier to provide; in the future, if MIPv6 provisioning methods improve, maybe it gets more popular (and easier).


I think the doc is in pretty good shape, and after a quick update, ready to go forward.

As a procedural point, it might be courteous to ask for external review from NAT communities (e.g., behave WG chairs, [dare I say this] Keith Moore, maybe some others) to make sure the technical content of the document is OK, because this won't be IETF last called.

substantial
-----------

   When IPv6 NAP is utilized in these three domains then for the first
   category it will be possible to use the same solutions as described
   in chapter 5.1.  The second domain of the ISP/carrier is the
   Operations network.  This environment tends to be a closed
   environment, and consequently intra- communication can be done based
   on ULA addresses.  This would give a stable configuration with
   respect to a local IPv6 address plan.  Using these local scope
   addresses would also prevent from being accessed from the external
   network.

==> For ISP/carrier grade, they already have very stable addresses, so they
don't need ULAs for PI purposes.  I also think the ISP/carriers should be
qualified enough to set up proper filtering, so "prevent from being
accessed" doesn't seem like a winning argument either.

So, I'd remove the case for ULA for ISP/carrier backbones completely.

...

6.  IPv6 gap analysis

==> this section needs major updates. Specifically, 'Completion of work on ULAs' needs to be removed or seriously reworded (the work is finished already). Similarly, as the renumbering procedure is already also in RFC ed-queue, section 6.4 requires a bit of new phrasing as well. Further, untraceable addresses seem to be discussed in sections 6.2, 6.3 and 6.6; the text should be made more focused. Lastly, in 6.3, I'd say "topology masking _may be_ required" instead of "is required", because whether this is needed or not is a value judgment (which I don't encourage myself, but can live with).


semi-editorial
--------------

2.2  Simple security due to stateful filter implementation

   A firewall doesn't fully secure a network, because many attacks come
   from inside or are at a layer higher than the firewall can protect
   against.  In the final analysis, every system has to be responsible
   for its own security, and every process running on a system has to be
   robust in the face of challenges like stack overflows etc.  What a
   firewall does is prevent a network administration from having to pay
   for bandwidth to carry unauthorized traffic, and in so doing reduce
   the probability of certain kinds of attacks across the protected
   boundary.

   A distributed security mechanism to protect the end-systems may help
   in the above situation; however, to deploy such a system is quite
   complex and may depend upon behaviour per operating system and
   release version.  As a result it will probably not be available in
   the next couple of years for end-user organizations.  End-system-only
   security mechanisms don't protect the network infrastructure from
   being misused for transit, or against DDOS attacks against individual
   systems inside, and this is the area where a NAT device is perceived
   to provide some relief.

==> these _exact_ same paragraphs appear at the start of section 2.4 as well? I suggest removing duplicate text from 2.4 as these issues don't have much to do with 2.4 (privacy & topology hiding)

   3.  The size of the typical subnet ::/64 will make a network ping
       sweep and resulting port-scan virtually impossible due to the
       amount of possible combinations available.  This goes from the
       assumption that the attacker has no access to a local connection.
       If an attacker has local access then he could use ND [3] and
       ping6 to ff02::1 to detect local neighbors.  (Of course, a
       locally connected attacker has many scanning options with IPv4 as
       well.)  It is recommended for site administrators to take [17]
       into consideration to achieve the expected goal.
[...]
   Assuming the network administrator is aware of [17] the increased
   size of the IPv6 address will make topology probing much harder, and
   almost impossible for IPv6 devices.  What one does when topology
   probing is to get an idea of the available hosts inside an
   enterprise.  This mostly starts with a ping-sweep.  This is an
   automated procedure of sending Internet Control Message Protocol
   (ICMP) echo requests (also known as PINGs) to a range of IP addresses
   and recording replies.  This can enable an attacker to map the
   network.  Since the IPv6 subnets are 64 bits worth of address space,
   this means that an attacker has to send out a simply unrealistic
   number of pings to map the network, and virus/worm propagation will
   be thwarted in the process.  At full rate 40Gbps (400 times the
   typical 100Mbps LAN, and 13,000 times the typical DSL/Cable access
   link) it takes over 5000 years to scan a single 64 bit space.

==> There seemed to be some amount of text duplication about ping sweeping, and it seems a bit illogical to have it described at more length after it has already been introduced?

5.  Case Studies

   It is possible to divide the type of networks in different
   categories.  This can be done on various criteria.  The criteria used
   within this document are based on the number of components or
   connections.  [...]

==> clarify what you mean by 'connections'.  For different people at
different ISO layers it means completely different things.




editorial
---------

  Wide-scale deployments have shown that using NAT to attach a private
   IPv4 network to the Internet is simple and practical for the non-
   technical end user.  Frequently a simple user interface is sufficient
   for configuring both device and application access rights.

==> even more frequently, the users don't configure these boxes at all..?

Van de Velde, et al.    Expires December 3, 2005                [Page 6]
Internet-Draft    IPv6 Network Architecture Protection         june 2005

==> s/june/June/

For these
   reasons the sense of security provided by NAT are actually false.

==> s/are/is/

   Once a list of available devices and IP addresses has been mapped, a
   port-scan on these IP addresses can be performed.  Scanning works by
   tracking which ports do not receive unreachable errors from either
   the firewall or host.

==> s/unreachable/ICMP unreachable/ or was the wording specifically chosen
this way (to a degree also including TCP RSTs and such)?

   The random assignment has as purpose to confuse the outside world on

==> s/as/a/

4.1  Simple gateway between Internet and internal network

==> please reorganize this one long paragraph to 2-3 shorter ones.

  The ongoing subnet size maintenance may become simpler when IPv6
   technology is utilised.  If IPv4 address space is optimised one has
   periodically to look into the number of hosts on a segment and the
   subnet size allocated to the segment;

==> s/periodically to look/to look periodically/

   can be concatenated.  A single /48 alloaction provides an enterprise

==> s/alloac/alloca/

This means that the ISP will provide the
   enterprise with an IPv6 address-range (typically a one or multiple
   range(s) of '/48') from its RIR assigned IPv6 address-space.  The
   goal of this allocation mechanism is to decrease the total amount of
   entries in the internet routing table.

==> remove one word from "a one"
==> s/allocation/assignment/

   IPv6 internet, then some form of 'Untraceable' addresses may be used.

==> s/Untraceable/untraceable/

   Operations network.  This environment tends to be a closed
   environment, and consequently intra- communication can be done based
   on ULA addresses.

==> intra- [what?] communication?
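The "over 5000 years" figure the draft gives for sweeping a single /64 at 40 Gbps (quoted above from the scanning section) is easy to check and to generalise to other prefix lengths and link rates. The following is an added worked example, not text or code from the draft or from this review; the probe size, the saturated-link assumption, and the assumption that interface identifiers are spread uniformly over the whole /64 (the case the draft's reference [17] addresses) are mine.

```python
# Added worked example (not part of draft-ietf-v6ops-nap or of the review):
# how long an exhaustive ping sweep of a prefix takes at a given link rate.
#
# Assumptions (mine, not the draft's):
#   - every probe is one minimal ICMPv6 echo request of PROBE_BYTES on the wire
#   - the link carries nothing but probes (an upper bound on the probe rate)
#   - addresses are uniformly spread over the prefix, so the attacker gains
#     nothing from structure in the interface identifiers

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PROBE_BYTES = 64  # assumed: 40 B IPv6 header + 8 B ICMPv6 echo + link framing


def addresses_in_prefix(prefix_len: int, total_bits: int = 128) -> int:
    """Number of addresses covered by a prefix of the given length."""
    if not 0 <= prefix_len <= total_bits:
        raise ValueError("prefix length out of range")
    return 1 << (total_bits - prefix_len)


def probes_per_second(link_bps: float, probe_bytes: int = PROBE_BYTES) -> float:
    """Upper bound on probe rate when the link is saturated with probes."""
    if link_bps <= 0 or probe_bytes <= 0:
        raise ValueError("link rate and probe size must be positive")
    return link_bps / (8 * probe_bytes)


def sweep_seconds(prefix_len: int, link_bps: float,
                  probe_bytes: int = PROBE_BYTES, total_bits: int = 128) -> float:
    """Seconds needed to send one probe to every address in the prefix."""
    return (addresses_in_prefix(prefix_len, total_bits)
            / probes_per_second(link_bps, probe_bytes))


def sweep_years(prefix_len: int, link_bps: float,
                probe_bytes: int = PROBE_BYTES, total_bits: int = 128) -> float:
    """Same as sweep_seconds, expressed in years."""
    return sweep_seconds(prefix_len, link_bps, probe_bytes, total_bits) / SECONDS_PER_YEAR


def rate_ratio(fast_bps: float, slow_bps: float) -> float:
    """How many times faster one link is than another (the draft's 400x and 13,000x)."""
    return fast_bps / slow_bps


if __name__ == "__main__":
    # Link rates taken from the draft's own comparison (3 Mbps is the DSL/cable
    # rate implied by "13,000 times" slower than 40 Gbps).
    scenarios = [("40 Gbps link", 40e9), ("100 Mbps LAN", 100e6), ("3 Mbps DSL", 3e6)]
    for name, bps in scenarios:
        print(f"{name:>14}: IPv6 /64 sweep takes about {sweep_years(64, bps):,.0f} years")
    # Contrast: an IPv4 /24 at LAN speed is swept in about a millisecond.
    ms = sweep_seconds(24, 100e6, total_bits=32) * 1000
    print(f"IPv4 /24 at 100 Mbps: {ms:.2f} ms")
    print(f"40 Gbps is {rate_ratio(40e9, 100e6):.0f}x a 100 Mbps LAN")
```

With a 64-byte probe the /64 sweep works out to roughly 7,500 years, and even with a bare 48-byte IPv6+ICMPv6 packet it stays above the draft's 5,000-year figure, so the number is conservative under the uniform-distribution assumption. The practical caveat the draft itself flags via [17] is that this bound collapses when interface identifiers are predictable (sequentially assigned, or derived from a known MAC range), which is why the recommendation is to take [17] into account rather than to rely on the size of the /64 alone.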