warren - note well

agenda

gunter

kk 

observation slide

still rather little communication between the 300 participants.

gunter - itu liaison request on ipv6 security considerations in devices.

eliot lear - find me at another time.

gunter - opsec drafts update

documents to be removed...

to be kept - filter caps

fernando gont - presentation host scanning in ipv6 networks

sheds some light on a myth that scanning attacks are infeasible.

has something to do with assumption that /64 subnets are rather large.

document explores address scanning attacks, what the real search space is, and possible mitigations.

next draft will discuss non-traditional host scanning techniques...

how addresses are generated
slaac 
ipv4 based 
teredo 
low byte
privacy 
wordy
etc

slaac ieee oui ids
has at most 2^23 search space
 
virtual box or vmware specific oui
 
low byte address assignments 

mitigations
windows machines use a different interface id calculation method.

manually configured address not set to low byte.
  
local scanning  
  leverage the all-routers multicast address
      windows machines don't respond.
      unrecognized options generate an icmp error.
combine learned iids with known prefixes 
technique implemented in scan6 tool.

possible mitigations 
do not respond to multicast icmp echo

it's virtually impossible to mitigate scanning of local networks.

joel - 

tim chown - duplicating an existing rfc. rfc 5157 

fernando gont - dhcpv6-shield protecting against rogue dhcpv6 servers

complements ra-guard

enforced on all ports where you don't have a dhcpv6 server

joel - want to see a vendor involved in the draft

tim chown - rfc 6104 points to a draft potentially 

warren - process gate on 6man agreeing that upper layer protocol need to appear in first fragment.

? - do you distinguish between dhcp stateful and stateless?

fernando  - I don't

next preso 
nd-shield aims at blocking neighbor discovery attacks in link layer

filtering rules.

open issues - 

philip mathews - rule 3 how long 

    seems like a harsh requirement

jean-michel - rfc 6620 savi complements


next preso 

operational security considerations for ipv6 networks - merike kaeo

updates to 01

networks not as secure as they could be.

questions

paul hoffman - don't fill in the lawful intercept sections

tim chown - ulas exist, some of these devices may actually want to talk to the outside world... 

merike - monitoring e.g. attribution is problematic. accountability when devices are picking their own address.

? - are you looking to include 4to6 transition technologies.

richard graveman - like it goes back over the last 10 years  of work that didn't get published.

reference external documents in normative references sections.

warren 

we have a lot of documents

bill manning - kill off dane

joel  - 

tim chown - condensed document makes it easier.

warren senior -  general overload

next preso - 

michael behringer  - using link local addressing in core links.

    has consequences
    
possible advantages - 

wes george - other ways to reduce table size

bill manning - is the next slide disadvantages.

reduced attack surface versus loopbacks
deconstruct implications for traceroute

caveats - cannot ping an interface (only the router)

ron - one problem is that information is lost - you can no longer ping a specific interface

hardware dependency - link local may change.
    statically configured ll

mpls rsvp te requires global link address

feedback 

mark blanchet - one of the problems with link local is that it doesn't have the context of the interface. I think it's more error prone as a result.


changes - 

philip mathews - I went looking for that but I didn't find anything.

gunter - needs a nexthop,

joel jaeggli - no objection

bill manning - 

wes george - general operational document. 

merike - I like this document.

ron - was discussed in v6ops, if we adopted here.

warren - test for wg acceptance - who has read ( a few ) - who supports as a wg document ( fewer ) - who is opposed ( 1 ) 

new document - bgp operations and security  - gunter presenting 

changes between 01 and 00

mark blanchet - the rfc I wrote about special use prefixes is consigned to history 

joel  - special purpose registry.

ron 

bill 

arturo servin - in the future iana will create ROAs

warren - meeting is adjourned.