Notes for opsec

Meeting starts at 9:03

Blue sheet, Note Well, yadda yadda yadda


http://datatracker.ietf.org/doc/draft-ietf-opsec-v6
http://tools.ietf.org/html/draft-ietf-opsec-v6
"Operational Security Considerations for IPv6 Networks", KK Chittimaneni, Merike Kaeo, Eric Vyncke, 21-Sep-12

Merike Kaeo presents on the draft. Two people have read it.

There are a number of issues raised in the draft which are not necessarily new security issues, but do represent evolution of the architecture. The authors asked RIPE about the security issues they raise, but operators deploying IPv6 appear to be taking steps to deal with them.

Joel Jaeggli: around the discussion of the rate-limiting of ND/RA parameters, has questions about the use of SLAAC in networks that attach to the Internet; are there security concerns related to dynamic address allocation?

Security technologies in use:
    RIPE reports no SeND deployment
    users of BCP-38 in IPv4 "of course" implement it in IPv6

Seeking qualification of statements about DNS64's interaction with DNSSEC. Looking for operator input.

Joel Jaeggli and Fernando Gont: General comment regarding ::0/128 as the anycast address for "the local router".

Authors would like vendors to implement considerations in draft-gont-opsec-ipv6-nd-shield.

Ron Bonica: concerns about how extension headers are handled in stateless firewalls and other IPv6-related evolution of middleware. Various drafts in draft-gont-6man-* are relevant.


http://datatracker.ietf.org/doc/draft-jdurand-bgp-security
http://tools.ietf.org/html/draft-jdurand-bgp-security
"BGP operations and security", Jerome Durand, Ivan Pepelnjak, Gert Doering, 21-Sep-12

Merike Kaeo presents on the draft. Two in the meeting have read the document.

Document intends to coalesce information from a variety of sources into a comment document, with recommendations on control plane protection (as opposed to protecting the information exchanged in BGP, which is a SIDR topic).

General comment - Merike would like to refer to RIR templates rather than to RFCs for recommended configurations. Ron Bonica notes that many of these are being migrated from RFCs to RIR recommendations.

Straw poll in the room suggests adoption as a WG item.


http://datatracker.ietf.org/doc/draft-ietf-opsec-lla-only
http://tools.ietf.org/html/draft-ietf-opsec-lla-only
"Using Only Link-Local Addressing Inside an IPv6 Network", Michael Behringer, Eric Vyncke, 21-Sep-12

Comments received have varied; some have tried it and found it to work, and some feel that it makes their lives more difficult.

Ron Bonica suggests a revamp of the outline.

Benoit Claise would like comments about the work-arounds mentioned in the draft. There seems to be a lot of complexity there.

Ron Bonica and Joel Jaeggli don't like the proposal, but find it useful as an informational document. KK notes that it was changed from targeting BCP to Informational for reasons noted.

David Lamparter - notes comparison to IPv4 unnumbered interfaces, and suggests similar documentation be included.

End of session 10:02