Hi Fernando, Here are some thoughts after I reading the draft:
1. To my knowledge, the block-lists can be used for mitigating some DDoS attacks by putting the Zombie's addresses in the block-lists. Of course the lists should be updated dynamically in some way so as to reduce false negatives and false positives. 2. For "Both types of ACLs have a similar challenge in common": IMO, how to keep high accuracy for address filtering/validation in an efficient way is really a challenging problem for both manual configuration-based filtering and automated tool-based filtering. Particularly, I think (more from the operator's point of view) there should be zero false positive so that legitimate users are not affected and operators have confidence to conduct filtering operations (e.g., deploying some tools). On the basis of zero false positive, false negatives should be reduced as less as possible. 3. There are also some methods (e.g., RTBH [RFC 5635], uRPF [RFC3704]) which do address filtering based on FIB instead of ACL. Are they in the scope of the draft? Best, Nan -----Original Message----- From: OPSEC <opsec-boun...@ietf.org> On Behalf Of Fernando Gont Sent: Friday, February 3, 2023 12:28 PM To: opsec@ietf.org Subject: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Hi, All, I happened to participate in an IPv6 deployment meeting with some large content provider. Eventually there was a discussion about how to mitigate some attacks using block-lists, and they argued that they ban offending addresses (/128 for the IPv6 case), following IPv4 practices. While they had already deployed IPv6, some of the associated implications arising from the increased address space seemed to be non-obvious to them. So that's what motivated the publication of this document. * TXT: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt * HTML: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html Comments welcome! Thanks, Fernando -------- Forwarded Message -------- Subject: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt Date: Thu, 02 Feb 2023 19:48:40 -0800 From: internet-dra...@ietf.org To: Fernando Gont <fg...@si6networks.com>, Guillermo Gont <gg...@si6networks.com> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Name: draft-gont-opsec-ipv6-addressing Revision: 00 Title: Implications of IPv6 Addressing on Security Operations Document date: 2023-02-02 Group: Individual Submission Pages: 8 URL: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/ Htmlized: https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing Abstract: The increased address availability provided by IPv6 has concrete implications on security operations. This document discusses such implications, and sheds some light on how existing security operations techniques and procedures might need to be modified accommodate the increased IPv6 address availability. The IETF Secretariat _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
