Session Date/Time: 27 Jul 2023 22:30
opsec
Summary
The opsec working group meeting covered three main topics: security implications of IPv6 addresses, revisiting BGP security best practices, and network path validation ideas. The discussion around IPv6 addressing focused on its impact on security operations, specifically around access control lists, network correlation, neighbor cache exhaustion, firewalling, and network reconnaissance. The BGP security discussion centered on updating RFC 7454 to reflect current internet practices. Finally, network path validation using vector commitments was presented as a potential solution to enforce traffic paths in the data plane.
Key Discussion Points
- IPv6 Addressing Security Implications:
  - The document aims to address the knowledge gap among DevOps and cloud security teams regarding IPv6 and its security implications.
  - Discussion around scenarios where single IPv6 addresses map to multiple hosts.
  - Topics raised for inclusion: neighbor cache exhaustion, firewalling strategies (stable vs. temporary addresses), and network reconnaissance techniques.
  - General agreement that if a topic is extensively discussed in another document, a brief reference should suffice.
  - Discussion regarding whether it is specific to IPv6 that a single publicly visible address might actually represent multiple hosts and/or systems.
- Revisiting BGP Security Best Practices:
  - Tobias presented the need to update BCP 194 (RFC 7454) to reflect current internet practices, including RPKI and deaggregation.
  - The existing document does not adequately address current practices related to prefix filtering and peering arrangements.
  - It was decided that this is not an erratum but a new draft.
- Network Path Validation:
  - Jun Chi presented a path validation solution using vector commitments to enforce and verify traffic paths in the data plane.
  - Use cases include securing sensitive communications, verifying service function chaining, and assuring service level agreements.
  - Concerns were raised about the performance overhead, the ability of malicious nodes to subvert the system, and applicability to the broader internet.
  - Discussions about a transparent path and the implications.
  - Suggestions about discussing in by energy group.
  - Discussion about how much throughput the solution could allow.
Decisions and Action Items
- IPv6 Addressing Security Implications:
  - Fernanda will consider the feedback received and revise the document accordingly. Action: Fernanda to prepare new revision.
- Revisiting BGP Security Best Practices:
  - Tobias will work on a new draft to update BGP security best practices. Action: Tobias to work on new draft.
Next Steps
- Encourage further review and comments on the IPv6 addressing document.
- Tobias to prepare a new draft on BGP security best practices and present it at the next OPSEC meeting.
- Jun Chi to consider feedback and continue development of the path validation solution, perhaps discuss it in a byenergy group.