Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Christian Huitema <huitema@huitema.net> Tue, 08 December 2020 03:17 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 453CD3A0DEA for <dhcwg@ietfa.amsl.com>; Mon, 7 Dec 2020 19:17:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cjGZsTHfHd75 for <dhcwg@ietfa.amsl.com>; Mon, 7 Dec 2020 19:17:28 -0800 (PST)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E04AD3A0DCE for <dhcwg@ietf.org>; Mon, 7 Dec 2020 19:17:27 -0800 (PST)
Received: from xse119.mail2web.com ([66.113.196.119] helo=xse.mail2web.com) by mx171.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmTV8-000v13-1g for dhcwg@ietf.org; Tue, 08 Dec 2020 04:17:22 +0100
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4Cqlj84wPVz3JY2 for <dhcwg@ietf.org>; Mon, 7 Dec 2020 19:17:16 -0800 (PST)
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmTV6-0001Zb-J4 for dhcwg@ietf.org; Mon, 07 Dec 2020 19:17:16 -0800
Received: (qmail 26677 invoked from network); 8 Dec 2020 03:17:16 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.42]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <secdir@ietf.org>; 8 Dec 2020 03:17:15 -0000
Content-Type: multipart/alternative; boundary="Apple-Mail-C3F89CC6-C8D2-4AF0-B20A-C20744FB42A4"
Content-Transfer-Encoding: 7bit
From: Christian Huitema <huitema@huitema.net>
Mime-Version: 1.0 (1.0)
Date: Mon, 07 Dec 2020 19:17:14 -0800
Message-Id: <81C397F9-70EF-4917-8481-B0CC540ECC6E@huitema.net>
References: <D384486E-9FBF-42FB-AA11-3558DEC28B63@cisco.com>
Cc: Naveen Kottapalli <naveen.sarma@gmail.com>, secdir@ietf.org, last-call@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org
In-Reply-To: <D384486E-9FBF-42FB-AA11-3558DEC28B63@cisco.com>
To: "Bernie Volz (volz)" <volz@cisco.com>
X-Mailer: iPhone Mail (18B92)
X-Originating-IP: 66.113.196.119
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.119/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.119/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.09)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT/JbZr0IC4hsUrS+H+jGiiCPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zQNCpt9/2BbQ3dwpvTsiCXfYzfQXcfqmra3dmoHS4ygvy3 rtrykBUXjmhceuZLA+xWuRWrkPihq53YqAd1ENNqNmNzKeSfp5kYbCWONQIbmPoGl6x5IEQu/7SN wo15lcqpCkd2mmmDBSnM8Xo8GKoWamgxOzMqNCAfXxQyKYgwkMDuSboeZG0iQVHXireuHCeyJhXr Yza12wV4IuMNuf2SvRkWzsAgaWolxIxCj2GHtkrpu4AtVoDvzYsrGDq9GaeDw3VouFep1z6MLVFy dW53+sPa00WfFmZwEM/0ZmjjnrAKWWNb6xu6/FuTSPHZ46J0Dg9K+vwGh2YhLXUzLTJY1ILPlFjJ G5gqKfVSafr3dWErPLbt0n54j3vHX4q9ucblgTl6fJxyntEfhZCKje4ZrSpkrp4/bIk9ge4hHszj +yERbInMiTBIUBbQ/Dy6Ip6W0r4y0/5D4w5pBBP5WfwEiVI8YifosiHq99m3pO5z65V9UvvKDEjE gSFAGCy7uJronV+E7OMXRvgtdyMlnmWiLDQV97eBqXg5oBMProFOA3wgVkkWG6fKd6bHFMsPHf/E wrEzrzgQXv1uFC6lWjrteCoTPPxrkk/WF+YAy+vzURfjAFPOv5gvMD/E7jr4xox2jfA9OlQENpgQ FxWOsSotERWeKKG4PAQYNyavp7c49B3C+wiZiYfLFXzeWYSZ0aYFEtMYkDtPBfDm/HWcGTWm6hV5 B/wFXfajCc07NIy3UcE3gL0oEevLgIRJep1Aly0OVcZv254a1SspgLrZBCX/gUAsMv25yLkEQhbO MGISjTheMPxghFsjIwINNqkbXC8q7fBXfwiTkcwbv0dB5b3yNR3oW5YiBYO7UVjw0gdRPrII++x6 YSSQfv2n7TJ4De1knRDjH7QY7Fm+gQ0M40rBtaly/uPaPGs4IuAYIIDnnmIMx2SsJMcYcfaTa1Z5 siYOS4qqjKkTvrhEiORgsEtrMS+4ayUpOtEhdxekWDmK9g==
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/K4lxmk-ntxTfiKs7Sh5piMCqYVM>
Subject: Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 03:17:32 -0000
I do not think this is a new issue that should be fixed in this document. I have written that a couple times already. I do think that it would be nice to work on another document describing best practices to secure DHCP services. -- Christian Huitema > On Dec 7, 2020, at 6:01 PM, Bernie Volz (volz) <volz@cisco.com> wrote: > > There really aren’t any. Clients can generate different client-id and request prefix after prefix. > > However, as this document points out these relays usually have limits to what it may track (and likely it would drop those packets from reaching client). > > In some deployments, the number of prefixes allowed behind a particular relay is limited (at server or relay). Other mitigations may be shorter leases as then it comes down to how many can be requested during that time. > > The main question is what does this benefit anyone? It is a DoS but in general it has limited impact as prefixes tend to be topological, so it isn’t like you could assign all of the prefixes an ISP has — just what is allowed on that link. > > Why do you think this is a new issue that needs to be fixed in this document? > > In my experience we have not seen these kinds of attacks as they aren’t very useful. And it has been a dhcp issue since dhcpv4 (addresses were much more scarce). > > We tried securing dhcpv6...but it isn’t an easy problem to solve. > > - Bernie > >>> On Dec 7, 2020, at 8:06 PM, Christian Huitema <huitema@huitema.net> wrote: >>> >> >> >> >>> On 12/7/2020 4:31 AM, Bernie Volz (volz) wrote: >>> FYI: >>> >>>>> I understand that solutions like RA >>>>> Guard will in practice provide some protection, but the use of these solutions are >>>>> not discussed in RFC 8213. The DHCP WG might want to address that. >>> >>> RFC8415’s security considerations is rather extensive and includes reference to many techniques to reduce the issues. 8213 was written while 8415 was under development. >> In the context of the draft, I am concerned in particular with the "resource-exhaustion" DoS attack, through exhaustion of delegatable prefixes. The attack is mentioned in the security section of 8415, but I have not seen the proposed mitigation. >> >> -- Christian Huitema >> >>
- [dhcwg] Secdir last call review of draft-ietf-dhc… Christian Huitema via Datatracker
- Re: [dhcwg] Secdir last call review of draft-ietf… Naveen Kottapalli
- Re: [dhcwg] Secdir last call review of draft-ietf… Bernie Volz (volz)
- Re: [dhcwg] [Last-Call] Secdir last call review o… Ted Lemon
- Re: [dhcwg] [Last-Call] Secdir last call review o… Christian Huitema
- Re: [dhcwg] [Last-Call] Secdir last call review o… Bernie Volz (volz)
- Re: [dhcwg] [Last-Call] Secdir last call review o… Christian Huitema
- Re: [dhcwg] [Last-Call] Secdir last call review o… Christian Huitema