IETF Logo Mail Archive

Re: [dhcwg] Review of draft-ietf-v6ops-scanning-implications

Tim Chown <tjc@ecs.soton.ac.uk> Mon, 27 November 2006 17:03 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gojsp-0000Gm-S9; Mon, 27 Nov 2006 12:03:07 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gojso-0000EZ-GC for dhcwg@ietf.org; Mon, 27 Nov 2006 12:03:06 -0500
Received: from [2001:630:d0:f102:230:48ff:fe77:96e] (helo=owl.ecs.soton.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gojsh-0000sU-MO for dhcwg@ietf.org; Mon, 27 Nov 2006 12:03:06 -0500
Received: from goose.ecs.soton.ac.uk (goose.ecs.soton.ac.uk [152.78.68.131]) by owl.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id kARH2W9G030911; Mon, 27 Nov 2006 17:02:32 GMT
Received: from login.ecs.soton.ac.uk (login.ecs.soton.ac.uk [152.78.68.162]) by goose.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id kARH2Kik020623; Mon, 27 Nov 2006 17:02:20 GMT
Received: (from tjc@localhost) by login.ecs.soton.ac.uk (8.12.11.20060308/8.11.6) id kARH2GAN006101; Mon, 27 Nov 2006 17:02:16 GMT
Date: Mon, 27 Nov 2006 17:02:16 +0000
From: Tim Chown <tjc@ecs.soton.ac.uk>
To: Eric Klein <ericlklein@softhome.net>
Subject: Re: [dhcwg] Review of draft-ietf-v6ops-scanning-implications
Message-ID: <20061127170216.GJ26966@login.ecs.soton.ac.uk>
Mail-Followup-To: Eric Klein <ericlklein@softhome.net>, Stig Venaas <stig.venaas@uninett.no>, dhcwg@ietf.org, v6ops@ops.ietf.org
References: <8E296595B6471A4689555D5D725EBB2102A2B1AA@xmb-rtp-20a.amer.cisco.com> <027101c71242$1ec75570$0401a8c0@ftssoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <027101c71242$1ec75570$0401a8c0@ftssoft.com>
User-Agent: Mutt/1.4i
X-Null-Tag: dc8993efe73f7312389974e1134ad3f1
X-Null-Tag: e710ccfffb1aadcbb64b97da9abc57db
X-ECS-MailScanner: Found to be clean, Found to be clean
X-Spam-Status: No
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: v6ops@ops.ietf.org, dhcwg@ietf.org, Stig Venaas <stig.venaas@uninett.no>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org

On Mon, Nov 27, 2006 at 06:35:56PM +0200, Eric Klein wrote:
> On Thursday, November 23, 2006 Stig Venaas  wrote:
> >
> >Per Fred's request, please let v6ops and/or authors know if you have
> >any thoughts regarding this draft. In particular there is the following
> >section:
> >
> >4.2.  DHCP Service Configuration Options
> >
> >    The administrator should configure DHCPv6 so that the first
> >addresses
> >    allocated from the pool begins much higher in the address space than
> >    at [prefix]::1.  DHCPv6 also includes an option to use Privacy
> >    Extension [2] addresses, i.e. temporary addresses, as described in
> >    Section 12 of the DHCPv6 [5] specification.  It is desirable that
> >    allocated addresses are not sequential, nor have any predictable
> >    pattern to them.
> 
> I am not sure that I like the idea that we are suggesting that the DCHPv6 
> start higher than 1 for 2 reasons:
> 1. It reduces the number of addresses available, by 1 less than the 
> starting number chosen by the administrator. Yes I know that there are many 
> more numbers available, but I am hesitant to start recommending that they 
> be arbitrarily reduced for a dubious security consideration (see reason #2).

A nice property of IPv6 is that you have effectively infinite addresses on
a link.   You don't have to resize links like you do in IPv4 today.  You
don't need to worry about 'lost' space.

The aim of the text is to encourage DHCPv6 server implementors to support
an option to configure an address pool that can in effect serve addresses
randomly from that pool.   This implies some overhead in checking whether
such an address is already used, but that cost should in principle not be 
that high.

> 2. By stating that it is desirable, but not mandatory that the numbers from 
> the address pool of numbers are not allocated sequentially, you leave the 
> possibility that people choosing the easy coding methodology will still 
> allow it to be sequential. So, by choosing a number higher than 1 you have 
> only reduced the security implications by a few seconds as the scan will 
> eventually reach the first entry and then be able to scan the network. 

It would be likely to take more than a few seconds, and would probably
generate traffic that would alert an IDS to the scan.

Our evidence here is that we see scans run on specific ports of addresses
that we publish (DNS, MX, etc) and also on low addresses, <prefix>::1
being the primary example.   

Emphasis here is on the option to support this.   If you chose to number
sequentially from <prefix>::1 you choose to have easier-to-remember
addresses at the cost of a ignoring an opportunity for a little port 
scanning obfuscation.   It's a trade-off but it would be nice to have
the choice.

-- 
Tim



_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email