Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

"Bernie Volz (volz)" <volz@cisco.com> Tue, 08 December 2020 02:01 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: Christian Huitema <huitema@huitema.net>
CC: Naveen Kottapalli <naveen.sarma@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Date: Tue, 08 Dec 2020 02:01:32 +0000
Message-ID: <D384486E-9FBF-42FB-AA11-3558DEC28B63@cisco.com>
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com> <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com> <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>, <3d382362-9eed-5cb3-07b6-ee3e358d5e51@huitema.net>
In-Reply-To: <3d382362-9eed-5cb3-07b6-ee3e358d5e51@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/U3cQSKouq1tX1hot_THXrIRyfHE>
Subject: Re: [dhcwg] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04

There really aren’t any. Clients can generate different client-id and request prefix after prefix.

However, as this document points out, these relays usually have limits on what they may track (and likely they would drop those packets from reaching the client).

In some deployments, the number of prefixes allowed behind a particular relay is limited (at the server or relay). Other mitigations may include shorter leases, as then it comes down to how many can be requested during that time.

The main question is what does this benefit anyone? It is a DoS but in general it has limited impact as prefixes tend to be topological, so it isn’t like you could assign all of the prefixes an ISP has — just what is allowed on that link.

Why do you think this is a new issue that needs to be fixed in this document?

In my experience we have not seen these kinds of attacks, as they aren’t very useful. And it has been a DHCP issue since DHCPv4 (where addresses were much more scarce).

We tried securing DHCPv6... but it isn’t an easy problem to solve.

- Bernie

On Dec 7, 2020, at 8:06 PM, Christian Huitema <huitema@huitema.net> wrote:

On 12/7/2020 4:31 AM, Bernie Volz (volz) wrote:

FYI:

I understand that solutions like RA Guard will in practice provide some protection, but the use of these solutions is not discussed in RFC 8213. The DHCP WG might want to address that.

RFC8415’s security considerations are rather extensive and include references to many techniques to reduce the issues. 8213 was written while 8415 was under development.

In the context of the draft, I am concerned in particular with the "resource-exhaustion" DoS attack, through exhaustion of delegatable prefixes. The attack is mentioned in the security section of 8415, but I have not seen the proposed mitigation.

-- Christian Huitema
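The two mitigations Bernie mentions (a per-relay cap on delegated prefixes, and shorter leases so exhausted prefixes come back sooner), modelled as an added example that is not code from the thread or from any DHCPv6 implementation; the prefix pool, relay name, DUIDs and lifetimes are constructed, and the cap and lease bookkeeping are a simplified stand-in for what a server or relay would do:

```python
# Toy model of a DHCPv6 PD server admitting prefix requests arriving via a relay.
# Everything here is constructed for illustration (pool, relay name, DUIDs, times).
from dataclasses import dataclass, field
from ipaddress import IPv6Network
from typing import Optional

@dataclass
class PDServer:
    pool: list                      # free /56 prefixes for one link
    max_per_relay: Optional[int]    # None = no cap (the weak setting)
    lifetime: int                   # valid lifetime of a delegation, seconds
    leases: dict = field(default_factory=dict)   # prefix -> (relay, duid, expiry)

    def _expire(self, now):
        # Reclaim delegations whose lifetime has passed; shorter lifetimes bound
        # how long an exhausted pool stays exhausted.
        for prefix, (_, _, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[prefix]
                self.pool.append(prefix)

    def held_by_relay(self, relay):
        return sum(1 for r, _, _ in self.leases.values() if r == relay)

    def request(self, relay, duid, now):
        """Delegate a prefix, or return None when refused or exhausted."""
        self._expire(now)
        # The cap is keyed on the relay, not the client-id, so rotating DUIDs
        # behind one relay cannot take more than max_per_relay prefixes.
        if self.max_per_relay is not None and self.held_by_relay(relay) >= self.max_per_relay:
            return None
        if not self.pool:
            return None
        prefix = self.pool.pop(0)
        self.leases[prefix] = (relay, duid, now + self.lifetime)
        return prefix

def make_pool(n):
    return list(IPv6Network("2001:db8:1000::/48").subnets(new_prefix=56))[:n]

def simulate(max_per_relay, lifetime, requests, now=0):
    """One relay, each request with a fresh DUID; returns (granted, free_left)."""
    srv = PDServer(make_pool(16), max_per_relay, lifetime)
    granted = sum(srv.request("relay-A", f"duid-{i}", now) is not None for i in range(requests))
    return granted, len(srv.pool)

def exhausted_then_recovered(lifetime):
    """Uncapped pool: exhausted at t=1, usable again once the leases expire."""
    srv = PDServer(make_pool(16), None, lifetime)
    for i in range(16):
        srv.request("relay-A", f"duid-{i}", now=0)
    before = srv.request("relay-A", "legit-duid", now=1)
    after = srv.request("relay-A", "legit-duid", now=lifetime + 1)
    return before is None, after is not None
```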