Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Ted Lemon <mellon@fugue.com> Wed, 22 January 2020 16:07 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FE14120119 for <int-area@ietfa.amsl.com>; Wed, 22 Jan 2020 08:07:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2t6V6VIvj4xg for <int-area@ietfa.amsl.com>; Wed, 22 Jan 2020 08:07:33 -0800 (PST)
Received: from mail-qv1-xf2c.google.com (mail-qv1-xf2c.google.com [IPv6:2607:f8b0:4864:20::f2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E67151200F7 for <int-area@ietf.org>; Wed, 22 Jan 2020 08:07:32 -0800 (PST)
Received: by mail-qv1-xf2c.google.com with SMTP id m14so3470135qvl.3 for <int-area@ietf.org>; Wed, 22 Jan 2020 08:07:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=uFKBtWBF8Z48dErLegtw1mtGPCqprOJ5ciXcWD8SVSI=; b=yPX4C1VYxwKARdIGAC8DcgE58ZwBmj3sQO4jZVe6xeHg162lByHskEdHERT4VS9nUq vr2t/xKXwCbP1FH58iHKUhaJqssYMVCRx4BfNoLRvclkpmm5649QBcuOkJlYnpkWN+v/ 064s63H2LjCma6Eqn0kFdFylMVCiylU7A9FW7GnGhjfdG1EokBrIsDPEnqnM0DG2Uphs 9F0BhHgfZWtqAmN00fyUgVPGdBA60ufnfBG8dLS5ZJXRFAibdW/ewIDcBBZBO+e+tUVs zm1rxxkIvVOxLmKi9/v+624NZB7sBTcr1UKZfY34ebdX+Qsf+c5zhlbjP3bH+GxwU3Lp beHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=uFKBtWBF8Z48dErLegtw1mtGPCqprOJ5ciXcWD8SVSI=; b=WXMxCLbTAVsfcmok++sb5YdebvD3LQKD+OZ8DpjdNu07KnoocRH7cVpOGLLCzpSoLd RYzTMoWaaOa+8x7DBdAYLQPfrS8Sp/jEyUeM1zntCD/sK+rfNOA+Pjmg5jAxlfMYIMGd kpVie+pdIe3vdBmy7daifr0vSNboBXnTV4aQ70sGOydNt6GT+hAHgUGeCZVka1LXXQlJ mDcC0R9X890IOhGMUjWUdJ6UEkMJXriXuhvomwCQygl3QoBH1sfdK2Ngs0TlVCKRlAfd 1N0D0T0G32pasJ0+7ttReJnziA58Df848K3/vrmEpVdq6fsdgahkzStbePJyH+WwfMrv f7SQ==
X-Gm-Message-State: APjAAAXdjMJQI+XaopjSntwIdcGM53NzB9ep1EqOtcykVgyqLugOHyH5 u0+DeoRubUMcTjr6aFXLCpCFCQ==
X-Google-Smtp-Source: APXvYqwHFeR5IiwYdtNhzUZFBBQCB843Lm2z6uzfa6REa8y3TR9TbNINYdN6HKtnJ8/XfTkqNvqvcQ==
X-Received: by 2002:a0c:ecc6:: with SMTP id o6mr11250372qvq.220.1579709251926; Wed, 22 Jan 2020 08:07:31 -0800 (PST)
Received: from ?IPv6:2601:18b:300:36ee:e8e9:2624:8291:2383? ([2601:18b:300:36ee:e8e9:2624:8291:2383]) by smtp.gmail.com with ESMTPSA id u6sm2176919qkj.70.2020.01.22.08.07.30 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 22 Jan 2020 08:07:30 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 22 Jan 2020 11:07:30 -0500
Message-Id: <9856A903-AFBF-4FEA-9ABD-BE3A810C20EA@fugue.com>
References: <5D6F756D-16CB-430F-904C-7A5A21EE6AB9@apple.com>
Cc: Warren Kumari <warren@kumari.net>, Adam Roach <adam@nostrum.com>, Erik Kline <ek@loon.com>, draft-ietf-intarea-provisioning-domains@ietf.org, Internet Area <int-area@ietf.org>, The IESG <iesg@ietf.org>, intarea-chairs <intarea-chairs@ietf.org>
In-Reply-To: <5D6F756D-16CB-430F-904C-7A5A21EE6AB9@apple.com>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (17E210a)
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/x703sZwZxm9GypbbD1mjJ2PG4Fw>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 16:07:36 -0000
On Jan 22, 2020, at 10:53, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote: > Network operators SHOULD restrict access to PvD Additional > Information to only expose it to hosts that are connected to the local > network... [this] can be implemented by > whitelisting access from the addresses and prefixes that the router provides > for the PvD, which will match the prefixes contained in the PvD Additional > Information. But does this help with the problem Adam is talking about? The attack is coming from the RA. A rogue RA will not be in control of the network operator. So the mitigation has to be on the recipient of the RA, I think. So your suggestion to abandon the query of the host gets a bad answer sounds okay-ish, but probably we could do better by randomizing the query time on the client and the like. Beyond that, is there any way to limit the scope of the query so that the attack isn’t useful? My first instinct about this is that the attack isn’t very useful because it requires an attacker on the local net, but we’ve seen the power of the Mira attack; this would be a significant increase in these attack’s effectiveness. Requiring the http listener to be local could make this pretty useless as an attack. It’s inconvenient, but probably doable. Is there a reason not to do it?
- [Int-area] Adam Roach's Discuss on draft-ietf-int… Adam Roach via Datatracker
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Warren Kumari
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Suresh Krishnan
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly