Re: [Int-area] [IPv6] New Draft - ICMPv6 Loopback

Tal Mizrahi <tal.mizrahi.phd@gmail.com> Thu, 08 June 2023 04:15 UTC

From: Tal Mizrahi <tal.mizrahi.phd@gmail.com>
Date: Thu, 08 Jun 2023 07:14:57 +0300
Message-ID: <CABUE3XmAeR096BP3+Wxf67VWoU=i08vYcQiEMrrF_=Ua3SRwjQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "int-area@ietf.org" <int-area@ietf.org>, ipv6@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/y2fwRANIHBwauEUtqWK9Bzjb27w>
Subject: Re: [Int-area] [IPv6] New Draft - ICMPv6 Loopback

Michael,

Please note the following sentence in the security considerations
section: "the amplification effect in this case is similar to ICMPv6
error message, and specifically similar to Traceroute."

Sending a Loopback causes the exact same amplification as invoking the
last packet of Traceroute, i.e., sending a packet with Hop
Limit=number of hops to destination. Any amplification attack that can
be invoked with Loopback could alternatively be invoked with any
packet that has Hop Limit=number of hops to destination. Therefore,
Loopback does not introduce a new attack vector.

Cheers,
Tal.

On Wed, Jun 7, 2023 at 7:59 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>
> Despite what the Security Considerations suggests, this still looks ripe for
> use as an amplification attack to me.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide