IETF Logo Mail Archive

RE: 6MAN Agenda for IETF86

"Hosnieh Rafiee" <ietf@rozanak.com> Tue, 05 March 2013 15:43 UTC

Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80CEF21F889C for <ipv6@ietfa.amsl.com>; Tue, 5 Mar 2013 07:43:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.485
X-Spam-Level:
X-Spam-Status: No, score=-1.485 tagged_above=-999 required=5 tests=[AWL=-0.686, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_21=0.6, J_CHICKENPOX_34=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bd9p3GarngYS for <ipv6@ietfa.amsl.com>; Tue, 5 Mar 2013 07:43:25 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by ietfa.amsl.com (Postfix) with ESMTP id 5368921F88E1 for <ipv6@ietf.org>; Tue, 5 Mar 2013 07:43:25 -0800 (PST)
Received: from FB10H117WS01 ([141.89.226.146]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0MEG5w-1U1vfg36HQ-00G5oe; Tue, 05 Mar 2013 10:43:14 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Nalini Elkins' <nalini.elkins@insidethestack.com>
References: <7EE61AD6-2E54-4F17-BBFD-30BE77F7E782@gmail.com> <1362476231.3387.278.camel@karl> <1362490400.37136.YahooMailNeo@web2805.biz.mail.ne1.yahoo.com> <5135F5CA.1090207@gmail.com> <006801ce19a9$0ff8bcd0$2fea3670$@com> <51360424.5030504@gmail.com> <1362497088.22505.YahooMailNeo@web2805.biz.mail.ne1.yahoo.com>
In-Reply-To: <1362497088.22505.YahooMailNeo@web2805.biz.mail.ne1.yahoo.com>
Subject: RE: 6MAN Agenda for IETF86
Date: Tue, 05 Mar 2013 16:43:06 +0100
Message-ID: <007301ce19b8$25a3c610$70eb5230$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac4ZtZRoovOh6mUkS8a9+cIcab8u4QAAJqZQ
Content-Language: de
X-Provags-ID: V02:K0:H0GopRyG+Eh2w43oWzirp16LBEH7Se5GvI8zYtS7BXz XuHipe9k7E6biciqSVh8TTVw/tZEjP5y5pYfKqERiFs5cxvoJk xDZenAme/TUmZj4jJCrG4JlxEf586seUYsEqmVL6DSvbPTD89j h7lFGFLD8EBL/GqXIg+6h3i60UuuGaBZHfesThvMeFgCwXhc26 OH+VwSo7n5TUZfpm0Uo52g9Nid6IjjIzYqIrA7LT41vsOSP9B8 IKVEuOtcA2bEyNa526UQcQ/2ltgFHw/Qru0By8ExUkRQARVTLy FV72KlZ3nShs1JrdnU/W1FLhdbb7lr3/msZfdY3tyFSG5pALKV 9GXTc76Hivt1/mQMeg0g=
Cc: 'Alexandru Petrescu' <alexandru.petrescu@gmail.com>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2013 15:43:26 -0000

Dear Nalini,

Yes. That RFC is an old RFC that explained the most probable attacks that
could be used against ND. This is the main reason that ND is not at all
secure and the people who think that just privacy is enough (like what was
just implemented in windows) are making a big mistake.

In our lab we are currently working on devising possible attacks against
IPv6 networks in order to find ways of preventing them. We hope to be able
to provide the necessary tools to provide the security necessary to use
against these many different types of attack. 

Thank you,
Hosnieh

-----Original Message-----
From: Nalini Elkins [mailto:nalini.elkins@insidethestack.com] 
Sent: Dienstag, 5. März 2013 16:25
To: Alexandru Petrescu; Hosnieh Rafiee; Karl Auer
Cc: ipv6@ietf.org
Subject: Re: 6MAN Agenda for IETF86

Guys,

I am going to go back and review "IPv6 Neighbor Discovery (ND) Trust Models
and Threats: RFC 3756"

http://datatracker.ietf.org/doc/rfc3756/

For all who think that ND and RA in particular does not have problems, here
is a UTube video of a hacker at work using RA.

http://www.youtube.com/watch?v=TfsfNWHCKK0

Next, there is an interesting web site: http://www.thc.org/thc-ipv6/

You can see the "interesting" tools available:

dnssecwalk - performs NSEC walking including Iv6+IPv4 resolving
firewall6 - various TCP/UDP ACL bypass test cases
fake_pim6 - send fake hello and join/prune pim messages
ndpexhaust26 - very performant ndp exhauster based on ICMP error toobig
messages but can send many types of packets
alive6: ranges are now supported in the input file too
parasite6: enhancements to make it way more effective
fake_router26: added overlap RA guard evasion type (-E o, -E O)
dos-new-ip6: fix that only DAD replies are sent, not full NDP spoofing
flood_router26: Added local LAN privacy extension prevention attack
randicmp6: - added function which dumps icmp answers received - added
funtionality to send a specific type (and also code)
dnsdict6: added SRV result address resolving

and others.

I will review all drafts with the above in mind.

Thanks,

Nalini Elkins
Inside Products, Inc.
(831) 659-8360
www.insidethestack.com



________________________________
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
To: Hosnieh Rafiee <ietf@rozanak.com>
Cc: ipv6@ietf.org
Sent: Tuesday, March 5, 2013 6:41 AM
Subject: Re: 6MAN Agenda for IETF86

Hosnieh,

I would have to read the draft and feed back about SSAS.

Some of the drafts I mentioned (ND-PD) were presented to 6MAN meeting in
Atlanta, and discussed on the email list.  One of the drafts
(draft-jhlee-mext-mnpp-00) is considered at ISO, but I dont know its status.

Another draft which generates IID from VIN (Vehicular Identification
Number) we discussed recently in the 6MAN email list is:
draft-imadali-its-vinipv6-viid-00.txt

We don't have a WG about vehicular communications but we have an email list
ITS for Intelligent Transportation Systems (ietf.org/mailman/listinfo/its). 
We discuss a Charter proposal there.

Alex

Le 05/03/2013 14:55, Hosnieh Rafiee a écrit :
> In the latest version of my draft RFC,SSAS, l have provided 
> information about using SSAS for mobile nodes and I have specified the 
> sections of the RFCs that can use this mechanism. So maybe this can 
> prove useful for vehicular communication too. Are the drafts that you 
> mentioned discussed in 6man? I have not seen any discussions about 
> them. Maybe I missed it. If it is in another WG, would you please tell 
> me which one?
>
> Thanks, Hosnieh
>
>
>
> -----Original Message----- From: ipv6-bounces@ietf.org 
> [mailto:ipv6-bounces@ietf.org] On Behalf Of Alexandru Petrescu Sent:
> Dienstag, 5. März 2013 14:40 To: ipv6@ietf.org Subject: Re: 6MAN 
> Agenda for IETF86
>
> ND security is an important topic.
>
> Let me explain why.
>
> We consider the use of ND over 802.11p links for vehicular  
>communications. These links dont have ESSID nor link-layer security.
>  (it is not clear whether it is legal to run IP straight over  80211p, 
>being "safety apps") but once it becomes clear the security  question 
>comes up.
>
> (ND drafts for vehicular communications:
> draft-petrescu-autoconf-ra-based-routing draft-kaiser-nd-pd-01
> draft-jhlee-mext-mnpp-00)
>
> The security of ND on these links needs to be fast and easy to set up.
>
> Alex
>
> Le 05/03/2013 14:33, Nalini Elkins a écrit :
>> Karl,
>>
>> I definitely agree that ND needs to be secured.  Also agree that 
>> neither IPSec nor SEND are viable solutions.
>>
>> I do not know if I am missing something but I have not seen a 
>> comprehensive document with these problems detailed.  I certainly 
>> don't have a solution but I have been trying to at least catalog such 
>> problems.   If there is such a document, would appreciate anyone 
>> letting me know.
>>
>> If there isn't, if you would like, we can collaborate on such a 
>> document and create a draft for the IETF meeting in Berlin. Maybe 
>> v6Ops is a place to discuss this topic.  Once many at IETF agree that 
>> indeed there is a problem, then we can discuss a potential solution. 
>> Thanks,
>>
>> Nalini Elkins Inside Products, Inc. (831) 659-8360 
>> www.insidethestack.com
>>
>> ---------------------------------------------------------------------
>> -
>>
>>
>>
--
>>
>>
> *From:* Karl Auer <kauer@biplane.com.au>
>> *To:* ipv6@ietf.org *Sent:* Tuesday, March 5, 2013 1:37 AM
>> *Subject:* Re: 6MAN Agenda for IETF86
>>
>> On Mon, 2013-03-04 at 16:02 -0800, Bob Hinden wrote:
>>> A Simple Secure Addressing Generation Scheme for IPv6  
>>>AutoConfiguration draft-rafiee-6man-ssas-01.txt [...]  DHCPv6/SLAAC 
>>>Address Configuration Interaction Problem Statement
>>>  draft-liu-bonica-dhcpv6-slaac-problem-01.txt
>>>
>>> We did not think there had been enough discussion or interest on the 
>>> w.g. list to guarantee a speaking slot.  We allocated short slots at 
>>> the end of the session if there is time before the meeting ends.  If 
>>> anyone (other than the authors) think one of these should be given 
>>> more time, please speak up.
>>
>> For what it's worth it seems to me that there is a gaping hole around 
>> securing ND. IPSec is obviously ridiculous, SEND is only marginally 
>> less ridiculous. Maybe SSAS is a way forward? Or maybe noone else 
>> thinks ND needs to be secured? Maybe the meeting could attempt to 
>> gauge whether this is actually a real problem. I think it is, and I 
>> urge others to speak up if they too think this should be pursued.
>>
>> If there is a priority to these things, then sorting out the 
>> perceived and actual discrepancies\ and ambiguities in the meaning of 
>> the RA M and O flags would seem pretty important. Otherwise they will 
>> end up cemented into even more implementations than they are now. The 
>> way Windows handles them is just plain broken, and if the RFCs 
>> support that way of handling them, then the RFCs are broken. At very 
>> least this topic needs some impetus.
>>
>> Regards, K.
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> ~
>>
>>
>>
~
>>
>>
> Karl Auer (kauer@biplane.com.au <mailto:kauer@biplane.com.au>)
>> http://www.biplane.com.au/kauerhttp://www.biplane.com.au/blog
>>
>> GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A 
>> Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
>>
>>
>> --------------------------------------------------------------------
>>
>>
>>
IETF IPv6 working group mailing list ipv6@ietf.org
>> <mailto:ipv6@ietf.org> Administrative Requests:
>> https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>>
>>
>>
>>
>>
>>
--------------------------------------------------------------------
>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
>> Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>
>>
>>
>
> --------------------------------------------------------------------
>  IETF IPv6 working group mailing list ipv6@ietf.org Administrative
> Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>
>


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------  

v2.23.0 | Report a Bug | By Email