IETF Logo Mail Archive

Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Mikael Abrahamsson <swmike@swm.pp.se> Fri, 19 October 2018 13:48 UTC

Return-Path: <swmike@swm.pp.se>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE3F130EEA for <ipv6@ietfa.amsl.com>; Fri, 19 Oct 2018 06:48:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=swm.pp.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kVDEgVtI_dCX for <ipv6@ietfa.amsl.com>; Fri, 19 Oct 2018 06:48:04 -0700 (PDT)
Received: from uplift.swm.pp.se (swm.pp.se [212.247.200.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16773130EE7 for <ipv6@ietf.org>; Fri, 19 Oct 2018 06:48:04 -0700 (PDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id 3987CB0; Fri, 19 Oct 2018 15:48:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1539956882; bh=7Lxd+K5WbjtuHlu4awZguf/QGrQWL3IdvHqP3Xpjl48=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=PlnOW3KzRQkIeIV3hzERgpaYQyJBJdfaZvlPKOpZOgtvGGpw2+GQP49ogyqTz6I2Q MOGJqHqS1amVCHxkud4tyEW0h3z8Ghzb/NIvpbW/2P0ECQAjF/4HnMvh0X/pzHQR10 86DBsNhTfwwn5hZNyPjXVMlOHkNX1l2xVGnJDsDI=
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id 37DF3AF; Fri, 19 Oct 2018 15:48:02 +0200 (CEST)
Date: Fri, 19 Oct 2018 15:48:02 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Job Snijders <job@ntt.net>
cc: 6man WG <ipv6@ietf.org>
Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
In-Reply-To: <CACWOCC-u7aAPwAOcixYvt2On=-o_8X25GhqdXTfA+tWRC1o2XA@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.1810191534430.26856@uplift.swm.pp.se>
References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com> <CAFU7BASO_ByzbanhLKnWV280O_fASd-8W+ujpj3sN6d2-whw2w@mail.gmail.com> <CACWOCC-u7aAPwAOcixYvt2On=-o_8X25GhqdXTfA+tWRC1o2XA@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="-137064504-350680598-1539956882=:26856"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/-giapNiXCQQzwsRLDhxB9311P7s>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2018 13:48:07 -0000

On Fri, 19 Oct 2018, Job Snijders wrote:

> Operating system implementers will be able to provide valuable feedback 
> to the working group on how to mitigate risk for some of the suspected 
> attack vectors - and it’ll be educational to see how this works in 
> practice. I think running code will improve this specification.

I don't see how it would, since it doesn't mandate the hosts to do 
anything.

"Dual stack hosts that have a good reason to use IPv4, for example for
    a specific IPv4 link-local service, can attempt to do so.  Therefore
    respect of the IPv6-Only flag is recommended, not mandatory, for
    hosts."

So this is just one more input into whatever heuristics a host might have 
to decide how to behave. For instance do more agressive exponential 
backoff for IPv4 operations but not turn it off completely.

For security... as long as you have a shared LAN without first-hop 
security (SAVI), you're screwed 50 times already. There is nothing you can 
do to fix this at the edges of this L2 network. It just doesn't work. SEND 
doesn't fix it, nothing can fix it. Without network control, anyone can 
send anything and pretend to be anything, spoof whatever MAC address they 
choose and trick the MAC learning mechanism etc.

I am actually quite disappointed people keep bringing up "oh, but if we do 
this then someone can do that". This has been known for 20 years at least, 
that an "open and stupid" LAN presents unfixable security and/or denial of 
service problems. Can we just agree on this and declare this unfixable in 
the hosts?

If you don't run IPv6 and the network doesn't have IPv6 first-hop 
security, the network needs to filter 0x86dd packets. Whatever ethertype 
it forwards, it need to have some kind of security mechanism to stop hosts 
from pretending to be network equipment such as routers/dhcp servers etc.

This is already done using SAVI (which I am disappointed of the lack of 
interest in these crucial mechanisms from people participating in the 
IETF).

https://datatracker.ietf.org/wg/savi/documents/

There are proprietary implementations of these and they go by many names, 
RA guard, forced-forwarding etc. These mechanisms are ~15-16 years old at 
least. I first ran into the need for these when doing ETTH deployments in 
circa 2001.

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se

v2.23.0 | Report a Bug | By Email