RE: [EXTERNAL] Improving ND security
"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 31 July 2020 17:17 UTC
From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Ted Lemon <mellon@fugue.com>
CC: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Subject: RE: [EXTERNAL] Improving ND security
Date: Fri, 31 Jul 2020 17:17:43 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/-pR89H8z3bg5bsrPTzugICf7U8o>

> Does it solve the problem Owen was talking about (overloading neighbor tables as an attack)? Is there agreement that this is a serious problem in any case?

Ted, I think SEND would solve the neighbor cache resource exhaustion attack since a NCE is only created on receipt of an authentic (SEND-protected) IPv6 ND message.

I believe that for aviation networks, intelligent transportation systems, and other mobile node use cases there will certainly be cases where the mobile node comes onto the network via an unprotected open-access wireless access network. In that case, the only mitigations would be for the MN to stand up a VPN (which is expensive overkill) or somehow use IPv6 ND with appropriate authentication controls applied. SEND seems like a good fit for the latter.

Thanks - Fred

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Friday, July 31, 2020 9:13 AM
To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
Cc: Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; v6ops list <v6ops@ietf.org>; 6man <ipv6@ietf.org>
Subject: Re: [EXTERNAL] Improving ND security

On Jul 31, 2020, at 12:10 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:

> I like SEND, and it is written into my documents – is that enough of a push, or do I need to do more aggressive marketing? Interested in helping?

The push would have to be from somebody producing software that has broad reach. And it would have to solve a real problem or nobody with that reach would try to do it.

Does it solve the problem Owen was talking about (overloading neighbor tables as an attack)? Is there agreement that this is a serious problem in any case?