RE: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations

Xipengxiao <xipengxiao@huawei.com> Tue, 22 December 2020 08:25 UTC

From: Xipengxiao <xipengxiao@huawei.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Nabil Benamar <benamar73@gmail.com>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, 6man Chairs <6man-chairs@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations
Date: Tue, 22 Dec 2020 08:25:06 +0000
Message-ID: <cdadade293a8494eb69b14e2c502aba5@huawei.com>
References: <87a5f7330de54a968b34d199d4d40f19@huawei.com> <CAL9jLaYvXOo2WK+hNNw3AvrWt19m9UWBhy8ubv7uaz5qGv=F4A@mail.gmail.com>
In-Reply-To: <CAL9jLaYvXOo2WK+hNNw3AvrWt19m9UWBhy8ubv7uaz5qGv=F4A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/0YHEiCTYirMHBR9jd2iegEEffNQ>

Hi Christopher,

>>  there's a set of things other than just ra-guard in their document lists.

Understood.  I used "RA-guard(+)" as an example.  There are also the SAVI related works.

>> it'd be good to see perhaps a threat-analysis document and from that some requirements discussion. as I noted in a different mail I guess while whacking at fires around the camp Fernando/Jen have hit some highlights, but there could be useful (threat analysis/etc) done still and cleanup of the remaining problems.

Good suggestion.  Will try to work out a skeleton during the holiday break and send to the ML.  Again, if anybody is interested in participating in this, please contact us.  So far we have Pascal, Eduard Metz, and myself.

Happy holidays and stay safe!

XiPeng

-----Original Message-----
From: Christopher Morrow [mailto:christopher.morrow@gmail.com] 
Sent: Monday, December 21, 2020 7:29 PM
To: Xipengxiao <xipengxiao@huawei.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
Subject: Re: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations

On Fri, Dec 18, 2020 at 5:28 AM Xipengxiao <xipengxiao@huawei.com> wrote:
>
> Hi Christopher,
>
> Firstly I assume that by "work Fernando / Jen" you meant RA-guard(+) / Grand.  If you are talking about something else please let me know.  I want to make sure that we are talking about the same things.
>

there's a set of things other than just ra-guard in their document lists.

> With that assumption, my answer to your question is:
>
> I think ND has some issues, e.g. (1) trust model - ND trusts all messages (2) heavily utilizing multicast (3) not considering sleeping nodes (4) reactive not proactive.   This is because ND was designed many years ago when many things like smartphones and Wi-Fi didn't exist.  Fernando/Jen's work solved (1) & (4); Pascal's WiND (arguably) solved all these issues, but it changed ND fundamentally.  Should it be used only in wireless environments or in both wireless & wired environments?  Recently Ole also published a P2P Ethernet draft to deal with (2).  Long story short, I don't think Fernando/Jen have solved all the issues.  There are many different solutions, each with its pros and cons.
>
> Furthermore, first-hop protocols are more than ND.  There are also SLAAC, DHCPv6 etc.  They also have some unsolved issues.  Variable SLAAC, universal-ra-option-04 are examples to deal with those issues.
>

sure.

> So in summary, I (and several other people in the WG) think there are issues in various first-hop protocols.  Some are solved, some are not.  For those solved issues, the solutions have pros and cons.  All of these are dispersed in many RFCs/drafts.  We believe it's helpful to summarize all the first-hop issues, and compare the solutions, in a single document.  This is just like Eric's draft-ietf-opsec-v6-21, which summarizes many IPv6 security issues in a single document.  We believe this would provide an opportunity for the WG to discuss the issues and existing solutions, and to decide the next steps.   For this reason, I've changed the subject to reflect our intention more accurately.  We in fact have a table of contents reflecting some early thoughts on this work.  If anybody is interested please drop me a line.  We will send the TOC to you, and we welcome your participation.
>

it'd be good to see perhaps a threat-analysis document and from that some requirements discussion. as I noted in a different mail I guess while whacking at fires around the camp Fernando/Jen have hit some highlights, but there could be useful (threat analysis/etc) done still and cleanup of the remaining problems.

> Thanks and happy holidays to all!
>
> XiPeng
>
> -----Original Message-----
> From: Christopher Morrow [mailto:christopher.morrow@gmail.com]
> Sent: Thursday, December 17, 2020 6:29 PM
> To: Xipengxiao <xipengxiao@huawei.com>
> Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
> Subject: Re: IPv6 first-hop risks and threats and mitigations
>
> I thought this was work Fernando Gont / Jen Linkova already undertook... or had already taken some large steps to cover at any rate.
> Were their docs not helpful here?
>
> On Wed, Dec 16, 2020 at 3:37 PM Xipengxiao <xipengxiao@huawei.com> wrote:
> >
> > Hi Michael,
> >
> > >> So, the idea being to write down the issues, give the attacks names, and then clarify what defenses we have already and how well they work?
> >
> > Yes.  Are you interested in working on this together?  Happy holidays!
> >
> > XiPeng
> >
> > -----Original Message-----
> > From: Michael Richardson [mailto:mcr+ietf@sandelman.ca]
> > Sent: Monday, November 23, 2020 1:24 AM
> > To: Xipengxiao <xipengxiao@huawei.com>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
> > Subject: IPv6 first-hop risks and threats and mitigations
> >
> > Xipengxiao <xipengxiao@huawei.com> wrote:
> >
> >     > I also think that it’s a good piece of work, and shouldn’t be given up.
> >
> >     > I would also like to take this opportunity to propose that the WG start
> >     > a “problem statement of IPv6 first-hop protocols” draft.  The rationale
> >     > is: many IPv6 first-hop protocols like ND, SLAAC were designed a long
> >     > time ago; many things have changed over the years, e.g. the advent of
> >     > wireless, mobility, IoT, overlays;  lately there are multiple drafts
> >     > trying to fix various issues in a number of IPv6 first-hop protocols,
> >     > including:
> >
> > So, the idea being to write down the issues, give the attacks names, and then clarify what defenses we have already and how well they work?
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
> >            Sandelman Software Works Inc, Ottawa and Worldwide
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list ipv6@ietf.org Administrative 
> > Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------