IETF Logo Mail Archive

RE: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 30 June 2022 16:03 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31DC0C14F72F for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 09:03:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6HeEbFXhUme1 for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 09:03:41 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDE09C15A734 for <ipv6@ietf.org>; Thu, 30 Jun 2022 09:03:40 -0700 (PDT)
Received: from fraeml735-chm.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4LYjh42ML6z67tXN; Thu, 30 Jun 2022 23:59:32 +0800 (CST)
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by fraeml735-chm.china.huawei.com (10.206.15.216) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 30 Jun 2022 18:03:36 +0200
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml500001.china.huawei.com (7.188.26.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 30 Jun 2022 19:03:36 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2375.024; Thu, 30 Jun 2022 19:03:36 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Kerry Lynn <kerlyn=40ieee.org@dmarc.ietf.org>, Carsten Bormann <cabo@tzi.org>
CC: Stuart Cheshire <cheshire@apple.com>, 6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
Subject: RE: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
Thread-Topic: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
Thread-Index: AQHYjAx7s4zi8fh/uE2VNDRT6V/nsa1m0B2AgAAEP4CAAArJgIAAAPyAgAAGxoCAAEWyAIAAAVIAgACgYYCAAE7gwA==
Date: Thu, 30 Jun 2022 16:03:36 +0000
Message-ID: <a5ee1de33964488fa966b14f3ede2d6c@huawei.com>
References: <164938402532.17740.11717866110301931501@ietfa.amsl.com> <b1780128-2069-b32e-7ca5-86977c119f0c@gmail.com> <11d4e419-11a9-8768-abf2-1335e5f1c3d8@gmail.com> <149924f9-da30-fa79-0509-c01c439d1796@gmail.com> <5BEFA97B-CF09-44D7-8C10-017FEAE4C3A8@tiesel.net> <e6ff75e7-b6c6-ea03-2e10-b1ad95d650f0@gmail.com> <98D15BD9-A631-4D09-AE9E-9D4C750714C9@tiesel.net> <95c82ad3-2138-ab2a-7ba5-57ad80472964@gmail.com> <E5C368C5-9DAE-4C61-ADDE-B881EA11EDA0@tiesel.net> <6968ca7b-dac3-b192-41ed-a193adab7eb4@gmail.com> <529B863C-BCC9-40C1-A5B8-B0598E7DF17C@tzi.org> <bf8c5c54-d548-a40a-0381-0583ef946f26@gmail.com> <CAPt1N1=4wbqrrzvwdr4FD7awa6pkyffhwRZC3zAWLs7uzY3BJQ@mail.gmail.com> <86509E47-77CE-4210-A1B7-C1E9955D9672@tzi.org> <CAPt1N1kYBMSA5Y7BZLMd9o96tBxFY7SrRUxb9jxfBNvBiA_OJQ@mail.gmail.com> <d3d9d68a-adff-b29b-4d1b-78f82e6bf282@gmail.com> <A2DD6902-EF02-4EA4-80D3-18820B912DF1@tzi.org> <CABOxzu1VvoGY+Lc5iw81vV+-k98YvDzSYgfzJOxt6Sc04+0+WQ@mail.gmail.com>
In-Reply-To: <CABOxzu1VvoGY+Lc5iw81vV+-k98YvDzSYgfzJOxt6Sc04+0+WQ@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.81.197.212]
Content-Type: multipart/alternative; boundary="_000_a5ee1de33964488fa966b14f3ede2d6chuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/0kVB096idsndwVPQ6CjX94dGu4w>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2022 16:03:46 -0000

But passive scanner should be on the promiscuous port (receive all traffic, or at least all multicast traffic) which would be a challenge for the attacker.
Hence, the sweep ping (active) assumption here.
Ed/
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Kerry Lynn
Sent: Thursday, June 30, 2022 5:19 PM
To: Carsten Bormann <cabo@tzi.org>
Cc: Stuart Cheshire <cheshire@apple.com>; 6man <ipv6@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

On Thu, Jun 30, 2022 at 12:45 AM Carsten Bormann <cabo@tzi.org<mailto:cabo@tzi.org>> wrote:
On 30. Jun 2022, at 06:40, Brian E Carpenter <brian.e.carpenter@gmail.com<mailto:brian.e.carpenter@gmail.com>> wrote:
>
> For the present draft, one thing my small experiment shows is that we won't make things worse by adding zone identifiers to URLs. They too have to be guessed by the attacker, and in modern Linux they are things like "enxb813ebc170a4" out of the box. That makes the attacker's job significantly harder.

Do you know how enxb813ebc170a4 is generated?  (I.e., is the 48-bit thing in there guessable?)

I think I agree with the conclusion (at least, that it is quite hard/costly/lengthy to mount an attack based on this), but I think that it would be good to get a clean argument for that in the security considerations.
Is it sufficient to say there are easier ways to gather LL host addresses?

Maybe I'm missing something, but for LL address scanning mustn't the attacker
already be on the link? Isn't it simpler to deploy a passive scanner and just glean
active LL addresses?

Note there are 6lo data links (e.g. RFC 8163) where SLAAC address construction
is done with many fewer than 48 bits. My argument there was to use 64-bit opaque
IDs for globally-routable addresses, but short IDs for LL addresses to make better
use of header compression. I didn't state the latter recommendation was also
because I felt sniffing on the link was trivial.

See also RFC 8605, where I encouraged Dave Thaler to distinguish between on-
and off-link attacks.

Kerry

Grüße, Carsten

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email