IETF Logo Mail Archive

Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

David Farmer <farmer@umn.edu> Wed, 07 June 2017 03:24 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCED0129B55 for <ipv6@ietfa.amsl.com>; Tue, 6 Jun 2017 20:24:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.8
X-Spam-Level:
X-Spam-Status: No, score=-3.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rALm8L3kG59Q for <ipv6@ietfa.amsl.com>; Tue, 6 Jun 2017 20:24:52 -0700 (PDT)
Received: from mta-p5.oit.umn.edu (mta-p5.oit.umn.edu [134.84.196.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3850124D6C for <ipv6@ietf.org>; Tue, 6 Jun 2017 20:24:51 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mta-p5.oit.umn.edu (Postfix) with ESMTP id 5D7C8B42 for <ipv6@ietf.org>; Wed, 7 Jun 2017 03:24:51 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1]) by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wqDvVoKvGFd0 for <ipv6@ietf.org>; Tue, 6 Jun 2017 22:24:51 -0500 (CDT)
Received: from mail-ua0-f197.google.com (mail-ua0-f197.google.com [209.85.217.197]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 0AD3CB39 for <ipv6@ietf.org>; Tue, 6 Jun 2017 22:24:50 -0500 (CDT)
Received: by mail-ua0-f197.google.com with SMTP id j32so220391uaj.12 for <ipv6@ietf.org>; Tue, 06 Jun 2017 20:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4ZWmw+DGSnaq/26qWvEeD/FSPA7lItZ6QdEPjAusdas=; b=QVjbaK2co6JDxYACR466Vu8PYsICAgc6iW6d2yY4FIPnKUQdDWtlPtsSjQUluZOWT6 /Totjh/82oi1SEoZQUUnYjZ//qI5DGOIUOzr/Jf9ZFdQ7l7QSX2N5hyDhScFefZvppI+ 9MbZha/+lg2Ey6kH6QeWU4424CboCcjmzepmYnDUUyTamVg4V7JN4MadQe1LcBv7S0PY EeRUCaxoQGCfMxuPm6RVuip2fVkrABwScXOU3j8QmOtNJ68fAwVFbT5W915G3+NF5eRi jLn/e1HRZV8C1JPKR2nvITNQ8fv5AXx2dNUdSdgki4O8Qtr4gJNWSUsgw/ZhXI5OAjLh otzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4ZWmw+DGSnaq/26qWvEeD/FSPA7lItZ6QdEPjAusdas=; b=Zrhdh45SV8J7Atw5E5uoXx9NI7s2tLIJV9KgKM9tRh4I16eHbyS0VNGYwyTzRcW5xa aZM8KKQwP2wjAvWV1CJEH7hC7+xz3H23SQP3BoMZz7rJpnJLMAhytW2baS44JlWmxtTw DAEOCW6QrFX6J6q/vm3cXQWNDt558j6buUzj96zG4GcnwNuUzAZaBzdd+r5NQHmcfqxN fDl7AEeLY1/oUAlOHFxkdHRe9n9E6/8gYcrh/7BQ6kdhFnmZjHMvUwb2Eo3v8T7uWSbe PgzH/gh5lgOhvBJ0G9TwlfjSnVEOwN9M5bQEfNIdw0+8NXdBTH37I0ZTdi5wDh861YR6 tDVg==
X-Gm-Message-State: AODbwcCflz9qIK7NOOpprHXexeXwqMquBCMuWIc5XorjHqG2m4W7HTvY BkyaeIpHqX2ejz2rTM8dTV83qsrKMhWcbFuZ69hrLkIE++WSkUPd+n5bX3xjnrDy5jVcoZXLmVu CynRKU83i+x2No3c=
X-Received: by 10.31.65.197 with SMTP id o188mr14875006vka.7.1496805890064; Tue, 06 Jun 2017 20:24:50 -0700 (PDT)
X-Received: by 10.31.65.197 with SMTP id o188mr14875000vka.7.1496805889850; Tue, 06 Jun 2017 20:24:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.183.11 with HTTP; Tue, 6 Jun 2017 20:24:49 -0700 (PDT)
In-Reply-To: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Tue, 06 Jun 2017 22:24:49 -0500
Message-ID: <CAN-Dau3ymnph8q5vxtPV+nvErmiaX4=scpSSm5D8dVKcLfCzwg@mail.gmail.com>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Job Snijders <job@instituut.net>, Erik Kline <ek@google.com>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="001a114dde625ccd4705515647fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/3T4ZXpq7bM1yxDZCzzCo1N2gwms>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 03:24:54 -0000

On Tue, Jun 6, 2017 at 8:23 PM, Mark Smith <markzzzsmith@gmail.com> wrote:

> On 7 June 2017 at 09:30, Job Snijders <job@instituut.net> wrote:
> > On Tue, 6 Jun 2017 at 16:28, Brian E Carpenter <
> brian.e.carpenter@gmail.com>
> > wrote:
> >>
>
> <snip>
>
> >> >
> >> > is this draft exactly:
> >> >
> >> >    IPv6 unicast routing is based on prefixes of any valid length up to
> >> >    128 [BCP198].  Interface Identifiers should be 64 bit long except
> >> >    when the addresses are manually configured, or by exceptions
> defined
> >> >    in standards track documents.  For example, [RFC6164] standardises
> >> >    127 bit prefixes on inter-router point-to-point links.  The
> rationale
> >> >    for using 64 bit Interface Identifiers can be found in [RFC7421]
> >> >
> >> > ?
> >>
> >> Yes. Put those words in 4291bis and I will be very happy. Oh ;-).
> >
>
>
> "Interface Identifiers should be 64 bit long except when the addresses
> are manually configured, or by exceptions defined in standards track
> documents."
>
> That doesn't mention that security and privacy properties of addresses
> will be compromised if the manually configured addresses are from a
> small prefix.
>
> Security and privacy properties of addresses are independent of the
> method used to configure them. Addresses configured via SLAAC, DHCPv6
> or manual configuration from within a small prefix/address range all
> lose privacy and security properties and value.
>

The security considerations for RFC4291bis-07 already says the following;

   One area relavant to IPv6 addressing is privacy.  IPv6 addresses can
   be created using interface identifiers constructed with unique stable
   tokens.  The addresses created in this manner can be used to track
   the movement of devices across the Internet.  Since earlier versions
   of this document were published, several approaches have been
   developed that mitigate these problems.  These are described in
   "Security and Privacy Considerations for IPv6 Address Generation
   Mechanisms" [RFC7721], "Privacy Extensions for Stateless Address
   Autoconfiguration in IPv6" [RFC4941], and "A Method for Generating
   Semantically Opaque Interface Identifiers with IPv6 Stateless Address
   Autoconfiguration (SLAAC)"[RFC7217].

Section 4.2 or RFC7721 already discusses manual configuration of addresses,
if you think more is necessary then maybe RFC7721 needs to be updated.

Job and others might say those privacy and security properties of
> large addresses is only useful to hosts, not infrastructure such as
> routers. I disagree.
>
> Large addresses can be of value in infrastructure addressing too. If a
> network operator wants to significantly mitigate if not prevent an
> attack such as a BGP listener TCP SYN attack from the Internet, they
> can hide the router's interface address somewhere inside a /64 so that
> the attacker can't find it via unsolicited inbound probing. If the
> attacker decides to persist, they'll have to resort to other methods
> to discover the device that are or can be made more costly.
>
> If a network operator's router vendor supports RFC7217 for interface
> addresses, they get that security advantage of large addresses by
> default when they add the /64 to the interface. Router interfaces are
> one of the motivations for RFC7217 being able to use the interface
> ifIndex value for the Net_Iface parameter (Appendix A) - the comment
> about ifIndexes being enabled to be consistent across network
> interface changes was my suggestion, and the use case in my mind was
> router interface module swaps.
>
> It is self evident that a packet that cannot reach a device cannot be
> used to attack the device.
>
> Perhaps those who commented during rfc4291bis last call and who may
> not have seen the WG's addressing privacy and security discussions
> over the last 4 years haven't realised that many more addressing bits
> can provide more capability and value than just the ability to connect
> more hosts.
>

I agree security and privacy are relevant issues for infrastructure
addressing plans, but they are by no means the only or even necessarily the
dominant considerations involved.  I'll note that at least in my network
relying on address obfuscation is not sufficient, I have to assume that the
users on my network are untrusted, I have to tell them the first hop router
one way or another, and finding the intermediate routers isn't that hard
(traceroute).

That said, I'll be poking at my routing vendors about RFC7217 support.
However, I have a long list of issues for them already, so I'm not sure
where this sits on the list of priorities with them. :)

Thanks
-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email