Re: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations

Christopher Morrow <christopher.morrow@gmail.com> Mon, 21 December 2020 18:29 UTC

References: <87a5f7330de54a968b34d199d4d40f19@huawei.com>
In-Reply-To: <87a5f7330de54a968b34d199d4d40f19@huawei.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
Date: Mon, 21 Dec 2020 13:29:05 -0500
Message-ID: <CAL9jLaYvXOo2WK+hNNw3AvrWt19m9UWBhy8ubv7uaz5qGv=F4A@mail.gmail.com>
Subject: Re: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations
To: Xipengxiao <xipengxiao@huawei.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Nabil Benamar <benamar73@gmail.com>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, 6man Chairs <6man-chairs@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/7HFjk_IXMnycb43ZE2mEBF1JgFY>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

On Fri, Dec 18, 2020 at 5:28 AM Xipengxiao <xipengxiao@huawei.com> wrote:
>
> Hi Christopher,
>
> Firstly I assume that by "work Fernando / Jen" you meant RA-guard(+) / Grand.  If you are talking about something else please let me know.  I want to make sure that we are talking about the same things.
>

there's a set of things other than just ra-guard in their document lists.

> With that assumption, my answer to your question is:
>
> I think ND has some issues, e.g. (1) trust model - ND trusts all messages (2) heavily utilizing multicast (3) not considering sleeping nodes (4) reactive not proactive.   This is because ND was designed many years ago when many things like smartphones, Wi-Fi didn't exist.  Fernando/Jen's works solved (1) & (4), Pascal's WiND (arguably) solved all these issues. But it changed ND fundamentally.  Should it be used only in wireless environments or in both wireless & wired environments?  Recently Ole also published a P2P Ethernet draft to deal with (2).  Long story short, I don't think Fernando/Jen have solved all the issues.  There are many different solutions, each with its pros and cons.
>
> Furthermore, first-hop protocols are more than ND.  There are also SLAAC, DHCPv6 etc.  They also have some unsolved issues.  Variable SLAAC, universal-ra-option-04 are examples to deal with those issues.
>

sure.

> So in summary, I (and several other people in the WG) think there are issues in various first-hop protocols.  Some are solved, some are not.  For those solved issues, the solutions have pros and cons.  All of these are dispersed in many RFCs/drafts.  We believe it's helpful to summarize all the first-hop issues, and compare the solutions, in a single document.  This is just like Eric's draft-ietf-opsec-v6-21 summarizing many IPv6 security issues into a single document.  We believe this would provide an opportunity for the WG to discuss the issues and existing solutions, and to decide the next steps.   For this reason, I've changed the subject to reflect our intention more accurately.  We in fact have a table of contents reflecting some early thoughts of this work.  If anybody is interested please drop me a line.  We will send the TOC to you, and we welcome your participation.
>

it'd be good to see perhaps a threat-analysis document and from that some requirements discussion. as I noted in a different mail I guess while whacking at fires around the camp fernando/jen have hit some highlights, but there could be useful (threat analysis/etc) done still and cleanup of the remaining problems.

> Thanks and happy holidays to all!
>
> XiPeng
>
>
>
> -----Original Message-----
> From: Christopher Morrow [mailto:christopher.morrow@gmail.com]
> Sent: Thursday, December 17, 2020 6:29 PM
> To: Xipengxiao <xipengxiao@huawei.com>
> Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
> Subject: Re: IPv6 first-hop risks and threats and mitigations
>
> I thought this was work Fernando Gont / Jen Linkova already undertook... or had already taken some large steps to cover at any rate.
> Were their docs not helpful here?
>
> On Wed, Dec 16, 2020 at 3:37 PM Xipengxiao <xipengxiao@huawei.com> wrote:
> >
> > Hi Michael,
> >
> > >> So, the idea being to write down the issues, give the attacks names, and then clarify what defenses we have already and how well they work?
> >
> > Yes.  Are you interested in working on this together?  Happy holidays!
> >
> > XiPeng
> >
> > -----Original Message-----
> > From: Michael Richardson [mailto:mcr+ietf@sandelman.ca]
> > Sent: Monday, November 23, 2020 1:24 AM
> > To: Xipengxiao <xipengxiao@huawei.com>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
> > Subject: IPv6 first-hop risks and threats and mitigations
> >
> > Xipengxiao <xipengxiao@huawei.com> wrote:
> >
> >     > I also think that it’s a good piece of work, and shouldn’t be given up.
> >
> >     > I would also like to take this opportunity to propose that the WG start a “problem statement of IPv6 first-hop protocols” draft.  The rationale is: many IPv6 first-hop protocols like ND, SLAAC were designed a long time ago; many things have changed over the years, e.g. the advent of wireless, mobility, IoT, overlays;  lately there are multiple drafts trying to fix various issues in a number of IPv6 first-hop protocols, including:
> >
> > So, the idea being to write down the issues, give the attacks names, and then clarify what defenses we have already and how well they work?
> >
> > --
> >
> > Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
> >
> >            Sandelman Software Works Inc, Ottawa and Worldwide
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------