IETF Logo Mail Archive

Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address

Jen Linkova <furry13@gmail.com> Thu, 17 September 2020 08:54 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D9E3A0B87 for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 01:54:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJRuCv6Bkq_U for <ipv6@ietfa.amsl.com>; Thu, 17 Sep 2020 01:54:19 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7131F3A0B6A for <ipv6@ietf.org>; Thu, 17 Sep 2020 01:54:19 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id g72so1442848qke.8 for <ipv6@ietf.org>; Thu, 17 Sep 2020 01:54:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=VgoihGu5viswDJ5TVBqGBoKuXrwwyvkPIb2qHk78pTI=; b=KugjfJEw9bLIRz5iH/DoP6G1OghpXIavEBPWcN1TVodcGxqN/2RMCzIBO+ZkTDAylE SPfW+CZ/tpA8Z8AV11zcB0WHa/LB8J2cdmJsGDPIUf+XIIUr9V8GDE0LRNQzNDVrLsNu gbmQxo7vCYGQAjJiu7OEkQ72+YvlTR+3pkr38R8QbO1xeMUQbZ4mmcgtOMazR4H1uY8Q NoCESEcez4mMvQbCWnm+X0eOqZxfENRkjRxUdha0uxA8PnsMT+mCU9BfL9KQNTiQ7Wh6 yBwebwVBuCqnsBvQWaw5KwCIP98zoFfN8YYoqKUFAaH6WEV65WekXm3UXkqS0SynXDFt Z1Fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=VgoihGu5viswDJ5TVBqGBoKuXrwwyvkPIb2qHk78pTI=; b=q5SzX0L+eOZVizH0JrfwXyjDCuv94we2jvgyqdEyFk0nDNu52aeWgNlpgLEbJmlrnB H/SyjByoP5L2ROTt4nNxnBhA97Vwdt6PA9cS06o1bILzIvqNFe8PCdSa/PT8xuOwZBsl PwtjaDtHgej96qXOUp5IPX8B3XJQSQSca9qE9xS0bfZuo2QVmzzSVCz0+BHEnqJr3NMw 60auMI6zcdL0CNNvf2jbM92g0gFQTwg899hv7HvwsfkILKCtk9610VEpbT5Intz3LztW UYVfmCZXzAB0U+pevljgiurLV+eE7ZthLJ4AyooevBnsAjHRqnB4EDiBC0mZIapnOuPS oilw==
X-Gm-Message-State: AOAM532ytD9QpRbgYOeYTOaRBX2Zein2kH3qR1B28pdfXjdqVNvv6C83 vUMVnW/rTshAYP6XSbhvM338us5ipPtt8zEwZofkA+dS
X-Google-Smtp-Source: ABdhPJxdTwxkfWv+zFeI3baThcAYxjEeb9Q5l+AfNrMnHcnlWIHT5s7afpyczy2AqBFiHo2Ya2hu/XHCz6xHwqIGV5g=
X-Received: by 2002:a37:e211:: with SMTP id g17mr26303860qki.417.1600332858319; Thu, 17 Sep 2020 01:54:18 -0700 (PDT)
MIME-Version: 1.0
References: <7120052452e644dcbf60485cb4224128@huawei.com> <CAFU7BATTpJtAPeKCJtapQCbwD2FFrYOH_ErfuPcZnO8uYar_kA@mail.gmail.com> <9cd9fb5962d44046871e7185ab344e34@huawei.com> <54658b6d40e3476eab9edfb807769b6f@huawei.com>
In-Reply-To: <54658b6d40e3476eab9edfb807769b6f@huawei.com>
From: Jen Linkova <furry13@gmail.com>
Date: Thu, 17 Sep 2020 18:54:07 +1000
Message-ID: <CAFU7BASsOZ7QMaCV9Su1REODUY3L4Wm0PDfT0Z7RcKWyb4xmHg@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/7RXEuFIwnjzJv3i7-6gWhaowp-k>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 08:54:22 -0000

On Wed, Sep 16, 2020 at 8:32 PM Vasilenko Eduard
<vasilenko.eduard@huawei.com> wrote:
> Intruder would not obey ND rules – he would set Override flag (and probably Solicited too).
>
> Hence, GRAND could not improve security by extremely gentle behavior on legal hosts (O=0).

The GRAND goal is NOT to increase security. Not at all. GRAND operates
in the existing ND landscape and threat model.
Whatever attack is possible with the current ND state machine, would
be possible with GRAND. I believe that GRAND does not introduce any
new security issues.

> As we discussed before: address collision on 2^64 space that would follow by DAD lost – is extremely low probability for legal hosts.

I've seen duplicated addresses way too many times.

>Moreover, it assumes that multicast was lost and ND does not operate properly – not good assumption.

It's a reality on the ground. Like it or not. Multicast, especially on
busy WiFi networks, is unreliable.

> You would not lose much setting O=1 for preferred - it is legal by ND architecture if address progressed to Preferred.

Let me explain my concern.
I have an operational issue: not a huge but rather annoying one. I'd
like to solve it with minimal disruption to existing mechanisms.
Whatever works now should work as before.
I'm not trying to drastically improve ND, make it more secure or
anything. I noticed an assumption in the state machine logic which is
not always true, and I'd like to fix it.

Now, you are suggesting a bit more disruptive way of doing things. It
looks to me that your suggestion is a part of a big and ambitious plan
to drastically change the ND logic - sorry, I'm guessing here as I've
not read your draft yet.

When I change smth - a network, a code or  a protocol - I prefer to
minimize the scope of the change and do not make changes of a
different nature in one attempt.
So my suggestion is: let's discuss GRAND in its context and then your
draft can propose updates to RFC4861 which may or may not override the
GRAND changes.

> Because else I have to propose Override GRAND

Looking forward to reading your draft.

> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Vasilenko Eduard
> Sent: 16 сентября 2020 г. 12:29
> To: Jen Linkova <furry13@gmail.com>
> Cc: ipv6@ietf.org
> Subject: RE: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
>
>
>
> Hi Jen,
>
> If addresses is promoted to "Preferred", then DAD has passed. Then there is no way to shut up any host (from both duplicates). Very bad things would happen:
>
> Only one would win the fight for neighbor cache record on the router.
>
> 1-way MITM: other one would sent upstream normal, but return traffic would go to first host.
>
> 2-way MITM at the same time: You could not assume what host (first or second) is more valuable - second one could be the important server after reboot. Then other one would get all requests to applications (DB, File Server, Web) from outside of the subnet. At least to collect passwords, and may be much more... depends on application type.
>
>
>
> My problem: router could not see duplicity (and help) if at least legal host would not be persuasive to claim neighbor cache entry on the router.
>
> Override flag set does permit for router to understand that address has achieved Preferred status (not optimistic) - action could be taken now.
>
>
>
> In general, I do not respect this story about "first-come/first-serve" (I propose to block both). I have this text in my draft:
>
> It could be the temptation to minimize Intercepted Victim disruption by blocking only the second node (first-come/first-serve approach). The Intruder would be the second in the majority of cases that would minimize disruption for Intercepted Victim. Unfortunately, there are less probable cases when Intruder would be capable to catch server with popular application in reload or upgrade state - than legal node would be blocked. The Intruder would be capable to pretend to be the particular application and start collection of valuable information from users that would visit this application. It would be at least login credentials and could be much more depending on application type. It is the leakage of information again. The leakage of information is considered much high security problem then DoS, hence such conversion of DoS back into leakage is not acceptable. Vulnerability harm is more important than the probability of vulnerability. It is especially true for [ND] where we have other DoS vulnerabilities anyway.
>
> Only cryptographically based authentication does permit to really minimize DoS disruption for legal node.
>
> Eduard
>
> -----Original Message-----
> From: Jen Linkova [mailto:furry13@gmail.com]
> Sent: 16 сентября 2020 г. 5:29
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: ipv6@ietf.org
> Subject: Re: I-D Action: draft-ietf-6man-grand-02 - override flag for preferred address
>
>
>
> On Tue, Sep 15, 2020 at 10:55 PM Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
>
> > I did believe that your draft has already passed last call, I was late. Hence, I did not make one important comment.
>
>
>
> That's perfectly fine - as the IESG asked for both drafts (v6ops-nd-cache-init and 6man-grand) to be merged, there will be another WGLC for 6man-grand.
>
>
>
> > Meanwhile, I was working on my draft how to block MITM in ND. I am very unhappy about the leakage of information - you probably remember.
>
> > I have almost finished - MITM blocked except very corner cases of host-to-host communication (no routers).
>
> > But after many discussions with co-author we have found 1 hole that has been patched in this way:
>
> >
>
> > * Section 7.2.6 (Sending unsolicited NA) of [ND], add at the end:
>
> > A node SHOULD send Neighbor Advertisement message with Override flag set to the all-routers multicast address after respective address would change state to preferred.
>
> >
>
> > There is the section later that explains interoperability with all ND-related extensions. Interoperability to GRAND is explained in this way:
>
> > [Gratuitous ND] operates as intended in the combination with [Optimistic DAD].
>
> > [Gratuitous ND] is effectively replaced by this document for the case when address is progressed to preferred, because stronger form of unsolicited NA (with override bit set) is proposed.
>
> >
>
> > May be I am asking too much (you better know IETF practices).
>
> > 1. Could you consider to set Override flag after address progressed to Preferred? I need SHOULD.
>
> > 2. Could you consider to recommend to send at least 1 unsolicited NA after address would go to preferred? I need SHOULD.
>
>
>
> Setting O=1 would drastically increase the risk of disruption for a 'rightful' address owner, in case of duplicated addresses.
>
> If a host configures a new preferred address while the same address is in use by another host:
>
> - [without GRAND] the rightful owner continues to receive its traffic (and, potentially, some packets which actually belong to the new host). The new host does not have connectivity.
>
> - [with GRAND] the same
>
> - [ GRAND + O=1] the rightful owner losing the connectivity, and the new host starts receiving traffic for its own flows and some traffic which belongs to the rightful address owner.
>
>
>
> --
>
> SY, Jen Linkova aka Furry



-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email