Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Sander Steffann <sander@steffann.nl> Fri, 19 October 2018 17:09 UTC

Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <CAFU7BAR1a=DQ_A390Px3jeh=yhSYWLAhQUmn73Qe2ve8DEXutA@mail.gmail.com>
Date: Fri, 19 Oct 2018 19:09:09 +0200
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, 6man <ipv6@ietf.org>
Message-Id: <1E09561E-5604-49D5-A725-76CE09B080CD@steffann.nl>
References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com> <CAFU7BASO_ByzbanhLKnWV280O_fASd-8W+ujpj3sN6d2-whw2w@mail.gmail.com> <CACWOCC-u7aAPwAOcixYvt2On=-o_8X25GhqdXTfA+tWRC1o2XA@mail.gmail.com> <alpine.DEB.2.20.1810191534430.26856@uplift.swm.pp.se> <422E06B9-8A68-4905-9901-7F4E201ADAB2@employees.org> <alpine.DEB.2.20.1810191557270.26856@uplift.swm.pp.se> <alpine.DEB.2.20.1810191604200.26856@uplift.swm.pp.se> <CABB810B-A895-4D1E-ABD8-DA8CA699F056@steffann.nl> <CAFU7BAR1a=DQ_A390Px3jeh=yhSYWLAhQUmn73Qe2ve8DEXutA@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/97LZxoFrAtcfJbRqnl3rQTqiETI>

Hi,

> All those people can take the whole network (almost) down with a
> single packet w/o the v6-only flag anyway.
> How about this:
> - kids/students/disgruntled employees/you can send an RA with GUA PIO
> and RDNSS option;
> - hosts start sending IPv6 traffic to IPv6-enabled destinations to the
> rogue host;
> - it would be enough for the attacker to respond with SYN/ACK to TCP
> handshake to take Happy Eyeballs out of the picture for TCP traffic;

And here you go beyond "a single packet".

> - the attacker can also answer DNS requests and make the situation
> even worse (if the victims prefer to use RDNSS servers);

Same here.

>> Such networks have no capacity for debugging anyway, and because of the low number of packets necessary to sustain the attack won't know what hit them. ISPs will get calls about the internet being broken, ICT consultants will spend hours searching for the cause of the problem, they will all blame "that annoying IPv6 thingy" etc etc etc. Let's avoid all of that.
> 
> I agree we shall avoid all of that. But the way to do this is not by
> setting/unsetting some flags in RAs but by implementing proper IPv6
> security.

The world of SMBs and home networks is not like that... The vast majority of SMBs don't even have a manageable switch.

Cheers
Sander
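The rogue-RA sequence quoted in this message (an RA from an unauthorised sender carrying a GUA Prefix Information option and an RDNSS option) can be recognised on the wire by a host or a monitoring box that already knows which routers are legitimate. What follows is an added example written for this page, not code from the thread, the 6man draft or any of the posters: it serialises and parses the ICMPv6 RA payload with plain struct code and flags that combination. The trusted-router list, the 2001:db8:bad::/64 prefix, the resolver address and the packet bytes are all constructed for illustration. It inspects only the ICMPv6 payload; a real monitor must also check the IPv6 header (hop limit 255, link-local source) before trusting anything here.

```python
"""Rogue Router Advertisement triage.

Added example for this thread (not code from the 6man draft or the posters):
serialise and parse the ICMPv6 RA payload, then flag the combination the
quoted message describes: an RA from a sender that is not one of the known
routers, carrying an autonomous GUA prefix and an RDNSS option.
All addresses, the trusted-router list and the packet bytes are constructed.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861
OPT_PREFIX_INFO = 3      # Prefix Information option, RFC 4861 4.6.2
OPT_RDNSS = 25           # Recursive DNS Server option, RFC 8106 5.1
GUA = ipaddress.IPv6Network("2000::/3")
RA_HDR = "!BBHBBHII"     # type, code, cksum, hoplimit, flags, lifetime, reachable, retrans


def build_ra(prefixes, rdnss, router_lifetime=1800):
    """Serialise an RA payload. Checksum is left 0 (the kernel fills it)."""
    payload = struct.pack(RA_HDR, ND_ROUTER_ADVERT, 0, 0, 64, 0x00,
                          router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # L (0x80) and A (0x40) flags set: on-link and SLAAC-able; 32 bytes = 4 units
        payload += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                               0xC0, 2592000, 604800, 0, net.network_address.packed)
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        # length is in 8-octet units: 1 for the fixed part + 2 per address
        payload += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600) + addrs
    return payload


def parse_ra(payload):
    """Parse an RA payload into router lifetime, PIOs and RDNSS servers.

    Malformed options (zero length, or running past the packet) raise
    ValueError, which is what RFC 4861 5.1 says a receiver must do."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack(RA_HDR, payload[:16])[5]
    ra = {"router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        body = payload[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("ND option runs past end of packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[2], body[3]
            net = ipaddress.IPv6Network(
                "%s/%d" % (ipaddress.IPv6Address(body[16:32]), plen), strict=False)
            ra["prefixes"].append({"prefix": net, "autonomous": bool(pflags & 0x40)})
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            for i in range(8, len(body), 16):
                ra["rdnss"].append(ipaddress.IPv6Address(body[i:i + 16]))
        # other option types (SLLA, MTU, ...) are skipped by their length
        off += olen * 8
    return ra


def assess_ra(src, payload, trusted_routers):
    """Return ("trusted"|"rogue", findings) for one RA.

    src is the IPv6 source of the packet (must be link-local per RFC 4861);
    trusted_routers is the monitor's list of legitimate router addresses
    (an assumption of this example, not something the protocol provides)."""
    ra = parse_ra(payload)
    src = ipaddress.IPv6Address(src)
    trusted = {ipaddress.IPv6Address(t) for t in trusted_routers}
    findings = []
    if src not in trusted:
        findings.append("RA from unknown router %s (lifetime %d)"
                        % (src, ra["router_lifetime"]))
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"].subnet_of(GUA):
            findings.append("autonomous GUA prefix %s: hosts will SLAAC into it"
                            % p["prefix"])
    for s in ra["rdnss"]:
        findings.append("RDNSS pushes resolver %s" % s)
    return ("trusted" if src in trusted else "rogue"), findings


# Constructed sample: a rogue RA from an unknown link-local address.
TRUSTED_ROUTERS = ["fe80::1"]
ROGUE_SRC = "fe80::1234:56ff:fe78:9abc"
ROGUE_RA = build_ra(["2001:db8:bad::/64"], ["2001:db8:bad::53"])

if __name__ == "__main__":
    verdict, findings = assess_ra(ROGUE_SRC, ROGUE_RA, TRUSTED_ROUTERS)
    print(verdict)
    for f in findings:
        print(" -", f)
```

The check covers the first two steps of the quoted sequence (rogue PIO and RDNSS); the SYN/ACK trick that defeats Happy Eyeballs happens at the transport layer once hosts already have the rogue address, so it is not visible in the RA at all. The findings list is deliberately computed even for a trusted router, since a legitimate router that suddenly starts advertising a new GUA prefix is also worth a look. None of this replaces the switch-side protection (RA Guard) that the reply refers to as "proper IPv6 security"; it is the kind of host-side or span-port check a network without a manageable switch can still run.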