Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 05 July 2022 20:24 UTC

Message-ID: <84051939-be78-731f-fd29-6056f1fcb886@gmail.com>
Date: Wed, 06 Jul 2022 08:24:22 +1200
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
To: Michael Richardson <mcr+ietf@sandelman.ca>, 6man <ipv6@ietf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <31680.1657032425@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9HiVHnuC1Hv9R2R4m0lyj84KSKI>
X-BeenThere: ipv6@ietf.org
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

A bit off topic here perhaps, but:

> PS: how long to scan all of RFC1918 space... 2^24 for 10.xx, and then far
>     less than double that for the rest of 172.16 and 192.168.x.y.

Hardly any time, given that the router's IPv4 address is probably written
on its "getting started" guide. It wouldn't be hard to compile a list.
I'd try 192.168.178.1 first, 10.1.1.1 second, and so on. It always seems
to be x.x.x.1. So you could probably do it in a matter of minutes.

I still don't think these numbers should be in the draft, because it's
easy to prove them wrong for any particular scenario.

Regards
    Brian

On 06-Jul-22 02:47, Michael Richardson wrote:
> 
> Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>      > The sweet spot seems to be about several thousand threads, which is
>      > impressive. I estimate from my observations that a carefully designed
>      > script could scan about 1000 addresses per second, without alarming the
>      > user that something was going on. That would amount to 585 million
>      > years to scan a 64 bit space, *but* only 4.6 hours to scan a 24 bit
>      > space. (All based on my very ordinary Windows laptop and home network.)
> 
> So if the attacker is looking for a specific device with a known EUI, because
> they have a specific attack in mind against that device, then 4.6 hours.
> I leave some tabs open for weeks (Google calendar), but for many unusual
> ones, if you got me to open the tab just before going to bed, I might leave
> it open all night.
> 
> PS: how long to scan all of RFC1918 space... 2^24 for 10.xx, and then far
>      less than double that for the rest of 172.16 and 192.168.x.y.
> 
>      > That's interesting, because it means that there is no realistic risk if
>      > using a random 64 bit interface identifier, but a real exposure if
>      > using a Modified EUI, since many of the bits are guessable, as
>      > discussed in RFC 7707. The numbers above are clearly specific to a
>      > particular scenario, but we will mention this point in the draft
>      > (update coming very soon).
> 
> I think that this part of the draft might become the most interesting
> argument for IPv6 for home IoT.
> 
> I was thinking that if TLS was required each time, then it would be longer,
> but no point in trying TLS if the TCP SYN does not finish.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide
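The thread's comparison between a random 64-bit interface identifier and a Modified EUI-64 one (where, per RFC 7707, a known vendor OUI leaves only 24 bits to guess) can be checked in a few lines. The following is an added example, not code from the thread or its participants; it classifies an IPv6 address's IID and reproduces the scan-time figures quoted above using the thread's assumed rate of 1000 addresses per second. The sample addresses are constructed documentation-prefix values.

```python
import ipaddress

# Figures quoted in the thread: ~1000 addresses/second from a browser
# script, a 64-bit IID versus a 24-bit search space (assumption: year = 365.25 days).
SCAN_RATE_PER_SEC = 1000
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def scan_time_hours(bits: int, rate: float = SCAN_RATE_PER_SEC) -> float:
    """Hours needed to enumerate every value of a `bits`-wide space at `rate`/s."""
    return (2 ** bits) / rate / SECONDS_PER_HOUR


def scan_time_years(bits: int, rate: float = SCAN_RATE_PER_SEC) -> float:
    """Years needed to enumerate every value of a `bits`-wide space at `rate`/s."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def iid_bytes(addr: str) -> bytes:
    """Low 64 bits (the interface identifier) of an IPv6 address, as 8 bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def is_modified_eui64(addr: str) -> bool:
    """True if the IID carries the 0xff 0xfe padding that RFC 4291 inserts
    when a 48-bit MAC is expanded into a Modified EUI-64 identifier."""
    iid = iid_bytes(addr)
    return iid[3] == 0xFF and iid[4] == 0xFE


def mac_from_modified_eui64(addr: str) -> str:
    """Recover the MAC embedded in a Modified EUI-64 IID: drop the ff:fe
    padding and flip the universal/local bit (0x02) back to its MAC form."""
    iid = iid_bytes(addr)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def assess(addr: str) -> dict:
    """Audit helper (hypothetical name): report the IID type and how many
    bits remain unknown to someone who already knows the /64 prefix.
    With a Modified EUI-64 IID the OUI (first three MAC bytes) is usually
    guessable, so only 24 bits remain; a random IID leaves all 64."""
    if is_modified_eui64(addr):
        mac = mac_from_modified_eui64(addr)
        return {"iid_type": "modified-eui64", "oui": mac[:8],
                "unknown_bits": 24, "scan_hours": scan_time_hours(24)}
    return {"iid_type": "random-or-other", "oui": None,
            "unknown_bits": 64, "scan_years": scan_time_years(64)}
```

Running `assess` over a host's own global addresses is a quick way to confirm that RFC 7217 or RFC 8981 style identifiers are in use rather than EUI-64-derived ones.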