Re: [Int-area] Route Information Options in Redirect Messages

Zied Bouziri <zied.bouziri@gmail.com> Wed, 11 January 2017 21:47 UTC

Return-Path: <zied.bouziri@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A92C1295A7; Wed, 11 Jan 2017 13:47:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Z1dszB3MIV8; Wed, 11 Jan 2017 13:47:52 -0800 (PST)
Received: from mail-wj0-x244.google.com (mail-wj0-x244.google.com [IPv6:2a00:1450:400c:c01::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E6DD12950E; Wed, 11 Jan 2017 13:47:52 -0800 (PST)
Received: by mail-wj0-x244.google.com with SMTP id dh1so83890wjb.3; Wed, 11 Jan 2017 13:47:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=SSRZkOzCTlMUwft72yrOysL8kCRvX4I3INUEuwcRd4o=; b=siNW+83qRz4/OQh6FIAm/c6NmrrkAuw75yMBGIX7JX4pqON6uwOtZyEphvg2FS4C8V rr1+enfDWuF0oS9TYhlGzJ2VYe4huXqjoaUo5hhOBaI8D0sVxFZB5FVK7XNNip43PhX3 Y8E74KS8qK72CVFZmrK8zlG+5hc9cnhpEbSZAowA1q4CCtW4YWidAyijNV8kNtMxfzOL n5Bc+xF8TT4CMobnY1EVM3EQeAHqopJqzFIaOXo1z3qNwHBo7VMvAv1mbXlKEL0ID6Cm vi+D5CCxN/3jQsWf9fhvTqu6yvWvxOBqNVyKIHlqVWKwoS8VLN9gLoDETZ3mi32EaP8u bb5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=SSRZkOzCTlMUwft72yrOysL8kCRvX4I3INUEuwcRd4o=; b=ley669ezerED6Io1GVJhPaHnpMHCzu+rEFwtW8VXk5nKUWY2kVoY3PqtA0Yku78oti /a4vTieSu83ko5JCdCd2frQzQksX2MG98bBAzNtOkUhfzV0anry1+/u4cvh7WCsaSLdf jkTeYLVPy4FpFSXQFxH06uvpzyf8yqCxJAu6AR8v2846xf6E30AjCV9hi95UDSZXQjGe zcrRPQson1u/bUTbdGj9jNN75sz+hsM/7cUZxXmZ2lSk6UKaj0DMR/sGoP9w8rGuVctA Hn8hVaonm5SwFYDlNEAvO4BBqB1ghLMcS2YkN6W5R6MiKvzQqwJh5SZaFT6MgULjpnk/ sQAw==
X-Gm-Message-State: AIkVDXIf5uhEFyFJBZdrhpHBQkREVRHGaCH6iFVrwM+S49RLEuEZNO+yfxauIzqUP7EVBA==
X-Received: by 10.194.109.168 with SMTP id ht8mr6680198wjb.36.1484171270677; Wed, 11 Jan 2017 13:47:50 -0800 (PST)
Received: from [192.168.1.2] ([41.225.64.83]) by smtp.gmail.com with ESMTPSA id k11sm10893900wmb.18.2017.01.11.13.47.48 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 11 Jan 2017 13:47:49 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_03BAFB09-429E-4614-BCDE-0F6311BE5072"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Subject: Re: [Int-area] Route Information Options in Redirect Messages
From: Zied Bouziri <zied.bouziri@gmail.com>
In-Reply-To: <6d21dd17f0b94a39a71600944878ec39@XCH15-06-08.nw.nos.boeing.com>
Date: Wed, 11 Jan 2017 22:47:46 +0100
Message-Id: <BFB9A939-2CA7-4E00-8B93-5548CDA244E3@gmail.com>
References: <b0d15d2e8b3e414abf4e87c60d39e252@XCH15-06-08.nw.nos.boeing.com> <32fbea25-01c9-aa32-e70f-3e1282f56294@gmail.com> <5cd024891c204a9bb37dcc23796c36c6@XCH15-06-08.nw.nos.boeing.com> <016f01d26b78$870895a0$9519c0e0$@huitema.net> <6d21dd17f0b94a39a71600944878ec39@XCH15-06-08.nw.nos.boeing.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/A3JX73cWAhuxw9MMEkfs4h0rsTA>
Cc: 6man WG <ipv6@ietf.org>, INT Area <int-area@ietf.org>, Christian Huitema <huitema@huitema.net>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2017 21:47:55 -0000

Hi Fred
In section 6 :
"Namely, the protocol must take measures to secure IPv6 ND messages on links where spoofing attacks are possible »
By reading this passage, I have the impression that there are links where attack spoofing is possible and others not !
How can we know if this attack is possible or not in a specified link ?
Thank you 
Zied

> Le 10 janv. 2017 à 22:52, Templin, Fred L <Fred.L.Templin@boeing.com> a écrit :
> 
> Hi Christian,
> 
>> -----Original Message-----
>> From: Christian Huitema [mailto:huitema@huitema.net]
>> Sent: Tuesday, January 10, 2017 11:34 AM
>> To: Templin, Fred L <Fred.L.Templin@boeing.com>om>; 'Brian E Carpenter' <brian.e.carpenter@gmail.com>om>; '6man WG' <ipv6@ietf.org>rg>;
>> 'INT Area' <int-area@ietf.org>
>> Subject: RE: [Int-area] Route Information Options in Redirect Messages
>> 
>> On Tuesday, January 10, 2017 9:55 AM, Fred Templin wrote:
>>> ...
>>> What is being proposed in the document I submitted is the inclusion of
>>> RIOs in Redirect messages for a *prefix* that is not on-link, as opposed
>>> to a singleton destination. So, the same SHOULD in the paragraph above
>>> would seem to apply also to prefix redirection the same as for ordinary
>>> destination redirection.
>> 
>> Fred, I am reading the security section of your draft. I think it needs a
>> bit more work.
>> 
>> Currently, the RIO are only expected in router advertisements. RA are
>> somewhat special, and there is often specific code in switches to check RA
>> and prevent RA spoofing -- e.g., RA-Guard. Allowing the option in Redirect
>> messages could very well bypass the RA specific checks. Doesn't that open
>> the path for new attacks? Should you not say something about that in the
>> security section? How about specific mitigations, such as sanity checks when
>> processing redirect messages?
> 
> Since IP will still operate correctly if transmission of Redirect messages is
> somehow suppressed (i.e., denial of Redirect service), the more serious
> threat to be considered is spoofing. Here is what currently appears under
> Security Considerations:
> 
>   "Security considerations for Redirect messages that include RIOs are
>   the same as for any IPv6 ND messages as specified in Section 11 of
>   [RFC4861].  Namely, the protocol must take measures to secure IPv6 ND
>   messages on links where spoofing attacks are possible.
> 
>   A spoofed Redirect message containing no RIOs could cause corruption
>   in the host's destination cache while a spoofed Redirect message
>   containing RIOs could corrupt the host's routing tables.  While the
>   latter would seem to be a more onerous result, the possibility for
>   corruption is unacceptable in either case."
> 
> So, from the first paragraph, we can see that the protocol must take
> measures to secure IPv6 ND messages on links where spoofing attacks
> are possible. The second paragraph then analyzes the consequences of
> what could happen if a spoofing attack were successful and we see that
> there are unacceptable negative consequences for both traditional
> Redirects and Redirects that include RIOs.
> 
> The text stops short of saying that "no Redirects of any kind should be
> used on links where spoofing attacks are possible". Would adding a
> statement such as this address the concern?
> 
> Thanks - Fred
> fred.l.templin@boeing.com
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

Best Regards, مع تحياتي
Zied BOUZIRI، زياد بوزيري
ISET Charguia, Tunisie
www.bouziri.tn <http://www.bouziri.tn/>