Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 01 July 2022 03:10 UTC

From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Ted Lemon <mellon@fugue.com>, Stuart Cheshire <cheshire@apple.com>, Bob Hinden <bob.hinden@gmail.com>, 6man <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/CaK89plry-tYgEu8DTDPJu67q7Q>

On 01-Jul-22 10:12, Brian E Carpenter wrote:
> On 30-Jun-22 16:45, Carsten Bormann wrote:
>> On 30. Jun 2022, at 06:40, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>
>>> For the present draft, one thing my small experiment shows is that we won't make things worse by adding zone identifiers to URLs. They too have to be guessed by the attacker, and in modern Linux they are things like "enxb813ebc170a4" out of the box. That makes the attacker's job significantly harder.
>>
>> Do you know how enxb813ebc170a4 is generated?  (I.e., is the 48-bit thing in there guessable?)
> 
> No, I don't and it seems to be a complicated issue and very dependent on the exact Linux version:
> https://wiki.debian.org/NetworkInterfaceNames
> 
> It doesn't seem to be a function of the relevant MAC address. Maybe someone with Linux kernel expertise can answer.

Digging a bit more, https://www.freedesktop.org/software/systemd/man/systemd.net-naming-scheme.html claims such names *are* derived from the MAC address. And indeed, when I check again, that is exactly right on my Raspberry Pi where the example came from. I was wrong before (no excuse, just a mistake in looking at various hexadecimal numbers). For our present concern, this indeed gives the attacker another whole 2^24 to guess at. There's no consistency. My Linux desktop doesn't use that scheme at all, but things like enp4s0.

I think we can craft text about this, but we can't assume a 2^24 search for the zone identifier.

     Brian

> 
>      Brian
> 
> 
>>
>> I think I agree with the conclusion (at least, that it is quite hard/costly/lengthy to mount an attack based on this), but I think that it would be good to get a clean argument for that in the security considerations.
>>
>> Regards, Carsten
>>
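The reasoning in this thread, as an added worked example (not code from the thread, the draft, or systemd): a small Python module that derives the systemd "enx" name from a MAC address, splits an RFC 6874 bracketed literal into address and zone identifier, and estimates the size of the search space a guessed zone identifier adds. The MAC b8:13:eb:c1:70:a4 is read back from the enxb813ebc170a4 example above; treating non-MAC-derived names such as enp4s0 as effectively predictable is an assumption made here for the estimate.

```python
import re

# RFC 6874 ZoneID = 1*( unreserved / pct-encoded ); the "%" separator is written "%25" in a URI.
ZONEID_RE = re.compile(r'^(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+$')


def enx_name(mac: str) -> str:
    """systemd MAC-based name: 'enx' followed by the 12 hex digits of the MAC, lowercase."""
    digits = re.sub(r'[:\-]', '', mac).lower()
    if not re.fullmatch(r'[0-9a-f]{12}', digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return 'enx' + digits


def split_zone(host: str):
    """Split a bracketed IPv6 literal such as '[fe80::1%25enxb813ebc170a4]' into (address, zone).

    Returns (address, None) when no zone identifier is present. The zone is validated
    against the RFC 6874 ZoneID grammar and pct-decoded before it is returned.
    """
    literal = host[1:-1] if host.startswith('[') and host.endswith(']') else host
    addr, sep, zone = literal.partition('%25')
    if not sep:
        return addr, None
    if not ZONEID_RE.match(zone):
        raise ValueError(f"invalid ZoneID: {zone!r}")
    zone = re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), zone)
    return addr, zone


def zone_guess_bits(zone: str, oui_known: bool = True) -> int:
    """Bits of search space the zone identifier adds for someone who has to guess it.

    An enx name carries the full 48-bit MAC; if the vendor OUI (high 24 bits) is known,
    only the low 24 bits remain, which is the 2^24 figure discussed in the thread.
    Names like enp4s0 or eth0 follow a handful of common patterns, so they are treated
    here (assumption) as adding no meaningful barrier.
    """
    if re.fullmatch(r'enx[0-9a-f]{12}', zone):
        return 24 if oui_known else 48
    return 0
```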