RE: New draft-vasilenko-6man-nd-mitm-protection-00.txt against SAVI (RFC6620)

Vasilenko Eduard <vasilenko.eduard@huawei.com> Mon, 28 September 2020 13:13 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Fernando Gont <fgont@si6networks.com>, Fernando Gont <fernando@gont.com.ar>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: New draft-vasilenko-6man-nd-mitm-protection-00.txt against SAVI (RFC6620)
Date: Mon, 28 Sep 2020 13:13:31 +0000
Message-ID: <e388cee88b2c49659d41d2dc8f193261@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/D2n050uWPpTYV90243xnpSGBw80>

Hi All,
The comment from Fernando is reasonable:
> > https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-sy/ip6-nd-inspect.html
The proposed draft is a replacement for SAVI.
The proposed draft is a little better:
- SAVI is very complicated and expensive on switches, and available only on a small portion of vendors
- An intruder could be the 1st to claim an address (if the server is in reload); then SAVI would create a MITM: all users (from other subnets) would contact the server and show their credentials to the intruder
- It is better to fix an L3 problem at L3, not rely on L2 for L3 security
But in principle, it is possible to rely on SAVI.

Before the WG would make a decision to leave this ND security problem to L2.

Fernando,
I have googled who else supports RFC 6620 (in addition to Cisco). These are HPE and Aruba.
Is that the full list of who is protected against leakage of information?
Is it enough to consider the problem solved?

Ed/