[IPv6]Re: draft-ietf-6man-snac-router-ra-flag-06 ietf last call Secdir review

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 24 May 2026 20:46 UTC

To: Ted Lemon <mellon@fugue.com>, Prachi Jain <prachi.jain1288@gmail.com>, IETF SecDir <secdir@ietf.org>
CC: draft-ietf-6man-snac-router-ra-flag.all@ietf.org, IETF IPv6 Mailing List <ipv6@ietf.org>, Last Call <last-call@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/D7_CnXleOHIhYM7UsvEar5UzKxU>

Would RA Guard mitigate these threats? If yes, then the Security Considerations should RECOMMEND deployment of RA rather than detailing specific threats, IMHO.

Regards/Ngā mihi
    Brian Carpenter

On 25-May-26 07:45, Ted Lemon wrote:
> There are so many ways to DoS a network if you are directly connected to it. Why would you bother with an attack like this that's so limited? Why not just send a rogue RA yourself, for example?
> 
> On Sun, May 24, 2026, at 9:38 PM, Prachi Jain via Datatracker wrote:
>> Document: draft-ietf-6man-snac-router-ra-flag
>> Title: SNAC Router Flag in ICMPv6 Router Advertisement Messages
>> Reviewer: Prachi Jain
>> Review result: Has Issues
>>
>> Sorry for the delay.
>>
>> I have not identified any new security issues. However, I want to note that
>> several concerns raised against earlier versions remain unaddressed in v06 as
>> well. Also, it looks like v06 has regressed. The cross-reference to
>> snac-simple's security considerations was deleted. Section 6 now provides less
>> guidance than earlier.
>>
>> These 2 issues are still unaddressed:
>>
>> * An on-link attacker can forge the SNAC flag and affect SNAC router behavior.
>>   RFC 4861's Hop Limit=255 only protects against off-link attackers.
>> * An on-path attacker can strip the SNAC flag from a legitimate RA before
>>   forwarding it, causing receiving devices to fall back to degraded behavior
>>   silently.
>>
>> If I am missing some conversation here, please let me know but I would like to
>> ensure that we clarify this before moving forward.
>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org <mailto:ipv6@ietf.org>
>> List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/ <https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/>
>> --------------------------------------------------------------------
>>
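
The point in the quoted review that RFC 4861's Hop Limit=255 check stops only off-link senders, shown as an added Python example that is not part of the original thread or of the draft: a receiver-side validity check plus a watcher that reports any change in the RA flags byte per source. The sample packets are constructed, and bit 0x02 is an arbitrary stand-in, not the draft's SNAC flag assignment.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type for Router Advertisement (RFC 4861)

def parse_ra(src, hop_limit, icmp):
    """Apply RFC 4861 section 6.1.2 sanity checks; return the RA flags byte or None."""
    if hop_limit != 255:          # shows the packet was not forwarded, nothing more
        return None
    if not ipaddress.IPv6Address(src).is_link_local:
        return None
    if len(icmp) < 16:            # fixed part of an RA is 16 octets
        return None
    icmp_type, code, _cksum, _cur_hl, flags = struct.unpack_from("!BBHBB", icmp)
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        return None
    return flags

def watch(packets):
    """Return alerts for rejected RAs and for flags that differ from the last RA per source."""
    last, alerts = {}, []
    for src, hop_limit, icmp in packets:
        flags = parse_ra(src, hop_limit, icmp)
        if flags is None:
            alerts.append((src, "rejected by RFC 4861 checks"))
            continue
        prev = last.get(src)
        if prev is not None and prev != flags:
            alerts.append((src, f"flags changed, bits 0x{prev ^ flags:02x}"))
        last[src] = flags
    return alerts

def make_ra(flags):
    # type, code, checksum (not verified here), cur hop limit, flags,
    # router lifetime, reachable time, retrans timer
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)

# Constructed samples: (source address, IPv6 Hop Limit, ICMPv6 bytes).
# 0x02 is an arbitrary stand-in bit, not the draft's SNAC flag position.
SAMPLES = [
    ("fe80::1", 255, make_ra(0x02)),  # baseline RA from the router
    ("fe80::1", 255, make_ra(0x02)),  # unchanged
    ("fe80::1", 255, make_ra(0x00)),  # bit cleared, still passes every RFC 4861 check
    ("fe80::1", 64, make_ra(0x02)),   # forwarded from off-link: Hop Limit is not 255
]

if __name__ == "__main__":
    for alert in watch(SAMPLES):
        print(alert)
```

Because an on-link sender can also choose the source address, the watcher is a detection aid and does not authenticate the RA.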