Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 09 June 2017 06:17 UTC
Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1350127275 for <ipv6@ietfa.amsl.com>; Thu, 8 Jun 2017 23:17:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.332
X-Spam-Level:
X-Spam-Status: No, score=-0.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5YOUsrfFxby for <ipv6@ietfa.amsl.com>; Thu, 8 Jun 2017 23:17:39 -0700 (PDT)
Received: from oxalide-smtp-out.extra.cea.fr (oxalide-smtp-out.extra.cea.fr [132.168.224.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CD3F120721 for <ipv6@ietf.org>; Thu, 8 Jun 2017 23:17:39 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id v596Ha4d106614 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:36 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 40A7A203496 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:36 +0200 (CEST)
Received: from muguet1.intra.cea.fr (muguet1.intra.cea.fr [132.166.192.6]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 36D40202A4A for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:36 +0200 (CEST)
Received: from [132.166.84.95] ([132.166.84.95]) by muguet1.intra.cea.fr (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id v596HZQX011734 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:35 +0200
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: ipv6@ietf.org
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com> <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com> <CALx6S36pQe3vJS8H2s3AJ8e5ZdLaKQh+_zeb_Vu+OkOVRYp2yA@mail.gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <4c510f4e-f6cb-4b9d-490f-9b873db7d2f0@gmail.com>
Date: Fri, 09 Jun 2017 08:17:34 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CALx6S36pQe3vJS8H2s3AJ8e5ZdLaKQh+_zeb_Vu+OkOVRYp2yA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EDMTM5ZzZ7bGyGRpbFpCMKEMaxA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 06:17:42 -0000
Le 09/06/2017 à 05:03, Tom Herbert a écrit : > On Thu, Jun 8, 2017 at 7:46 PM, Mark Smith <markzzzsmith@gmail.com> > wrote: >> On 9 June 2017 at 03:17, Fernando Gont <fgont@si6networks.com> >> wrote: >>> On 06/08/2017 02:41 PM, Lorenzo Colitti wrote: >>>> On Wed, Jun 7, 2017 at 9:03 PM, Fernando Gont >>>> <fgont@si6networks.com <mailto:fgont@si6networks.com>> wrote: >>>> >> <snip> >>> >>> The point is that when employing manual configuration, addresses >>> always have small entropy. Hence employing a lot of bits doesn't >>> buy much, because folks simply do not use them for additional >>> entropy. >>> >> >> So I was specifically talking about network infrastructure devices >> benefiting from large entropy in 64 bit IIDs. >> >> My view comes from slides like this one, showing in 2012 there were >> 268 000 Cisco IOS devices SNMP exposed to the Internet with a >> 'public' community, and 18 000 with 'private'. >> >> https://speakerdeck.com/hdm/derbycon-2012-the-wild-west?slide=54 >> >> Cisco IOS devices obviously aren't hosts. People have very >> successfully scanned for and discovered devices that network >> operators should be securing. >> >> Here's more recent similar data from 2016. Much better, however >> still a lot of targets. >> >> https://www.shodan.io/report/mTVIRLZi >> >> >> I'm not aware of similar data for other network equipment vendors. >> Cisco is going to be the biggest target. >> >> This is about raising the security bar, and with manually >> configured addresses with high entropy, or RFC7217 on routers and >> switches out of the box, raising it by default. If the device >> can't be discovered, it isn't possible to send a packet to it. >> > Mark, > > I don't quite understand this statement. Isn't is true that If I send > a packet to any IID in the prefix for a device it will reach the > device and be processed? Well depends on the link on which that device is. If it is on a ptp link like current cellular then yes, it receives all the packets addressed to all IIDs within the /64 it is allocated. It is this property that is exploited by '64share' technique to make such devices routers. It is not a good property, but yes there is. On another hand, if it is a device on a more shared link more like true Ethernet, then it receives only packets addressed to the addresses within that /64 that have been configured on the interface (for which it answers with NA). Remark also that there are proposals of acting more like ptp even in the second case (the 'WiFi /64 unique prefix per host' document). So - it depends on the link. > I may not get a response because that's not the IID randomly chosen > as the address of the device, but it still seems like that could be > used for DOS (like a tuple attack on a NIC queue) if the prefix is > discovered or predictable. This is the case if the link is ptp, or if it is WiFi with a /64 assigned per host. It is not the case (not all packets to all IIDs in a /64 reach a host which has not configured them on the iface) if the link is WiFi and the /64 is shared among all hosts on that link. (which makes think what you say above is a security risk that could be literally be pointed to the /64-per-host draft-v6ops-unique-ipv6-prefix-per-host proposal in v6ops WG; and that there are some RFCs about network scanning like RFC5157 "Implications of IPv6 Network Scanning"). And, even if the /64 is shared among multiple hosts on that link, sending an arbitrary packet (TCP Ack?) in a D-DoS manner to all addresses in a /64 prefix is an attack to the Router in charge of that link and on the link itself: there could be very many NSs sent to the link (a 'storm'). The larger the plen the bigger the storm. Alex > Tom > >> If you choose to specifically lower device security against >> discovery by putting routers in DNS, or allowing routers to >> respond to traceroutes, you consciously know you're lowering it for >> the specific device and can be vigilant when taking other measures >> to raise it again (ACLs etc.) >> >> Note that I'm not saying this is the only security measure you >> should have. It is an additional defence in depth measure that IPv6 >> addressing can provide to network infrastructure devices that IPv4 >> addressing could not. >> >> Regards, Mark. >> >> -------------------------------------------------------------------- >> >> >> IETF IPv6 working group mailing list >> ipv6@ietf.org Administrative Requests: >> https://www.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- > >> >> > -------------------------------------------------------------------- > IETF IPv6 working group mailing list ipv6@ietf.org Administrative > Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- Giving up security & privacy when manually config… Mark Smith
- Re: Giving up security & privacy when manually co… David Farmer
- Re: Giving up security & privacy when manually co… Fred Baker
- Re: Giving up security & privacy when manually co… Job Snijders
- Re: Giving up security & privacy when manually co… Christopher Morrow
- Re: Giving up security & privacy when manually co… Tom Herbert
- Re: Giving up security & privacy when manually co… sthaug
- Re: Giving up security & privacy when manually co… Erik Kline
- Re: Giving up security & privacy when manually co… sthaug
- Re: Giving up security & privacy when manually co… Fernando Gont
- Re: Giving up security & privacy when manually co… Fernando Gont
- Re: Giving up security & privacy when manually co… Mark Andrews
- Re: Giving up security & privacy when manually co… Nick Hilliard
- Re: Giving up security & privacy when manually co… Mark Smith
- Re: Giving up security & privacy when manually co… Philip Homburg
- Re: Giving up security & privacy when manually co… Lorenzo Colitti
- Re: Giving up security & privacy when manually co… Simon Hobson
- Re: Giving up security & privacy when manually co… Fernando Gont
- Re: Giving up security & privacy when manually co… Lorenzo Colitti
- Re: Giving up security & privacy when manually co… Fernando Gont
- Re: Giving up security & privacy when manually co… Mark Smith
- Re: Giving up security & privacy when manually co… Tom Herbert
- Re: Giving up security & privacy when manually co… Lorenzo Colitti
- Re: Giving up security & privacy when manually co… Fernando Gont
- Re: Giving up security & privacy when manually co… Alexandre Petrescu
- Re: Giving up security & privacy when manually co… Mark Smith
- Re: Giving up security & privacy when manually co… Simon Hobson
- Re: Giving up security & privacy when manually co… Tom Herbert
- Re: Giving up security & privacy when manually co… Fernando Gont
- Re: Giving up security & privacy when manually co… Fernando Gont