IETF Logo Mail Archive

Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 09 June 2017 06:17 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1350127275 for <ipv6@ietfa.amsl.com>; Thu, 8 Jun 2017 23:17:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.332
X-Spam-Level:
X-Spam-Status: No, score=-0.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F5YOUsrfFxby for <ipv6@ietfa.amsl.com>; Thu, 8 Jun 2017 23:17:39 -0700 (PDT)
Received: from oxalide-smtp-out.extra.cea.fr (oxalide-smtp-out.extra.cea.fr [132.168.224.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CD3F120721 for <ipv6@ietf.org>; Thu, 8 Jun 2017 23:17:39 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id v596Ha4d106614 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:36 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 40A7A203496 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:36 +0200 (CEST)
Received: from muguet1.intra.cea.fr (muguet1.intra.cea.fr [132.166.192.6]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 36D40202A4A for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:36 +0200 (CEST)
Received: from [132.166.84.95] ([132.166.84.95]) by muguet1.intra.cea.fr (8.15.2/8.15.2/CEAnet-Intranet-out-1.4) with ESMTP id v596HZQX011734 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:17:35 +0200
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: ipv6@ietf.org
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com> <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com> <CALx6S36pQe3vJS8H2s3AJ8e5ZdLaKQh+_zeb_Vu+OkOVRYp2yA@mail.gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <4c510f4e-f6cb-4b9d-490f-9b873db7d2f0@gmail.com>
Date: Fri, 09 Jun 2017 08:17:34 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CALx6S36pQe3vJS8H2s3AJ8e5ZdLaKQh+_zeb_Vu+OkOVRYp2yA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: fr
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EDMTM5ZzZ7bGyGRpbFpCMKEMaxA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 06:17:42 -0000


Le 09/06/2017 à 05:03, Tom Herbert a écrit :
> On Thu, Jun 8, 2017 at 7:46 PM, Mark Smith <markzzzsmith@gmail.com> 
> wrote:
>> On 9 June 2017 at 03:17, Fernando Gont <fgont@si6networks.com> 
>> wrote:
>>> On 06/08/2017 02:41 PM, Lorenzo Colitti wrote:
>>>> On Wed, Jun 7, 2017 at 9:03 PM, Fernando Gont 
>>>> <fgont@si6networks.com <mailto:fgont@si6networks.com>> wrote:
>>>> 
>> <snip>
>>> 
>>> The point is that when employing manual configuration, addresses 
>>> always have small entropy. Hence employing a lot of bits doesn't 
>>> buy much, because folks simply do not use them for additional 
>>> entropy.
>>> 
>> 
>> So I was specifically talking about network infrastructure devices
>>  benefiting from large entropy in 64 bit IIDs.
>> 
>> My view comes from slides like this one, showing in 2012 there were
>> 268 000 Cisco IOS devices SNMP exposed to the Internet with a 
>> 'public' community, and 18 000 with 'private'.
>> 
>> https://speakerdeck.com/hdm/derbycon-2012-the-wild-west?slide=54
>> 
>> Cisco IOS devices obviously aren't hosts. People have very 
>> successfully scanned for and discovered devices that network 
>> operators should be securing.
>> 
>> Here's more recent similar data from 2016. Much better, however 
>> still a lot of targets.
>> 
>> https://www.shodan.io/report/mTVIRLZi
>> 
>> 
>> I'm not aware of similar data for other network equipment vendors.
>>  Cisco is going to be the biggest target.
>> 
>> This is about raising the security bar, and with manually 
>> configured addresses with high entropy, or RFC7217 on routers and 
>> switches out of the box, raising it by default. If the device
>> can't be discovered, it isn't possible to send a packet to it.
>> 
> Mark,
> 
> I don't quite understand this statement. Isn't is true that If I send
> a packet to any IID in the prefix for a device it will reach the
> device and be processed?

Well depends on the link on which that device is.

If it is on a ptp link like current cellular then yes, it receives all
the packets addressed to all IIDs within the /64 it is allocated.  It is
this property that is exploited by '64share' technique to make such
devices routers.  It is not a good property, but yes there is.

On another hand, if it is a device on a more shared link more like true
Ethernet, then it receives only packets addressed to the addresses
within that /64 that have been configured on the interface (for which it
answers with NA).

Remark also that there are proposals of acting more like ptp even in the
second case (the 'WiFi /64 unique prefix per host' document).

So - it depends on the link.

> I may not get a response because that's not the IID randomly chosen 
> as the address of the device, but it still seems like that could be 
> used for DOS (like a tuple attack on a NIC queue) if the prefix is 
> discovered or predictable.

This is the case if the link is ptp, or if it is WiFi with a /64
assigned per host.

It is not the case (not all packets to all IIDs in a /64 reach a host
which has not configured them on the iface) if the link is WiFi and the
/64 is shared among all hosts on that link.

(which makes think what you say above is a security risk that could be
literally be pointed to the /64-per-host
draft-v6ops-unique-ipv6-prefix-per-host proposal in v6ops WG; and that
there are some RFCs about network scanning like RFC5157 "Implications of
IPv6 Network Scanning").

And, even if the /64 is shared among multiple hosts on that link,
sending an arbitrary packet (TCP Ack?) in a D-DoS manner to all
addresses in a /64 prefix is an attack to the Router in charge of that
link and on the link itself: there could be very many NSs sent to the
link (a 'storm').  The larger the plen the bigger the storm.

Alex

> Tom
> 
>> If you choose to specifically lower device security against 
>> discovery by putting routers in DNS, or allowing routers to
>> respond to traceroutes, you consciously know you're lowering it for
>> the specific device and can be vigilant when taking other measures
>> to raise it again (ACLs etc.)
>> 
>> Note that I'm not saying this is the only security measure you 
>> should have. It is an additional defence in depth measure that IPv6
>> addressing can provide to network infrastructure devices that IPv4
>> addressing could not.
>> 
>> Regards, Mark.
>> 
>> --------------------------------------------------------------------
>>
>>
>> 
IETF IPv6 working group mailing list
>> ipv6@ietf.org Administrative Requests: 
>> https://www.ietf.org/mailman/listinfo/ipv6 
>> --------------------------------------------------------------------
>
>>
>> 
> --------------------------------------------------------------------
>  IETF IPv6 working group mailing list ipv6@ietf.org Administrative 
> Requests: https://www.ietf.org/mailman/listinfo/ipv6 
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email