Re: [v6ops] SLAAC security concerns

Gert Doering <gert@space.net> Tue, 04 August 2020 20:28 UTC

Date: Tue, 04 Aug 2020 22:28:47 +0200
From: Gert Doering <gert@space.net>
To: Ted Lemon <mellon@fugue.com>
Cc: Gert Doering <gert@space.net>, Vasilenko Eduard <vasilenko.eduard@huawei.com>, Michael Richardson <mcr+ietf@sandelman.ca>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Subject: Re: [v6ops] SLAAC security concerns
Message-ID: <20200804202847.GB2485@Space.Net>
References: <f52c4463862f44b5ba2a9d41db86d231@huawei.com> <20200804194448.GA2485@Space.Net> <6370DE53-9EC6-4141-97C6-3B223939012A@fugue.com>
In-Reply-To: <6370DE53-9EC6-4141-97C6-3B223939012A@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/HD8GdQtNa-57aWUNsxsbouG2yXo>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Hi,

On Tue, Aug 04, 2020 at 04:15:22PM -0400, Ted Lemon wrote:
> On Aug 4, 2020, at 3:44 PM, Gert Doering <gert@space.net> wrote:
> > There are too many broken switch vendors out there that show again and
> > again that "implementing multicast is hard", breaking IPv6 ND in the 
> > process.
> 
> Why don't you return that switch for a refund?
> 
> (I've never run into a switch that had trouble with IPv6 multicast, but admittedly I only have four different switches in my house, so that's not a very big sample.)

$20 switches tend not to be affected.

It's the more expensive ones where developers intended to "do the right
thing with multicast!" and never got around to actually implementing it.

Or where you need to turn on - or *off* - MLD to make link-local multicast
work, but the default is the wrong way around.

I have seen this on devices from three different vendors - Extreme, Juniper,
and "something that DECIX was using like 15 years ago" - and of course not
all models or all firmware versions are affected.  But when it happens, it's
lifetime you won't get back.


If I were to return every device in my network where a developer messed
up something the IETF made too complex in protocol design, I would have
a very secure, and very power-efficient result - but no network anymore.

(And your response very nicely demonstrates why operators get fed up
trying to participate in IETF)

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Management board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Supervisory board chair: A. Grundner-Culemann
D-80807 Muenchen                 Commercial register: HRB 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         VAT ID: DE813185279
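Added example (editor's note, not part of Gert's message or the thread): the failure mode described above, an MLD snooping switch that does not forward the link-local groups ND depends on, is easy to reason about once you know which groups an interface must receive. The script below computes, for a host's unicast addresses, the solicited-node groups (RFC 4291, section 2.7.1) and the Ethernet multicast MACs they map to (RFC 2464, section 7), and then reports which of those groups a snooping switch would drop toward a port. The switch model is an assumption for illustration: ff02::1 is treated as always flooded (RFC 4541 says snooping switches should forward it on all ports, since no MLD report is ever sent for it), and every other group is forwarded only if the switch has learnt it from an MLD report on that port. The sample addresses are constructed.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")      # every interface, never reported via MLD
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")    # routers only (RS from hosts go here)
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """Solicited-node multicast group for a unicast address (RFC 4291 2.7.1):
    ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended.
    NS for address resolution and DAD are sent to this group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group):
    """Ethernet destination MAC for an IPv6 multicast group (RFC 2464 section 7):
    33:33 followed by the low 32 bits of the group address. This is the MAC a
    snooping switch has to let through on the right ports."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{g} is not an IPv6 multicast address")
    low32 = int(g) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def required_groups(unicast_addrs, is_router=False):
    """Groups an interface must receive for ND to work, sorted by address.
    Several addresses with the same low 24 bits share one solicited-node group."""
    groups = {ALL_NODES}
    if is_router:
        groups.add(ALL_ROUTERS)
    for a in unicast_addrs:
        groups.add(solicited_node(a))
    return sorted(groups, key=int)


def missing_groups(required, learnt_on_port):
    """Assumed snooping model (not any vendor's): ff02::1 is always flooded;
    any other group reaches the port only if the switch learnt it from an MLD
    report on that port. Returns the required groups the switch would drop."""
    learnt = {ipaddress.IPv6Address(g) for g in learnt_on_port}
    return [g for g in required if g != ALL_NODES and g not in learnt]


if __name__ == "__main__":
    # Constructed sample host: link-local plus one global address.
    host_addrs = ["fe80::abcd:ef12", "2001:db8::abcd:ef12"]
    needed = required_groups(host_addrs)
    for g in needed:
        print(f"{g!s:24} -> {multicast_mac(g)}")

    # Switch port that has seen no MLD report from this host (the "MLD on, but
    # default wrong" case): everything except ff02::1 is dropped, so NS for
    # this host never arrive and address resolution/DAD fail.
    print("dropped with no reports learnt:", [str(g) for g in missing_groups(needed, set())])
    # Same port after the report was processed: nothing is dropped.
    print("dropped after report learnt:   ",
          [str(g) for g in missing_groups(needed, {"ff02::1:ffcd:ef12"})])
```

The check to run against a real switch follows from the output: on the host, confirm it has joined the listed groups (on Linux, `ip -6 maddr show dev <if>`), then verify the switch's MLD snooping table shows those groups on that port; if the groups are missing and ff02::1 is the only thing reaching the host, ND will break exactly as the message describes.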