Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
Fernando Gont <fgont@si6networks.com> Thu, 30 June 2022 17:26 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E98C13CDB1 for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 10:26:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.771
X-Spam-Level:
X-Spam-Status: No, score=-3.771 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c7EDcbFmAQEZ for <ipv6@ietfa.amsl.com>; Thu, 30 Jun 2022 10:26:18 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C18EEC14CF02 for <ipv6@ietf.org>; Thu, 30 Jun 2022 10:24:54 -0700 (PDT)
Received: from [IPV6:2800:810:464:8944:ed8e:69e2:6a03:b2d7] (unknown [IPv6:2800:810:464:8944:ed8e:69e2:6a03:b2d7]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 573732805CD; Thu, 30 Jun 2022 17:24:48 +0000 (UTC)
Message-ID: <0150b3b4-5ecb-c589-22aa-8a1ed6fcc926@si6networks.com>
Date: Thu, 30 Jun 2022 14:24:44 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
Content-Language: en-US
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Philipp S. Tiesel" <philipp@tiesel.net>
Cc: 6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Stuart Cheshire <cheshire@apple.com>
References: <164938402532.17740.11717866110301931501@ietfa.amsl.com> <b1780128-2069-b32e-7ca5-86977c119f0c@gmail.com> <11d4e419-11a9-8768-abf2-1335e5f1c3d8@gmail.com> <149924f9-da30-fa79-0509-c01c439d1796@gmail.com> <5BEFA97B-CF09-44D7-8C10-017FEAE4C3A8@tiesel.net> <e6ff75e7-b6c6-ea03-2e10-b1ad95d650f0@gmail.com> <98D15BD9-A631-4D09-AE9E-9D4C750714C9@tiesel.net> <95c82ad3-2138-ab2a-7ba5-57ad80472964@gmail.com> <E5C368C5-9DAE-4C61-ADDE-B881EA11EDA0@tiesel.net> <6968ca7b-dac3-b192-41ed-a193adab7eb4@gmail.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <6968ca7b-dac3-b192-41ed-a193adab7eb4@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/HGaobmj7BLBQwvmmvP-rFfKv0jM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2022 17:26:21 -0000
Hi, Brian, (It looks like this is a spin-off thread from another thread, so my apologies if I'm missing something) If the address you are trying to test is assumed to be that of a CE router, an attacker would probably try: fe80:: and/or PREFIX:: instead. works as charm in my dual-stack home scenario :) P.S.: not to mention the obvious ff02::1 and ff02::2 -- but these might or might not work with JS. Thanks, Fernando On 29/6/22 20:02, Brian E Carpenter wrote: > One more item about scripting attacks on link-local literal URLs: > > I spent a little time investigating this, using LL addresses > without a zone ID, but with current browsers on Windows 10, > where a default (null) zone ID is supported. > > I won't give details here, but it is quite possible to test > whether a specific LL address is present or absent on the local > link, in fewer than 20 lines of Javascript embedded in an > HTML document. However, it takes about 3500 milliseconds, > because I could not time out the HTTP request sooner than that > and still detect an active address. (The target that I tested > was my CE router, the browser was FireFox. The result for > Chrome was similar.) > > That means that a full search of the 64-bit IID space would > take 2^64 x 3500 ms, or about 2047 billion years. > > Even a full search of the 24-bit low order bits of a Modified EUI > identifier would take 2^24 x 3500 ms, or about 1.9 years. > (We can assume that a smart attacker would know the possible > manufacturer ID values for popular CE routers, so would only need > to brute-force search the low order bits: see RFC7707.) > > I don't think we should put these numbers in the draft, but I > think they illustrate (a) that a successful exploit is probably > not practical today and (b) using Modified EUI identifiers > is a really bad idea (which we knew, of course). > > Regards > Brian > > On 22-Jun-22 20:28, Philipp S. Tiesel wrote: >> Hi Brian, >> >>> On 21. Jun 2022, at 22:32, Brian E Carpenter >>> <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> >>> wrote: >>> >>> On 21-Jun-22 22:07, Philipp S. Tiesel wrote: >>>> Hi Brian, >>>>> On 17. Jun 2022, at 06:27, Brian E Carpenter >>>>> <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> >>>>> wrote: >>>>> >>>>> Philipp, >>>>> >>>>> First, thanks for taking the time to read the draft. Some comments >>>>> in line: >>>>> >>>>> On 15-Jun-22 01:54, Philipp S. Tiesel wrote: >>>>>> Dear authors and WG, >>>>>> based on this WG last call, I reviewed the document. Overall, it >>>>>> is well written and mostly ready to publish, >>>>>> but I have a) one issue with the Security considerations section >>>>>> and b) a possibly stupid question on usefulness in web context: >>>>>> a) The Security Considerations Section states: >>>>>>> It is conceivable that this format could be misused to probe a local >>>>>>> network configuration in some way. However, that would only be >>>>>>> possible for an attacker that had already gained sufficient control >>>>>>> of a host to originate HTTP messages. Such an attacker could more >>>>>>> easily probe using basic mechanisms such as the "ping" command. >>>>>> Is this true? What prevents an attack from embedding scoped IPv6 >>>>>> addresses in HTML documents, e.g., as part of an AD. >>>>> >>>>> Nothing, except that the attacker has no way of knowing a >>>>> link-local address in advance, and the search space for interface >>>>> identifiers is 2^64 (since we abandoned Modified EUI64). >>>> The CPEs I used recently, e.g,, products from AVM, still do EUI64 >>>> for link-local, secured IIDs are only used for GUAs. >>> >>> I have a FritzBox and indeed it uses EUI64, both for link-local (its >>> address as the default router) and for its address as a DNS server >>> (GUA or ULA). >>> >>>> Assuming an attacker who wants to use this as a >>>> fingerprinting-attack and has some idea which CPEs are used from >>>> which provider, this dramatically reduces the search space and may >>>> make fingerprinting feasible. >>> >>> Indeed. However, I am not sure that the browser itself supporting the >>> link-local zone ID will change that, especially on hosts that support >>> a default zone for link-local, where RFC6874[bis] is not even required. >> >> I guess the problem is rather exposing Link-Local networking as an URL >> that the Zone-ID itself. >> Adding the Zone-ID is just moving it from “something broken no-one >> really implemented” to “something that has a fair chance getting >> implemented. >> >> So, I agreed that the attack vector is not new and not really changed >> by draft-ietf-6man-rfc6874bis. Still I would prefer mentioning it in >> the security considerations and being less optimistic about EUI64 (and >> other schemes that enable fingerprinting) going away. >> >> AVE! >> Philipp >> >>> Brian >>> >>>>> >>>>> So, as I realised while reading Ted Lemon's comment, the only >>>>> available mechanism seems to be Javascript that would search the >>>>> fe80::/64 space for a valid address. I just don't know enough about >>>>> what JS can do to investigate this. Any further input would be very >>>>> welcome. >>>>> >>>>>> While the security model of the browser/device should prevent >>>>>> abusing it from taking action REST calls to your home router, >>>>>> including a well-known image from such a device should be possible >>>>>> and could be used to verify an identity by linking to the EUI64 >>>>>> address of your home router and verifying the image was loaded. >>>>>> This is far easier than “pinging” the router. >>>>> >>>>> I suppose there are many old home routers still using Modified >>>>> EUI64, but even so, the Interface ID contains 48 arbitrary bits >>>>> (even the OUI bits have to be guessed). So there is quite a >>>>> guessing game, and by the way, guessing the IPv4 address of the >>>>> home router should be *much* easier. Is this an exploit that anyone >>>>> will find useful? >>>> Based on the experience in the cookie and tracker wars, this seems >>>> not too far-fetched to assume someone tries to use CPE IIDs as >>>> super-cookie. >>>> Still, this kind of attack seems relatively easy to mitigate by >>>> restricting the usage of IPv6 literals with zone-identifiers. >>>>> >>>>>> b) Assuming a device has only link-local connectivity and a web >>>>>> interface, is there a way to reference “same interface as used for >>>>>> this connection”? >>>>> >>>>> Not that I can think of. In an o/s that assumes a default zone >>>>> (recommended by RFC 4007, but not always implemented) the same >>>>> effect might be possible, but that is true today, at least on Windows. >>>>> >>>>>> If not, such a web interface could only use relative links and >>>>>> things like re-direction to https will become hard. >>>>> >>>>> Thanks again. I think we need to ask for an early security review >>>>> to get this right. >>>>> >>>>> Brian >>>>> >>>>>> AVE! >>>>>> Philipp >>>>>>> On 11. Jun 2022, at 03:56, Brian E Carpenter >>>>>>> <brian.e.carpenter@gmail.com >>>>>>> <mailto:brian.e.carpenter@gmail.com>> wrote: >>>>>>> >>>>>>> Dear 6man-chairs (especially Jen), >>>>>>> >>>>>>> The authors believe that this draft is now stable and we request >>>>>>> a WG Last Call. It would be nice to get this done before the IETF >>>>>>> meeting. >>>>>>> >>>>>>> Regards >>>>>>> Brian Carpenter >>>>>>> >>>>>>> On 19-May-22 12:52, Brian E Carpenter wrote: >>>>>>>> There's been no more discussion for several weeks. Can we move >>>>>>>> on to a WG Last Call? >>>>>>>> Regards >>>>>>>> Brian Carpenter >>>>>>>> On 08-Apr-22 14:29, Brian E Carpenter wrote: >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> This version reflects comments at the IETF and on the list. >>>>>>>>> Change log: >>>>>>>>> * Extended use cases (added Microsoft WSD) >>>>>>>>> * Clarified relationship with RFC3986 language >>>>>>>>> * Allow for legacy use of RFC6874 format >>>>>>>>> * Augmented security considerations >>>>>>>>> * Editorial and reference improvements >>>>>>>>> >>>>>>>>> Note that some of the text about RFC3986 that Shang Ye >>>>>>>>> suggested to remove has been retained, but modified. Further >>>>>>>>> comments about this, or any other aspect, are very welcome. >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> Brian + co-authors >>>>>>>>> >>>>>>>>> On 08-Apr-22 14:13, internet-drafts@ietf.org >>>>>>>>> <mailto:internet-drafts@ietf.org> wrote: >>>>>>>>>> >>>>>>>>>> A New Internet-Draft is available from the on-line >>>>>>>>>> Internet-Drafts directories. >>>>>>>>>> This draft is a work item of the IPv6 Maintenance WG of the IETF. >>>>>>>>>> >>>>>>>>>> Title : Representing IPv6 Zone Identifiers in Address Literals >>>>>>>>>> and Uniform Resource Identifiers >>>>>>>>>> Authors : Brian Carpenter >>>>>>>>>> Stuart Cheshire >>>>>>>>>> Robert M. Hinden >>>>>>>>>> Filename : draft-ietf-6man-rfc6874bis-01.txt >>>>>>>>>> Pages : 13 >>>>>>>>>> Date : 2022-04-07 >>>>>>>>>> >>>>>>>>>> Abstract: >>>>>>>>>> This document describes how the zone identifier of an IPv6 scoped >>>>>>>>>> address, defined as <zone_id> in the IPv6 Scoped Address >>>>>>>>>> Architecture >>>>>>>>>> (RFC 4007), can be represented in a literal IPv6 address and in a >>>>>>>>>> Uniform Resource Identifier that includes such a literal >>>>>>>>>> address. It >>>>>>>>>> updates the URI Generic Syntax and Internationalized Resource >>>>>>>>>> Identifier specifications (RFC 3986, RFC 3987) accordingly, and >>>>>>>>>> obsoletes RFC 6874. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> The IETF datatracker status page for this draft is: >>>>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ >>>>>>>>>> <https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/> >>>>>>>>>> >>>>>>>>>> There is also an HTML version available at: >>>>>>>>>> https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> A diff from the previous version is available at: >>>>>>>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-rfc6874bis-01 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Internet-Drafts are also available by rsync at >>>>>>>>>> rsync.ietf.org::internet-drafts >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> I-D-Announce mailing list >>>>>>>>>> I-D-Announce@ietf.org >>>>>>>>>> https://www.ietf.org/mailman/listinfo/i-d-announce >>>>>>>>>> Internet-Draft directories: http://www.ietf.org/shadow.html >>>>>>>>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt >>>>>>>>>> >>>>>>> >>>>>>> -------------------------------------------------------------------- >>>>>>> IETF IPv6 working group mailing list >>>>>>> ipv6@ietf.org <mailto:ipv6@ietf.org> >>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >>>>>>> -------------------------------------------------------------------- >>>>>>> >>>>>> -- >>>>>> Philipp S. Tiesel >>>>>> https://philipp.tiesel.net/ <https://philipp.tiesel.net/> >>>>>> . >>>> AVE! >>>> Philipp S. Tiesel >>>> -- >>>> Philipp S. Tiesel >>>> https://philipp.tiesel.net/ <https://philipp.tiesel.net/> >> >> AVE! >> Philipp S. Tiesel / phils… >> -- >> {phils}--->---(phils@in-panik.de >> <mailto:phils@in-panik.de>)--->---(http://phils.in-panik.de >> <http://phils.in-panik.de>)----, >> wenn w eine aube ist dn man au dran dre en >> | >> o Schr an muss hc h (Kurt >> Schwitters) | >> :wq! <----(phone: +49-179-6737439)---<---(jabber: phils@in-panik.de >> <mailto:phils@in-panik.de>)----' >> > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- I-D Action: draft-ietf-6man-rfc6874bis-01.txt internet-drafts
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Brian E Carpenter
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt… tom petch
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt… Brian E Carpenter
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt… tom petch
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Brian E Carpenter
- Next step for draft-ietf-6man-rfc6874bis Brian E Carpenter
- Re: Next step for draft-ietf-6man-rfc6874bis Philipp S. Tiesel
- Re: Next step for draft-ietf-6man-rfc6874bis Bob Hinden
- Re: Next step for draft-ietf-6man-rfc6874bis Brian E Carpenter
- Re: Next step for draft-ietf-6man-rfc6874bis Jen Linkova
- Re: Next step for draft-ietf-6man-rfc6874bis Brian E Carpenter
- Re: Next step for draft-ietf-6man-rfc6874bis Philipp S. Tiesel
- Re: Next step for draft-ietf-6man-rfc6874bis Brian E Carpenter
- Re: Next step for draft-ietf-6man-rfc6874bis Philipp S. Tiesel
- Re: Next step for draft-ietf-6man-rfc6874bis Brian E Carpenter
- Scripting attacks [was Next step for draft-ietf-6… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Carsten Bormann
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Ted Lemon
- Re: Scripting attacks [was Next step for draft-ie… Carsten Bormann
- Re: Scripting attacks [was Next step for draft-ie… Ted Lemon
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Carsten Bormann
- RE: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Vasilenko Eduard
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Brian Carpenter
- RE: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Vasilenko Eduard
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Ted Lemon
- RE: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Vasilenko Eduard
- Re: Scripting attacks [was Next step for draft-ie… Kerry Lynn
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Ted Lemon
- RE: Scripting attacks [was Next step for draft-ie… Vasilenko Eduard
- RE: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Vasilenko Eduard
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Ted Lemon
- Re: Scripting attacks [was Next step for draft-ie… Fernando Gont
- Re: Scripting attacks [was Next step for draft-ie… Fernando Gont
- Re: Scripting attacks [was Next step for draft-ie… Fernando Gont
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: I-D Action: draft-ietf-6man-rfc6874bis-01.txt Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Simon
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Michael Richardson
- Re: Scripting attacks [was Next step for draft-ie… Ted Lemon
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter
- Re: Scripting attacks [was Next step for draft-ie… Michael Richardson
- Re: Scripting attacks [was Next step for draft-ie… Brian E Carpenter