Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Jen Linkova <furry13@gmail.com> Fri, 19 October 2018 16:52 UTC

References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com> <CAFU7BASO_ByzbanhLKnWV280O_fASd-8W+ujpj3sN6d2-whw2w@mail.gmail.com> <CACWOCC-u7aAPwAOcixYvt2On=-o_8X25GhqdXTfA+tWRC1o2XA@mail.gmail.com> <alpine.DEB.2.20.1810191534430.26856@uplift.swm.pp.se> <422E06B9-8A68-4905-9901-7F4E201ADAB2@employees.org> <alpine.DEB.2.20.1810191557270.26856@uplift.swm.pp.se> <alpine.DEB.2.20.1810191604200.26856@uplift.swm.pp.se> <CABB810B-A895-4D1E-ABD8-DA8CA699F056@steffann.nl>
In-Reply-To: <CABB810B-A895-4D1E-ABD8-DA8CA699F056@steffann.nl>
From: Jen Linkova <furry13@gmail.com>
Date: Sat, 20 Oct 2018 03:52:23 +1100
Message-ID: <CAFU7BAR1a=DQ_A390Px3jeh=yhSYWLAhQUmn73Qe2ve8DEXutA@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
To: Sander Steffann <sander@steffann.nl>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, 6man <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/IrkXQJEcf_juEUcRO0rsUIHpwx4>

On Sat, Oct 20, 2018 at 3:42 AM Sander Steffann <sander@steffann.nl> wrote:
> My main fear is for SMB networks which often are still IPv4-only (which also needs to be fixed, but that's a separate issue), don't have managed switches or WiFi controllers with no RA Guard etc. There are many such networks. Those networks are vulnerable to rogue RAs already, but happy eyeballs can mitigate the impact of someone messing with that. If this flag can kill IPv4 on the network then hosts become completely disconnected and happy eyeballs won't be able to mitigate anymore.
>
> Yes, a serious attacker can do more harm even without this flag. This flag could however make it possible for kids/students/disgruntled employees/me/etc to bring down the network with a single packet.

All those people can take the whole network (almost) down with a
single packet w/o the v6-only flag anyway.
How about this:
- kids/students/disgruntled employees/you can send an RA with GUA PIO
and RDNSS option;
- hosts start sending IPv6 traffic to IPv6-enabled destinations to the
rogue host;
- it would be enough for the attacker to respond with SYN/ACK to TCP
handshake to take Happy Eyeballs out of the picture for TCP traffic;
- the attacker can also answer DNS requests and make the situation
even worse (if the victims prefer to use RDNSS servers).

> Such networks have no capacity for debugging anyway, and because of the low number of packets necessary to sustain the attack won't know what hit them. ISPs will get calls about the internet being broken, ICT consultants will spend hours searching for the cause of the problem, they will all blame "that annoying IPv6 thingy" etc etc etc. Let's avoid all of that.

I agree we shall avoid all of that. But the way to do this is not by
setting/unsetting some flags in RAs but by implementing proper IPv6
security.


--
SY, Jen Linkova aka Furry
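The reply above argues that the "proper IPv6 security" answer is to watch for and block unexpected RAs rather than to rely on a flag. As an added illustration (not part of this thread, the draft, or any participant's code), the following Python sketches the monitoring side of that: it parses an ICMPv6 Router Advertisement (RFC 4861 fixed header, Prefix Information option, RDNSS option from RFC 8106) and flags exactly the pattern described in the list above: an RA from a link-local source that is not a known router, an autonomous GUA prefix that is not the segment's, or an RDNSS server that is not the segment's resolver. The packet bytes, router addresses, prefixes and the `POLICY` table are all constructed for the example; it assumes the caller has already captured the RA payload and the sender's link-local address (from a raw socket, a pcap, or a switch's RA-guard logs) and does not send anything.

```python
"""Toy rogue-RA monitor (added example; constructed packets and policy)."""
import ipaddress
import struct

ICMPV6_RA = 134                              # RFC 4861 Router Advertisement
OPT_PIO = 3                                  # Prefix Information option
OPT_RDNSS = 25                               # Recursive DNS Server option (RFC 8106)
GUA = ipaddress.IPv6Network("2000::/3")      # global unicast space


def parse_ra(payload: bytes) -> dict:
    """Parse the RA fixed header and its PIO / RDNSS options; other options are skipped."""
    if len(payload) < 16:
        raise ValueError("RA shorter than its fixed header")
    (msg_type, code, _checksum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),        # M flag
        "other_config": bool(flags & 0x40),   # O flag
        "router_lifetime": router_lifetime,   # 0 means "not a default router"
        "prefixes": [],
        "rdnss": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 4.6: receiver must discard
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if otype == OPT_PIO and olen == 4:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Address(body[14:30]),
                "prefix_len": plen,
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # A flag: hosts will SLAAC on it
                "valid": valid,
                "preferred": preferred,
            })
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            lifetime = struct.unpack("!I", body[2:6])[0]
            servers = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(6, len(body), 16)]
            ra["rdnss"].append({"lifetime": lifetime, "servers": servers})
        off = end
    return ra


def assess_ra(src: str, payload: bytes, policy: dict) -> list[str]:
    """Findings for one RA. `policy` maps a router's link-local address to the
    prefixes and RDNSS servers it is allowed to advertise on this segment."""
    ra = parse_ra(payload)
    findings = []
    expected = policy.get(src)
    if expected is None:
        findings.append(f"RA from unexpected source {src}")
    for p in ra["prefixes"]:
        net = ipaddress.IPv6Network((p["prefix"], p["prefix_len"]), strict=False)
        if expected is not None and net in expected["prefixes"]:
            continue
        if p["autonomous"] and net.subnet_of(GUA):
            findings.append(f"unexpected autonomous GUA prefix {net} from {src}")
    for opt in ra["rdnss"]:
        for srv in opt["servers"]:
            if expected is None or srv not in expected["rdnss"]:
                findings.append(f"unexpected RDNSS server {srv} from {src}")
    return findings


# --- constructed fixtures (parser input only; nothing is transmitted) -------
def _pio(prefix: str, plen: int) -> bytes:
    """Prefix Information option with L and A set, 30d valid / 7d preferred."""
    return struct.pack("!BBBBIII", OPT_PIO, 4, plen, 0xC0, 2592000, 604800, 0) \
        + ipaddress.IPv6Address(prefix).packed


def _rdnss(server: str) -> bytes:
    return struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(server).packed


RA_HEADER = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
LEGIT_RA = RA_HEADER + _pio("2001:db8:1::", 64) + _rdnss("2001:db8:1::53")
ROGUE_RA = RA_HEADER + _pio("2001:db8:bad::", 64) + _rdnss("2001:db8:bad::1")

POLICY = {   # the one router that is supposed to exist on this segment
    "fe80::1": {"prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")},
                "rdnss": {ipaddress.IPv6Address("2001:db8:1::53")}},
}

if __name__ == "__main__":
    for src, pkt in (("fe80::1", LEGIT_RA), ("fe80::dead", ROGUE_RA)):
        for line in assess_ra(src, pkt, POLICY) or ["ok"]:
            print(src, "->", line)
```

The policy table is the whole point: on a segment with no RA Guard, a host-side or mirror-port monitor that knows which link-local address may advertise which prefix and resolver turns the "single packet" described above into an alert with the rogue's source address in it, which is what an ISP help desk or ICT consultant would need to find the box.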