Re: Running code, sending (Was: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt)

[Lee Howard <lee@asgard.org>]

On 10/24/18 9:30 AM, Alexandre Petrescu wrote:
> context: I sent this RA with IPv6-only flag in a switched sizeable
> IPv4-only office network.

Thanks for trying this. I don't think it satisfies my desire for 
implementation, which was to see how clients would respond. I gave the 
specific case where clients responding differently might actually stop 
interoperating (i.e., if some used IPv4 and others did not).

>
> To my surprise I now keep receiving TCP SYNs from some neighbours who
> insist on reaching a few particular GUAs starting with 2620:, 2a00: and
> 2a02:. These neighbors self-configured addresses in the "d00d" prefix
> that is specified in that scapy RA howto, and this woke up their IPv6 
> stack.

You sent an "ipv6only" flagged RA to an IPv4-only network, and now some 
devices on the network are trying to use you for IPv6 connectivity?

>
> An hour passed and have not received a call from IT department, which is
> good. (typically they call very soon when there is some security risk).

If it's an IPv4-only network, could it be that they have no tools for 
assessing IPv6 security risks?

This sounds pretty broken. Great example of why all networks need IPv6: 
if you're not running IPv6 on your network, somebody else (maybe 
Alexandre) is.

>
> I think the IPv6-only flag does not break anything at this time (the TCP
> SYN flood I get is because I put a fake prefix there d00d; but IPv6
> Hosts should learn to not blindly trust someone sending an RA for 
> playing.)
>
> Alex


That, too.

Lee


>
>
> Le 24/10/2018 à 15:17, Alexandre Petrescu a écrit :
>> correction: b.res=2 (instead of 1).
>>
>> attached the packet capture
>>
>>
>> Le 24/10/2018 à 14:43, Alexandre Petrescu a écrit :
>>> Hi,
>>>
>>> Le 24/10/2018 à 12:30, Job Snijders a écrit : [...]
>>>> This is not discrimination. If authors don't have the capability
>>>> to develop running code themselves, and also don't have access
>>>> to resources nor are able to convince others to implement a
>>>> protocol specification... the IETF's prime directive of
>>>> interoperability can't be met anyway.
>>>
>>> On windows install python and scapy, then make an RA[*] and write 
>>> b.res=1. This sets the 6th Reserved flag, now called 'IPv6-Only'.
>>>
>>> I just sent one, hoping sky wouldnt fall on my head :-)
>>>
>>> Alex [*] how to make an RA with scapy tool is described at 
>>> https://samsclass.info/124/proj11/proj9xN-scapy-ra.html
>>>
>>> --------------------------------------------------------------------
>>>
>>>
> IETF IPv6 working group mailing list
>>> ipv6@ietf.org Administrative Requests:
>>> https://www.ietf.org/mailman/listinfo/ipv6 
>>> --------------------------------------------------------------------
>>
>>>
>>
>>
>> -------------------------------------------------------------------- 
>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
>> Requests: https://www.ietf.org/mailman/listinfo/ipv6 
>> --------------------------------------------------------------------
>>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------