IETF Logo Mail Archive

Re: Errata for RFC4862

神明達哉 <jinmei@wide.ad.jp> Mon, 09 January 2017 17:39 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EC97129443 for <ipv6@ietfa.amsl.com>; Mon, 9 Jan 2017 09:39:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z16f236s9f42 for <ipv6@ietfa.amsl.com>; Mon, 9 Jan 2017 09:39:12 -0800 (PST)
Received: from mail-qt0-x235.google.com (mail-qt0-x235.google.com [IPv6:2607:f8b0:400d:c0d::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4FB7129445 for <ipv6@ietf.org>; Mon, 9 Jan 2017 09:39:11 -0800 (PST)
Received: by mail-qt0-x235.google.com with SMTP id l7so93490990qtd.1 for <ipv6@ietf.org>; Mon, 09 Jan 2017 09:39:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=1bKrcSyrLDBZLPVp2p2g92ocRfJDH2snixqvn6Laxnw=; b=lTFTlJwDcaiY0RxxRKBUr5mzsjkhRsggm1X3vkg8DBXHUF7Z7qC3T5WMenbBtugJQv BXVte6A9eM0u4REILUMZ2yenZectwA+NCWSCEkWbHoV5pc2aitnnNNVu8E7DLXWJIhzK Skzh94oTgKpKnatbFUsYVS1vjalrT9/oDFM8Y73huL89puEomitY+2T7ecKq1K9WK5hH ojVu/Os8oIp2oZk8WUMSU2y+ixcf1FeycKt+A3Kr3lOgqw/s7/yQXszdrNmDM5/5Zxg0 ihO2+8p0lcCdFX6Z3C+Tqsakaa+H7SLZj67lV25kWbEnwwh0B9mFEiEI1NuPgAw914Nt fbjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=1bKrcSyrLDBZLPVp2p2g92ocRfJDH2snixqvn6Laxnw=; b=IT5sdiP34bF+GB8c7scP3a26/F+T8yxHHSX7z3awmMUuzFXkr6I9x0eO4a5GIGbwHl GW7BkoRjUfMjCz10DfMD1V3J3j4b9WAjBJQhYc2rLEJyAwRvKMayQ9qjAaVS/fcuu0bx LdLELp/URWVjSMjB6wpPNJ/UJOIiJcf0C25LJyqKSeHbbWdtwGf5/hUYfRCWOMSievXX TE5Cuyt2kyzwNjptC0Jzc642R3/P3FcjRM9SqE0XsBvdMVe6NYSfmaAW9ZHUe5+1SkmV Ap/lIMYXIQMpxYoWBM+hLVm7iRCH81dDVlki+eEUE4oIcGZJyxpbPxgN+Kqsquc2zyYF nnyw==
X-Gm-Message-State: AIkVDXIv6jCGs9yGeXhVpvwKQRpNBKhBkiLEdmUbgm4srqh58EU7hSL5DZ1BkC/t55SeXm2qNZFxW72xJ5d0dA==
X-Received: by 10.200.42.93 with SMTP id l29mr94710662qtl.289.1483983550822; Mon, 09 Jan 2017 09:39:10 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.60.29 with HTTP; Mon, 9 Jan 2017 09:39:10 -0800 (PST)
In-Reply-To: <CAO42Z2xH9wqXKFjtAbv6isQ3cG1=FNUmkNFq2DGJdqj9BFDVaQ@mail.gmail.com>
References: <CAO42Z2xH9wqXKFjtAbv6isQ3cG1=FNUmkNFq2DGJdqj9BFDVaQ@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Mon, 09 Jan 2017 09:39:10 -0800
X-Google-Sender-Auth: DGcEHk_cyKF6-vEk9c3eRUbfVls
Message-ID: <CAJE_bqdFECFgZnqNjVmMEnWe93ucPOuYcqjXyeVtPvhoVHObjw@mail.gmail.com>
Subject: Re: Errata for RFC4862
To: Mark Smith <markzzzsmith@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/WCvnK8senkUrX0sstBJM46hwoA4>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2017 17:39:13 -0000

At Sun, 8 Jan 2017 16:30:04 +1100,
Mark Smith <markzzzsmith@gmail.com> wrote:

> An attacker could take advantage of this by doing the following:
>
> 1. Send an initial RA with a ValidLifetime of 2 hours, which would pass Check 1.
> 2. Wait until around 1 hour and 59.5 minutes, and then send an RA with
> a ValidLifetime of 61 seconds.

I guess the unstated assumption behind this defense of RFC4862 is that
at least some legitimate RA containing a PIO with a sufficiently long
valid lifetime updates the lifetime during this 1-hour-and-59.5-minute
period.  Of course, we cannot always assume this, but as I believe
everyone understands, this defense is supposed to be quite basic and
weak anyway, and does not intend to prevent all kinds of DoS attempt
by most sophisticated attackers under all possible circumstances.

In that sense the current text of RFC4862 actually does what it
intended to do with originally perceived limitations, so I don't see
the need for the proposed update.

At the very least I don't think this is an editorial error.  If we now
agree that the currently described defense is too weak, it should be
addressed as a protocol update to the RFC.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email