Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
"Ebalard, Arnaud" <Arnaud.Ebalard@eads.net> Thu, 10 May 2007 15:21 UTC
Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HmAST-0001En-0m; Thu, 10 May 2007 11:21:33 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HmASR-0001Eh-3w for ipv6@ietf.org; Thu, 10 May 2007 11:21:31 -0400
Received: from mx1.its.eads.net ([193.56.40.66]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HmASP-00043R-Pr for ipv6@ietf.org; Thu, 10 May 2007 11:21:31 -0400
Received: from fr-gate2.mailhub.intra.corp ([53.154.16.34]) by mx1.its.eads.net with Microsoft SMTPSVC(6.0.3790.2499); Thu, 10 May 2007 17:19:04 +0200
Received: from sfrsu800.hq.corp ([10.21.8.22]) by fr-gate2.mailhub.intra.corp with Microsoft SMTPSVC(5.0.2195.6713); Thu, 10 May 2007 17:24:22 +0200
Received: from [172.16.23.99] (10.251.5.23 [10.251.5.23]) by gecko.hq.corp with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72) id H92ZL76H; Thu, 10 May 2007 17:21:29 +0200
X-Mailer: Apple Mail (2.752.2)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Thu, 10 May 2007 17:21:27 +0200
Message-ID: <570FBEF5-2CF0-4C06-A5B5-C07A0586C6AB@eads.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
Thread-Index: AceTFuIAN3B6duJ2QxyqU7f62mXkYg==
From: "Ebalard, Arnaud" <Arnaud.Ebalard@eads.net>
To: Pekka Savola <pekkas@netcore.fi>
X-OriginalArrivalTime: 10 May 2007 15:24:22.0625 (UTC) FILETIME=[4946B510:01C79317]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 82c9bddb247d9ba4471160a9a865a5f3
Cc: Brian Haberman <brian@innovationslab.net>, IETF IPv6 Mailing List <ipv6@ietf.org>
Subject: Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org
Oy, Le 10 mai 07 à 16:49, Pekka Savola a écrit : > On Thu, 10 May 2007, Jeroen Massar wrote: >> As such, when you are a transit provider, and you have on the >> edges of >> your network some vulnerable hosts, those hosts can be used to apply >> this attack to your network. >> >> The documentation should thus specify that, where possible, RH0 >> should >> be filtered at customer borders. > > Well, IMHO that's a bit unnecessary. > > If you see packet ping-pong on the Internet, it's an indication that > ingress and egress filters haven't been adequately set up. Adding > those will stop your network's bandwidth being wasted. > > Maybe this RH0 vulnerability will turn out for the good after all if > it means better BCP38/84 deployment :-) I agree. To sum up : - ingress filtering will prevent the use of clients unpatched/non compliant clients nodes for bouncing RH0 traffic towards the internet. This will limit potential attacks to internal networks in the worst case scenario (if nothing is done by site administrators). This is efficiently implemented as this is done on the leaves. This does not impacts clients for regular traffic (including MIPv6). - on core routers, if RH0 are not processed as a result of deprecation/deactivation, this prevents their use for bouncing RH0 traffic: this also makes the Hop Limit an effective mean for limiting things too as the average distance between 2 possible waypoints (non compliant / unpatched) will be far higher than at the moment. In worst case scenario, an attacker could use 2 leaves in the network (i.e. in a single ISP network) and locally wastes some bandwidth. Basically, this will motivate the network operator to implement ingress filtering ;-) As deprecation also guarantees attackers won't be able to target service on compliant hosts, only unpatched/unfiltered ones will undergo attacks (in worst case scenario). Cheers, a+ -- Arnaud Ebalard EADS Innovation Works - IT Sec Research Engineer PGP KeyID:047A5026 FingerPrint:47EB85FEB99AAB85FD0946F30255957C047A5026 -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Pekka Savola
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Brian Haberman
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jari Arkko
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Pekka Savola
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… George V. Neville-Neil
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… gnn
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… George V. Neville-Neil
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Tim Enos
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Routing Header Type 0 way forward Brian Haberman