Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

Simon Hobson <linux@thehobsons.co.uk> Fri, 09 June 2017 09:34 UTC

Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
From: Simon Hobson <linux@thehobsons.co.uk>
In-Reply-To: <CAKD1Yr2ay5Hn_vdc14jJ7WQbgJzMZ_SE+n1S0ZpYMQ5CoPQ0sg@mail.gmail.com>
Date: Fri, 09 Jun 2017 10:33:50 +0100
Message-Id: <85EDB7AA-6E5C-4834-8E63-14086B4F868B@thehobsons.co.uk>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com> <CAKD1Yr2ay5Hn_vdc14jJ7WQbgJzMZ_SE+n1S0ZpYMQ5CoPQ0sg@mail.gmail.com>
To: 6man WG <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/aIIpDKBC8JOVU9ajlU9hHFKlaB0>

Lorenzo Colitti <lorenzo@google.com> wrote:

> But they could. If the server had a /64 prefix, then it could store useful information in the 64 bits. For example, SNI (which sends information in the clear) might not be necessary any more.

I don't think that's much of a security feature !

Whether you use SNI or distinct addresses, it's clear what site the packets are going to. If anything, it's easier with distinct addresses as you only need to see the destination address field rather than inspect the contents of the packet to get the SNI element. The sort of people who are going to be looking into packets to get the SNI will have no trouble building a table of addresses-sites to map destination addresses to site just using destination address.


Mark Smith <markzzzsmith@gmail.com> wrote:

> If you choose to specifically lower device security against discovery
> by putting routers in DNS, or allowing routers to respond to
> traceroutes, you consciously know you're lowering it for the specific
> device and can be vigilant when taking other measures to raise it
> again (ACLs etc.)

Firstly, I think you are over-estimating the skills of the "typical" network admin. In my experience, only a small minority would realise the tradeoffs and take any sensible measures - hence the figures given for the number of known Cisco devices with the front doors open. It was interesting when I pointed NetDisco at the campus network I used to admin and saw how many of the customers' routers it was able to interrogate just by following CDP neighbour information from my Cisco switches (which were locked down with non-standard SNMP community strings). These were mostly engineering firms in an industry where you'd expect security to be "somewhat better" !

But then we come to the other aspects. One of my pet peeves is people who disable pings (and/or traceroute) "for security" - thus making network troubleshooting far more of a problem than it should be.

But if you are going to use well randomised addresses for network devices, you will have to put them in DNS if you want to be able to access them in a convenient manner. Once you put them in DNS, then you've lost half the benefit of random addresses anyway. Well, you could randomise the DNS names - but then you shift the problem to knowing the DNS name !