IETF Logo Mail Archive

Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

Tom Herbert <tom@herbertland.com> Fri, 09 June 2017 15:30 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A4B7129B51 for <ipv6@ietfa.amsl.com>; Fri, 9 Jun 2017 08:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q5NCh3TKUkxi for <ipv6@ietfa.amsl.com>; Fri, 9 Jun 2017 08:30:06 -0700 (PDT)
Received: from mail-wr0-x231.google.com (mail-wr0-x231.google.com [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 930C7129AE8 for <ipv6@ietf.org>; Fri, 9 Jun 2017 08:30:05 -0700 (PDT)
Received: by mail-wr0-x231.google.com with SMTP id q97so37200844wrb.2 for <ipv6@ietf.org>; Fri, 09 Jun 2017 08:30:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Q2aVQcY5LovHCCpPD3rqrV/PiI+KHxhiSe6XFZ4/dok=; b=xkRMlkOuqzYP8CWd3Lh47t2Z/hULxGeqNPhAglAZd5DVYBmNQSVoubKeWLjgYAk5d0 dZ84jyyoRrgOX2VrLhR7BDURiZRVR4Gia++XMB1oOtHTO1/ufcFbBqlUiL6DqTqg+Fe+ abiDnZZkYlsAYKWurLai2TcH+7rq2KVM6TwNdNPFaPA1wD9ji8VtQsIOrKs14W4qnXr6 yyOs9VGQgOyLuqaI4rGey9DiXtTycHPkN87PyHQ6/nFw2T+MbQRaAv0mXXL1a8Hwo3pg 1+Nx4LzwwOrEeo0NOIPajVgp9qJI789iey1cTewwz7SjuMB56GuHrnU1ZsuCMadRtBYi OiTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Q2aVQcY5LovHCCpPD3rqrV/PiI+KHxhiSe6XFZ4/dok=; b=SRoMwG3cbcGny/graBvgGxxuIrnc3Gr3qgcCTvXLrVHaaUOlRIx2yDD9+8+LY7sdCP dTy1sIU7ZmcPJv9ahS598O6fWnPlk05lsCXI8Yxb+fAqaGWwsLAVqDubHax0YSPxU+Jb N1HE5nwVTjgZ835HQIG9Mtxmi4k5DKwvLrm45EwIYLHMrAyEDu2OrsNSaOBTkAMGiAGV c8PHgbucDNobnGMRguCvxgYuVg21pbsVMbkqTzGPo6NNVnVIoSgfonz3n/HXO9Zl6xsP /GdNvSmdxZnjDaNbg1czs6GVHJJXzKjVDqrhOERbyszrUF4lD0Cq66j3MRVSAiCC+t3W aFGA==
X-Gm-Message-State: AKS2vOyvyKiL07vjj3f/WcX2wazU/d0xIaNPC5V4ETv0LuLyh3Uj8TNG yA+sKNhinPZL4UvgXE24hLROhnIKSDN1
X-Received: by 10.28.23.131 with SMTP id 125mr78195wmx.42.1497022203974; Fri, 09 Jun 2017 08:30:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.128.2 with HTTP; Fri, 9 Jun 2017 08:30:03 -0700 (PDT)
In-Reply-To: <CAO42Z2yMnqTwhSBzG9KX7Ln4x_ccoQHXodgU2DLFySx4DYTySA@mail.gmail.com>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com> <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com> <CALx6S36pQe3vJS8H2s3AJ8e5ZdLaKQh+_zeb_Vu+OkOVRYp2yA@mail.gmail.com> <CAO42Z2yMnqTwhSBzG9KX7Ln4x_ccoQHXodgU2DLFySx4DYTySA@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 09 Jun 2017 08:30:03 -0700
Message-ID: <CALx6S35GTuAY9_sagxgp-d1-ORZ_sLrZ78L-d5eAf6M1ddtObw@mail.gmail.com>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Erik Kline <ek@google.com>, 6man WG <ipv6@ietf.org>, Job Snijders <job@instituut.net>, Fernando Gont <fgont@si6networks.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/bu0x5iKLzRk86aY68bS5zXCzl5w>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 15:30:09 -0000

On Fri, Jun 9, 2017 at 1:18 AM, Mark Smith <markzzzsmith@gmail.com> wrote:
> Hi Tom,
>
> On 9 Jun. 2017 13:03, "Tom Herbert" <tom@herbertland.com> wrote:
>
> On Thu, Jun 8, 2017 at 7:46 PM, Mark Smith <markzzzsmith@gmail.com> wrote:
>> On 9 June 2017 at 03:17, Fernando Gont <fgont@si6networks.com> wrote:
>>> On 06/08/2017 02:41 PM, Lorenzo Colitti wrote:
>>>> On Wed, Jun 7, 2017 at 9:03 PM, Fernando Gont <fgont@si6networks.com
>>>> <mailto:fgont@si6networks.com>> wrote:
>>>>
>
> <snip>
>
>> This is about raising the security bar, and with manually configured
>> addresses with high entropy, or RFC7217 on routers and switches out of
>> the box, raising it by default. If the device can't be discovered, it
>> isn't possible to send a packet to it.
>>
> Mark,
>
> I don't quite understand this statement. Isn't is true that If I send
> a packet to any IID in the prefix for a device it will reach the
> device and be processed?
>
>
>
> Yes. You know the IID is valid at the point in time you send the packet,
> meaning the IID is in use by a device and the device can be targetted with
> an attack.
>
> This is mitigation against discovery of IIDs assigned to devices via
> probing, prior to launching the attack on the device.
>
> I'm pointing out that concerns about discovery of valid addresses on
> conventional hosts via probing can also be concerns for networking devices
> with IPv6 addresses as well, such as routers and switches, and that large
> entropy IIDs can provide them with an additional level of defence in depth
> that wasn't possible to have in IPv4. The control planes of networking
> devices are performing host functions too, so host security mitigations are
> applicable.
>
> Some seem to believe that network devices software/firmware is far more
> robust and they're universally configured far more securely such that
> limiting the exposure and discoverability of the devices' addresses provides
> no value. I think the links I provided earlier and the following links to
> network OS vulnerabilities shows that this isn't the case.
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-874/product_id-3989/Juniper-Junos.html
>
> https://www.cvedetails.com/vulnerability-list/vendor_id-16/product_id-19/Cisco-IOS.html
>
And wannacry exploits an OS vulnerability in Windows. I think the
intent of address randomization might be in the right place, but there
too many caveats to call this real security for hosts. As I said, when
we do host development we can never assume that every network
uniformly provides any in sort of security. It is prudent to assume
the opposite: the network is an untrusted entity, anyone can intercept
our packets, there is no firewall to protect us. Anything sent in the
clear, including IP addresses, should be considered as being exposed
to the whole world. If you want to hide something it needs to be
encrypted. This is the correct mindset to start with for building
robust and secure host implementations.

Tom

>
> Regards,
> Mark.
>
>
> I may not get a response because that's not
> the IID randomly chosen as the address of the device, but it still
> seems like that could be used for DOS (like a tuple attack on a NIC
> queue) if the prefix is discovered or predictable.
>
>
> Tom
>
>> If you choose to specifically lower device security against discovery
>> by putting routers in DNS, or allowing routers to respond to
>> traceroutes, you consciously know you're lowering it for the specific
>> device and can be vigilant when taking other measures to raise it
>> again (ACLs etc.)
>>
>> Note that I'm not saying this is the only security measure you should
>> have. It is an additional defence in depth measure that IPv6
>> addressing can provide to network infrastructure devices that IPv4
>> addressing could not.
>>
>> Regards,
>> Mark.
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>
>

v2.23.0 | Report a Bug | By Email