Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 19 October 2018 19:47 UTC

Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
To: ipv6@ietf.org
References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com> <CAFU7BASO_ByzbanhLKnWV280O_fASd-8W+ujpj3sN6d2-whw2w@mail.gmail.com> <CACWOCC-u7aAPwAOcixYvt2On=-o_8X25GhqdXTfA+tWRC1o2XA@mail.gmail.com> <alpine.DEB.2.20.1810191534430.26856@uplift.swm.pp.se> <422E06B9-8A68-4905-9901-7F4E201ADAB2@employees.org> <alpine.DEB.2.20.1810191557270.26856@uplift.swm.pp.se> <alpine.DEB.2.20.1810191604200.26856@uplift.swm.pp.se> <CABB810B-A895-4D1E-ABD8-DA8CA699F056@steffann.nl> <CAFU7BAR1a=DQ_A390Px3jeh=yhSYWLAhQUmn73Qe2ve8DEXutA@mail.gmail.com> <1E09561E-5604-49D5-A725-76CE09B080CD@steffann.nl>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <2b2adaad-d8c9-ea05-eb08-f0ed6987d9ed@gmail.com>
Date: Sat, 20 Oct 2018 08:47:12 +1300
In-Reply-To: <1E09561E-5604-49D5-A725-76CE09B080CD@steffann.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/dmRBlXrUu-Xfkkv7iwNDBgnsxKg>

Sander,

A single packet containing a forged RA with the v6-only flag set cannot take
down a network. The condition is that a host sees *only* RAs with the flag
set. The opposite applies: a single RA with the v6-only flag *clear* tells
all hosts that they may try IPv4 as much as they want.

As the draft says, if a bad actor takes over all IPv6 routers on the link,
then they can break IPv4, but so what? They can break anything.

Regards
   Brian

On 2018-10-20 06:09, Sander Steffann wrote:
> Hi,
> 
>> All those people can take the whole network (almost) down with a
>> single packet w/o the v6-only flag anyway.
>> How about this:
>> - kids/students/disgruntled employees/you can send an RA with GUA PIO
>> and RDNSS option;
>> - hosts start sending IPv6 traffic to IPv6-enabled destinations to the
>> rogue host;
>> - it would be enough for the attacker to respond with SYN/ACK to TCP
>> handshake to take Happy Eyeballs out of the picture for TCP traffic;
> 
> And here you go beyond "a single packet".
> 
>> - the attacker can also answer DNS requests and make the situation
>> even worse (if the victims prefer to use RDNSS servers);
> 
> Same here.
> 
>>> Such networks have no capacity for debugging anyway, and because of the low number of packets necessary to sustain the attack won't know what hit them. ISPs will get calls about the internet being broken, ICT consultants will spend hours searching for the cause of the problem, they will all blame "that annoying IPv6 thingy" etc etc etc. Let's avoid all of that.
>>
>> I agree we shall avoid all of that. But the way to do this is not by
>> setting/unsetting some flags in RAs but by implementing proper IPv6
>> security.
> 
> The world of SMBs and home networks is not like that... The vast majority of SMBs don't even have a manageable switch.
> 
> Cheers
> Sander
> 
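The rule Brian states above (a host drops IPv4 only while every RA it currently sees carries the IPv6-Only flag, and a single RA with the flag clear re-enables IPv4) as a host-side model. This is an added illustration, not code from the draft or from any IPv6 stack. The per-router bookkeeping keyed on the RA source address and expired with the RFC 4861 Router Lifetime is an assumption about how a host would implement the rule; the flag's bit position in the RA is not modelled, and the router addresses and lifetimes are constructed sample input.

```python
"""Host-side model of the proposed IPv6-Only RA flag.

Added illustration; not the draft's text or any stack's implementation.
Assumed semantics: per advertising router, the host remembers the last
value of the flag and the Router Lifetime; IPv4 is disabled only while
*all* known, unexpired routers have the flag set.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class RouterAdvertisement:
    src: str              # link-local source address of the RA (constructed)
    v6only: bool          # the IPv6-Only flag; bit position not modelled
    router_lifetime: int  # seconds, as in RFC 4861; 0 withdraws the router


class Host:
    """Tracks, per router, when its state expires and its last flag value."""

    def __init__(self) -> None:
        self._routers: Dict[str, Tuple[float, bool]] = {}

    def receive_ra(self, ra: RouterAdvertisement, now: float) -> None:
        if ra.router_lifetime == 0:
            # RFC 4861: lifetime 0 withdraws the router; forget its flag too
            # (assumption: flag state lives with default-router state).
            self._routers.pop(ra.src, None)
            return
        self._routers[ra.src] = (now + ra.router_lifetime, ra.v6only)

    def _expire(self, now: float) -> None:
        stale = [src for src, (exp, _) in self._routers.items() if exp <= now]
        for src in stale:
            del self._routers[src]

    def ipv4_enabled(self, now: float) -> bool:
        self._expire(now)
        if not self._routers:
            return True  # no router said anything: nothing turns IPv4 off
        return not all(flag for _, flag in self._routers.values())


def forged_flag_set_vs_live_router() -> bool:
    """Dual-stack net: legit router flag clear, one forged RA with flag set.
    Returns True: the legitimate RA keeps IPv4 enabled."""
    h = Host()
    h.receive_ra(RouterAdvertisement("fe80::1", False, 1800), now=0)
    h.receive_ra(RouterAdvertisement("fe80::bad", True, 1800), now=1)
    return h.ipv4_enabled(now=2)  # True


def forged_flag_clear_vs_v6only_network() -> bool:
    """IPv6-only net: legit router flag set, one forged RA with flag clear.
    Returns True: a single clear flag re-enables IPv4 for the host."""
    h = Host()
    h.receive_ra(RouterAdvertisement("fe80::1", True, 1800), now=0)
    assert not h.ipv4_enabled(now=1)  # flag honoured while only R1 is seen
    h.receive_ra(RouterAdvertisement("fe80::bad", False, 1800), now=1)
    return h.ipv4_enabled(now=2)  # True


def forged_flag_set_after_legit_router_goes_silent() -> bool:
    """The case the draft concedes: the attacker must be the only router the
    host still sees. Legit router stops advertising and its lifetime runs
    out; the rogue keeps refreshing its flag-set RA. Returns False."""
    h = Host()
    h.receive_ra(RouterAdvertisement("fe80::1", False, 1800), now=0)
    h.receive_ra(RouterAdvertisement("fe80::bad", True, 1800), now=1)
    h.receive_ra(RouterAdvertisement("fe80::bad", True, 1800), now=1700)
    return h.ipv4_enabled(now=1900)  # False: only the rogue's state remains


if __name__ == "__main__":
    print("forged set, legit router alive :", forged_flag_set_vs_live_router())
    print("forged clear on v6-only net    :", forged_flag_clear_vs_v6only_network())
    print("forged set, legit router silent:", forged_flag_set_after_legit_router_goes_silent())
```

The third scenario is the one to watch when reasoning about the flag: a single forged RA with the flag set does nothing while a legitimate router is still heard, but an attacker who can silence that router (or simply outlast its Router Lifetime on a link where it has stopped advertising) ends up as the only router state the host holds, which is exactly the "takes over all IPv6 routers" condition in the reply.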