Re: [v6ops] SLAAC security concerns

Gert Doering <gert@space.net> Wed, 05 August 2020 18:25 UTC

Date: Wed, 05 Aug 2020 20:24:55 +0200
From: Gert Doering <gert@space.net>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Gert Doering <gert@space.net>, Vasilenko Eduard <vasilenko.eduard@huawei.com>, Michael Richardson <mcr+ietf@sandelman.ca>, 6man <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] SLAAC security concerns
Message-ID: <20200805182455.GF2485@Space.Net>
References: <f52c4463862f44b5ba2a9d41db86d231@huawei.com> <20200804194448.GA2485@Space.Net> <CAO42Z2x_AE=W2gQd4t3nZPVvGCxT3u0L0BCGJPZ0RFo+2m8Xbg@mail.gmail.com>
In-Reply-To: <CAO42Z2x_AE=W2gQd4t3nZPVvGCxT3u0L0BCGJPZ0RFo+2m8Xbg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/eV53dmmVSXi48wYiSD4TccT3kYU>

Hi,

On Wed, Aug 05, 2020 at 09:32:56AM +1000, Mark Smith wrote:
> Multicast also shifts and distributes state away from a central device.
> 
> A central device is a much bigger consequence point of failure, and is a
> harder thing to make redundant due to having to invent a state
> synchronisation and load selection or distribution method mechanism between
> a primary and one or more backup nodes.

This asks for "broadcast", not for "multicast".

To get any benefits from multicast, you now require that all the network
elements listen to MLD and understand which multicast packets to hand
where.  And keep state.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279