Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations

Xipengxiao <xipengxiao@huawei.com> Fri, 18 December 2020 10:29 UTC

From: Xipengxiao <xipengxiao@huawei.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, Nabil Benamar <benamar73@gmail.com>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, 6man Chairs <6man-chairs@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations
Date: Fri, 18 Dec 2020 10:28:53 +0000
Message-ID: <87a5f7330de54a968b34d199d4d40f19@huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/fJU5dN0TliVYkRwsZf-Umo6HQDk>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Hi Christopher,

Firstly I assume that by "work Fernando / Jen" you meant RA-guard(+) / Grand.  If you are talking about something else please let me know.  I want to make sure that we are talking about the same things.

With that assumption, my answer to your question is:

I think ND has some issues, e.g. (1) trust model - ND trusts all messages; (2) heavy use of multicast; (3) no consideration of sleeping nodes; (4) reactive rather than proactive.  This is because ND was designed many years ago, when many things like smartphones and Wi-Fi didn't exist.  Fernando/Jen's work solved (1) & (4); Pascal's WiND (arguably) solved all these issues, but it changed ND fundamentally.  Should it be used only in wireless environments, or in both wireless & wired environments?  Recently Ole also published a P2P Ethernet draft to deal with (2).  Long story short, I don't think Fernando/Jen have solved all the issues.  There are many different solutions, each with its pros and cons.

Furthermore, first-hop protocols are more than ND.  There are also SLAAC, DHCPv6, etc.  They also have some unsolved issues.  Variable SLAAC and universal-ra-option-04 are examples of attempts to deal with those issues.

So in summary, I (and several other people in the WG) think there are issues in various first-hop protocols.  Some are solved, some are not.  For the solved issues, the solutions have pros and cons.  All of this is dispersed across many RFCs/drafts.  We believe it's helpful to summarize all the first-hop issues, and compare the solutions, in a single document.  This is just like Eric's draft-ietf-opsec-v6-21, which summarizes many IPv6 security issues in a single document.  We believe this would provide an opportunity for the WG to discuss the issues and existing solutions, and to decide the next steps.   For this reason, I've changed the subject to reflect our intention more accurately.  We in fact have a table of contents reflecting some early thoughts on this work.  If anybody is interested please drop me a line.  We will send the TOC to you, and we welcome your participation.

Thanks and happy holidays to all!

XiPeng 



-----Original Message-----
From: Christopher Morrow [mailto:christopher.morrow@gmail.com] 
Sent: Thursday, December 17, 2020 6:29 PM
To: Xipengxiao <xipengxiao@huawei.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
Subject: Re: IPv6 first-hop risks and threats and mitigations

I thought this was work Fernando Gont / Jen Linkova had already undertaken... or had already taken some large steps to cover, at any rate.
Were their docs not helpful here?

On Wed, Dec 16, 2020 at 3:37 PM Xipengxiao <xipengxiao@huawei.com> wrote:
>
> Hi Michael,
>
> >> So, the idea being to write down the issues, give the attacks names, and then clarify what defenses we have already and how well they work?
>
> Yes.  Are you interested in working on this together?  Happy holidays!
>
> XiPeng
>
> -----Original Message-----
> From: Michael Richardson [mailto:mcr+ietf@sandelman.ca]
> Sent: Monday, November 23, 2020 1:24 AM
> To: Xipengxiao <xipengxiao@huawei.com>; Nabil Benamar <benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; ipv6@ietf.org
> Subject: IPv6 first-hop risks and threats and mitigations
>
> Xipengxiao <xipengxiao@huawei.com> wrote:
>
>     > I also think that it’s a good piece of work, and shouldn’t be given up.
>
>     > I would also like to take this opportunity to propose that the WG start a “problem statement of IPv6 first-hop protocols” draft.  The rationale is: many IPv6 first-hop protocols like ND, SLAAC were designed long time ago; many things have changed over the years, e.g. the advent of wireless, mobility, IoT, overlays;  lately there are multiple drafts trying to fix various issues in a number of IPv6 first-hop protocols, including:
>
> So, the idea being to write down the issues, give the attacks names, and then clarify what defenses we have already and how well they work?
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
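Editor's added example, not part of the thread above and not code from any of the drafts it mentions. XiPeng's point (1) is that ND itself trusts every Router Advertisement that arrives on the link; the switch-side mitigation he refers to as RA-Guard (RFC 6105) works by deciding, per ingress port, whether an RA is allowed through at all. The block below builds constructed RA packets, applies the RFC 4861 receive-side validation a host performs (hop limit 255, link-local source, valid checksum and option lengths) and then an RA-Guard-style policy in the spirit of RFC 6105's stateless mode. The port names, the allowed-prefix list and the policy data structure are assumptions chosen for the example; they are not part of any standard.

```python
"""RA-Guard-style filtering of IPv6 Router Advertisements (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6 = 58                      # IPv6 next-header value for ICMPv6 (RFC 8200)
ND_ROUTER_ADVERTISEMENT = 134    # ICMPv6 type (RFC 4861)
OPT_PREFIX_INFORMATION = 3       # ND option type (RFC 4861)


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """RFC 8200 upper-layer checksum: pseudo-header + ICMPv6 message."""
    data = src + dst + struct.pack("!I3xB", len(payload), ICMPV6) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, prefixes, hop_limit: int = 255, router_lifetime: int = 1800) -> bytes:
    """Constructed RA (IPv6 header + ICMPv6 body) to ff02::1, used as sample input."""
    s = ipaddress.IPv6Address(src).packed
    d = ipaddress.IPv6Address("ff02::1").packed
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type, length (8-octet units), prefix length, L|A flags, valid, preferred, reserved, prefix
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    # type, code, checksum(0), cur hop limit, M|O flags, router lifetime, reachable, retrans
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0) + opts
    body = body[:2] + struct.pack("!H", icmpv6_checksum(s, d, body)) + body[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit) + s + d
    return hdr + body


def parse_ra(packet: bytes) -> dict:
    """Decode an RA and apply the RFC 4861 section 6.1.2 validity checks; ValueError if any fails."""
    if len(packet) < 56 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh, hlim = struct.unpack("!HBB", packet[4:8])
    src, dst = packet[8:24], packet[24:40]
    body = packet[40:40 + plen]
    if nh != ICMPV6 or len(body) < 16 or body[0] != ND_ROUTER_ADVERTISEMENT or body[1] != 0:
        raise ValueError("not a Router Advertisement")
    if hlim != 255:
        raise ValueError("hop limit %d != 255: packet did not originate on this link" % hlim)
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("source address is not link-local")
    expected = icmpv6_checksum(src, dst, body[:2] + b"\x00\x00" + body[4:])
    if expected != struct.unpack("!H", body[2:4])[0]:
        raise ValueError("bad ICMPv6 checksum")
    prefixes, off = [], 16
    while off < len(body):              # walk TLV options; zero length is an attack/garbage
        otype, olen = body[off], body[off + 1]
        if olen == 0 or off + olen * 8 > len(body):
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            pfx = int.from_bytes(body[off + 16:off + 32], "big")
            prefixes.append(ipaddress.IPv6Network((pfx, body[off + 2])))
        off += olen * 8
    return {"src": str(ipaddress.IPv6Address(src)),
            "router_lifetime": struct.unpack("!H", body[6:8])[0],
            "prefixes": prefixes}


@dataclass(frozen=True)
class RaGuardPolicy:
    router_ports: frozenset      # assumed switch-port names where a router is expected
    allowed_prefixes: tuple      # prefixes a legitimate router may advertise (assumed)


def ra_guard(packet: bytes, ingress_port: str, policy: RaGuardPolicy):
    """Return ("accept" | "drop", reason). Plain ND would accept every packet passed here."""
    if ingress_port not in policy.router_ports:
        return "drop", "RA received on non-router port %s" % ingress_port
    try:
        ra = parse_ra(packet)
    except ValueError as err:
        return "drop", str(err)
    allowed = [ipaddress.IPv6Network(p) for p in policy.allowed_prefixes]
    for p in ra["prefixes"]:
        if not any(p.subnet_of(a) for a in allowed):
            return "drop", "advertised prefix %s not in allowed list" % p
    return "accept", "RA from %s, router lifetime %ds" % (ra["src"], ra["router_lifetime"])


# Constructed sample traffic (assumed addresses, prefixes and port names).
POLICY = RaGuardPolicy(frozenset({"uplink"}), ("2001:db8:1::/48",))
LEGIT_RA = build_ra("fe80::1", ["2001:db8:1:10::/64"])
ROGUE_RA = build_ra("fe80::dead", ["2001:db8:ffff::/64"])
OFF_LINK_RA = build_ra("fe80::1", ["2001:db8:1:10::/64"], hop_limit=64)

if __name__ == "__main__":
    for name, pkt, port in (("legit/uplink", LEGIT_RA, "uplink"),
                            ("legit/access7", LEGIT_RA, "access7"),
                            ("rogue/uplink", ROGUE_RA, "uplink"),
                            ("off-link/uplink", OFF_LINK_RA, "uplink")):
        print(name, ra_guard(pkt, port, POLICY))
```

The RFC 4861 checks alone (hop limit 255, link-local source) stop RAs that were forwarded from another segment, but not a host on the same segment sending them directly, which is exactly the trust-model gap the thread describes; that case is only caught by the port policy. Note that RFC 6105's own text warns that RAs hidden behind extension headers or in fragments can evade stateless guards, which is why RFC 7113 tightened the inspection rules; this example deliberately rejects anything whose first next-header is not ICMPv6 rather than trying to chase through extension headers.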