Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Jen Linkova <furry13@gmail.com> Fri, 19 October 2018 12:22 UTC

MIME-Version: 1.0
References: <153973137181.9473.10666616544238076833@ietfa.amsl.com> <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com>
In-Reply-To: <092346e1-6350-e54e-e711-9c5ee6dc4e6b@gmail.com>
From: Jen Linkova <furry13@gmail.com>
Date: Fri, 19 Oct 2018 23:22:16 +1100
Message-ID: <CAFU7BASO_ByzbanhLKnWV280O_fASd-8W+ujpj3sN6d2-whw2w@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/kE6mqK2zIi8LIgxj3eai_YXQHxc>

Speaking as a network operator: the more I think about this draft, the
more I like it.
It looks like the main concern is potential attack vectors. However...

1) IPv6-only network (== a network which is configured by the
network administrator as IPv6-only): I do not see any security issues
here. Actually, signalling to hosts that IPv4 could be disabled might
even reduce the attack surface (one less protocol to be attacked from
on-link). An attacker might send a rogue RA and *enable* IPv4 on hosts, but
obviously RA Guard should be deployed on v6-only networks. In other
words, there is nothing which could be done with that flag which could
not be done w/o it.

2) Dual-stack networks. As in such a network there will be at least
one router sending an RA w/o that flag, I could not see an attack vector
here.

3) IPv4-only network. This is the most tricky part.
3.1) A device accidentally configured as IPv6-only sends an RA
with a GUA PIO and advertises itself as a default gateway. Happy
Eyeballs might help for systems which support it;
3.2) An attacker intentionally sets up an IPv6 router on an IPv4-only
network. It should be noted that in the case of an intentional attack
Happy Eyeballs would not help at all, as nothing would prevent an
attacker from responding, for example, to a TCP SYN. It's even worse if you
think about RDNSS etc. Basically, intentional RA-based attacks on
v4-only networks are much worse than just 'turn off v4 anyway';
3.3) A device accidentally configured as IPv6-only sends an RA with
the v6-only flag set. Well, not as bad as 3.2, worse than 3.1. However, it
would require an explicit action from the device admin (as the flag
needs to be explicitly configured). And the easy solution? Routers in
v4-only networks need to support v6 and send RAs with the flag set to
0 (as well as a zero default router lifetime) - might help with rogue
RAs too..

Obviously, this draft does not make the situation worse for the
malicious/rogue router scenario. An attacker can easily do more
damage w/o this flag if RA Guard is not deployed. The only concerning
case seems to be accidentally configured devices. Maybe it would help
to say that the host SHOULD ignore the flag if the RA does not contain
a GUA PIO?


Another thing: it looks like there is a real need to implement IPv6
security even on v4-only networks. Sounds like a v6ops scope draft (or
maybe there is one already? I'm happy to draft something if it does not exist).

On Wed, Oct 17, 2018 at 12:40 PM Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> Hi,
>
> We've attempted in this version to respond to the comments received during WGLC.
>
> The most important change is this:
>       *  Reorganized text about problem statement and applicability
> We hope the new text makes it clear how the solution relates to other
> solutions (layer 2 filtering or using a DHCPv4 option).
>
> There are a number of other changes:
>       *  Added note about shortage of flag bits
>       *  Clarified text about logging configuration error in Section 6
>       *  Editorial changes.
>
> Regards
>     Brian + Bob
>
>
>
> -------- Forwarded Message --------
> Subject: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
> Date: Tue, 16 Oct 2018 16:09:31 -0700
> From: internet-drafts@ietf.org
> Reply-To: internet-drafts@ietf.org, ipv6@ietf.org
> To: i-d-announce@ietf.org
> CC: ipv6@ietf.org
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the IPv6 Maintenance WG of the IETF.
>
>         Title           : IPv6 Router Advertisement IPv6-Only Flag
>         Authors         : Robert M. Hinden
>                           Brian Carpenter
>         Filename        : draft-ietf-6man-ipv6only-flag-03.txt
>         Pages           : 12
>         Date            : 2018-10-16
>
> Abstract:
>    This document specifies a Router Advertisement Flag to indicate to
>    hosts that the administrator has configured the router to advertise
>    that the link is IPv6-Only.  This document updates RFC5175.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6only-flag/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-6man-ipv6only-flag-03
> https://datatracker.ietf.org/doc/html/draft-ietf-6man-ipv6only-flag-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-ipv6only-flag-03
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------



-- 
SY, Jen Linkova aka Furry
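The host-side rule proposed above (act on the IPv6-Only flag only when the RA also carries a GUA PIO) as a worked example. This is added illustration code, not part of Jen's message, the draft, or any implementation. It assumes a bit position for the IPv6-Only flag inside the RA Flags octet (mask 0x02, a placeholder; check the draft for the assigned bit) and adds one extra check that the message itself does not propose: an RA with a zero Router Lifetime (the "safe" RA Jen suggests routers on v4-only networks should send) never triggers IPv4 shutdown. The sample RAs are constructed inline with a zero ICMPv6 checksum, which the parser deliberately does not verify.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
# ASSUMPTION for this example: the IPv6-Only flag lives at mask 0x02 of the
# RA Flags octet (RFC 5175 layout: M=0x80 O=0x40 H=0x20 Prf=0x18 P=0x04).
# The draft assigns the real bit; substitute it here.
IPV6_ONLY_FLAG_MASK = 0x02
GUA = ipaddress.IPv6Network("2000::/3")


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 s4.2) plus its PIOs.

    Checksum is not verified (it needs the IPv6 pseudo-header); malformed
    options are rejected the way RFC 4861 s5.3 requires (zero length, truncated).
    """
    if len(payload) < 16:
        raise ValueError("RA too short")
    icmp_type, code, _csum, _hlim, flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, _preferred = struct.unpack("!BBII", payload[off + 2:off + 12])
            prefixes.append({
                "prefix": ipaddress.IPv6Address(payload[off + 16:off + 32]),
                "length": plen,
                "valid_lifetime": valid,
                "autonomous": bool(pflags & 0x40),  # A bit: usable for SLAAC
            })
        off = end
    return {
        "ipv6_only": bool(flags & IPV6_ONLY_FLAG_MASK),
        "router_lifetime": router_lifetime,
        "prefixes": prefixes,
    }


def has_gua_pio(ra: dict) -> bool:
    """True if the RA advertises at least one live global-unicast prefix."""
    return any(p["prefix"] in GUA and p["valid_lifetime"] > 0 for p in ra["prefixes"])


def should_disable_ipv4(ra: dict) -> bool:
    """Host policy: honour the IPv6-Only flag only when the sender also offers
    a GUA PIO (the rule suggested in the thread) and is actually a default
    router (non-zero Router Lifetime; this second check is the example's own
    addition, so the 'flag 0 + lifetime 0' RA from a v4-only router is inert)."""
    if not ra["ipv6_only"] or ra["router_lifetime"] == 0:
        return False
    return has_gua_pio(ra)


def build_ra(flags: int, router_lifetime: int, prefixes=()) -> bytes:
    """Construct a sample RA (checksum left as 0) for the scenarios below."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64,
                      flags, router_lifetime, 0, 0)
    opts = b""
    for prefix, plen, valid in prefixes:
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, 0xC0,
                            valid, valid, 0)
        opts += ipaddress.IPv6Address(prefix).packed
    return hdr + opts


# Constructed samples (RFC 3849 documentation prefix), one per scenario in the thread.
RA_3_1_ACCIDENTAL_NO_FLAG = build_ra(0x00, 1800, [("2001:db8:1::", 64, 2592000)])
RA_3_3_FLAG_NO_PIO = build_ra(IPV6_ONLY_FLAG_MASK, 1800, [])
RA_3_3_FLAG_ULA_ONLY = build_ra(IPV6_ONLY_FLAG_MASK, 1800, [("fd00:db8::", 64, 2592000)])
RA_V4ONLY_ROUTER_SAFE = build_ra(0x00, 0, [])
RA_GENUINE_V6ONLY = build_ra(IPV6_ONLY_FLAG_MASK, 1800, [("2001:db8:1::", 64, 2592000)])

if __name__ == "__main__":
    for name, pkt in [("3.1", RA_3_1_ACCIDENTAL_NO_FLAG), ("3.3 no PIO", RA_3_3_FLAG_NO_PIO),
                      ("3.3 ULA only", RA_3_3_FLAG_ULA_ONLY), ("v4-only router", RA_V4ONLY_ROUTER_SAFE),
                      ("genuine v6-only", RA_GENUINE_V6ONLY)]:
        print(f"{name:16s} disable IPv4: {should_disable_ipv4(parse_ra(pkt))}")
```

Only the last sample leads the host to drop IPv4; the misconfigured and rogue cases from 3.1 and 3.3 fall through to the existing behaviour, which is exactly the point of the "ignore the flag without a GUA PIO" rule.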