RE: New draft-vasilenko-6man-nd-mitm-protection-00.txt

[Vasilenko Eduard <vasilenko.eduard@huawei.com>]

Fernando,
> The point is that you simply can't address all ND-based MITM vectors -- basically
> because ND has been designed with the premise that you trust your neighbors.
Read the draft. I believe that rogue NA is blocked.

> Additionally, if you require layer-2 cooperation to address some of them, I'm not
> sure why you'd not require cooperation to address all of them.
No need for L2 cooperation for MITM based on rogue NA - it is solved just on ND level by current draft.

> Not sure what you mean: DHCP snooping is the equivalent of RA-guard.
No.
DHCP snooping creates ARP filtering table dynamically (for all ports).
RA-guard is static filter (router ports are at the stable location). RA-guard is very simple and easy to implement.

> Please see draft-ietf-opsec-nd-security.
OK. later

> However, you wither trust your neighbors, or you don't.
The life is in general not always black and white. Some things are more complicated (like distributed ND) - other possibilities exist.

Ed/
> -----Original Message-----
> From: Fernando Gont [mailto:fgont@si6networks.com]
> Sent: 28 сентября 2020 г. 14:03
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Fernando Gont
> <fernando@gont.com.ar>; ipv6@ietf.org
> Subject: Re: New draft-vasilenko-6man-nd-mitm-protection-00.txt
> 
> Hello, Eduard,
> 
> On 28/9/20 07:13, Vasilenko Eduard wrote:
> > Hi Fernando,
> >> If you consider RA-guard a mitigation for RA-based attacks, then,
> >> things like "First Hop Security"/ND inspection/SAVI would solve the ND
> counterpart.
> > I have not understood what you mean by "First Hop Security"/ND inspection" -
> it looks as very general term.
> 
> See e.g.:
> https://www.cisco.com/c/en/us/td/docs/ios-
> xml/ios/ipv6_fhsec/configuration/15-sy/ip6-nd-inspect.html
> 
> 
> 
> > I agree that SAVI deep assistance from L2 could be an alternative to
> > what I am proposing in the draft. But
> > - it is very complicated and expensive on switches, available only on
> > small portion of vendors
> > - it is better to fix L3 problem at L3 (if possible - I do not know
> > how to fix RA MITM without simple filtering on switch)
> > - 1st could be intruder, then SAVI would not block MITM: all users
> > (from other subnets) would contact server and show credentials to
> > intruder
> 
> The point is that you simply can't address all ND-based MITM vectors -- basically
> because ND has been designed with the premise that you trust your neighbors.
> 
> Additionally, if you require layer-2 cooperation to address some of them, I'm not
> sure why you'd not require cooperation to address all of them.
> 
> 
> 
> > I do not agree that IPv4 and IPv6 are equal on ND/ARP security.
> > IPv4 has DHCP - it is possible to snoop all messages and do filtering on the
> switch. It is simple and widely supported by switches.
> > IPv6 has no centralized authority to snoop, solution should be much more
> complex like SAVI. Hence, it is not widely supported by switch vendors.
> 
> Not sure what you mean: DHCP snooping is the equivalent of RA-guard.
> FHS is the equivalent of ARP policing.
> 
> 
> > Reference to "Trusted model" does not explain anything. Because this RFC has
> forgotten to document all attack vectors discussed in my current draft.
> 
> Please see draft-ietf-opsec-nd-security.
> 
> 
> 
> > Any MITM is the leakage if information, because man-in-the-middle is capable
> to record and even change it.
> 
> MITM does not necesarily imply information leakage.
> 
> 
> 
> > I do reference in the draft that encrypted authentication is the solution that
> supersede this draft by security protection.
> > Just one problem: it has been refused by the market.
> 
> Indeed.
> 
> However, you wither trust your neighbors, or you don't.
> 
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
>