Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Ted Lemon <mellon@fugue.com> Tue, 05 July 2022 14:50 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Tue, 05 Jul 2022 07:50:07 -0700
Message-ID: <CAPt1N1kKvbSa1DzYFmLF77xKty5VebpV4HCaPvMH9PQ8pF70eQ@mail.gmail.com>
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, 6man <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ksL_6rorFoIsd2dd39Vg8tQF8Rk>

Of course, if you try to attack an 802.15.4 network this way, it will
definitely be noticed, if only in the sense that your lights will stop
being controllable. But there you're going to have to guess the prefix of
the 802.15.4 network, so that's not a very likely attack anyway.

On Tue, Jul 5, 2022 at 7:47 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>     > The sweet spot seems to be about several thousand threads, which is
>     > impressive. I estimate from my observations that a carefully designed
>     > script could scan about 1000 addresses per second, without alarming the
>     > user that something was going on. That would amount to 585 million
>     > years to scan a 64 bit space, *but* only 4.6 hours to scan a 24 bit
>     > space. (All based on my very ordinary Windows laptop and home network.)
>
> So if the attacker is looking for a specific device with a known EUI, because
> they have a specific attack in mind against that device, then 4.6 hours.
> I leave some tabs open for weeks (Google calendar), but for many unusual
> ones, if you got me to open the tab just before going to bed, I might leave
> it open all night.
>
> PS: how long to scan all of RFC1918 space... 2^24 for 10.xx, and then far
>     less than double that for the rest of 172.16 and 192.168.x.y.
>
>     > That's interesting, because it means that there is no realistic risk if
>     > using a random 64 bit interface identifier, but a real exposure if
>     > using a Modified EUI, since many of the bits are guessable, as
>     > discussed in RFC 7707. The numbers above are clearly specific to a
>     > particular scenario, but we will mention this point in the draft
>     > (update coming very soon).
>
> I think that this part of the draft might become the most interesting
> argument for IPv6 for home IoT.
>
> I was thinking that if TLS was required each time, then it would be longer,
> but no point in trying TLS if the TCP SYN does not finish.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
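An added example, not part of the original messages: a small audit helper that flags host addresses whose interface identifier is a Modified EUI-64 and reports the sweep time at the 1000 addresses per second estimated in the thread. The sample addresses are constructed (documentation prefix and documentation MAC range), the function names are illustrative, and the 24-bit figure assumes the vendor OUI is already known.

```python
import ipaddress

SCAN_RATE = 1000  # addresses per second, the estimate quoted in the thread


def classify_iid(addr: str) -> dict:
    """Classify the interface identifier (low 64 bits) of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    # Modified EUI-64 built from a 48-bit MAC: ff:fe sits in the middle and
    # the universal/local bit (0x02 of the first byte) is inverted.
    # Heuristic: a random IID matches this pattern with probability 2^-16.
    if b[3:5] == b"\xff\xfe":
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
        # Assumption: the OUI is known, so only the 24 device bits remain.
        return {"kind": "modified-eui64", "mac": mac.hex(":"),
                "oui": mac[:3].hex(":"), "unknown_bits": 24}
    return {"kind": "opaque", "mac": None, "oui": None, "unknown_bits": 64}


def sweep_seconds(unknown_bits: int, rate: int = SCAN_RATE) -> float:
    """Time to try every value of the unknown bits at the given rate."""
    return (1 << unknown_bits) / rate


def audit(addresses):
    """Return (address, kind, sweep time in hours) for each address."""
    report = []
    for a in addresses:
        info = classify_iid(a)
        hours = sweep_seconds(info["unknown_bits"]) / 3600
        report.append((a, info["kind"], hours))
    return report


# Constructed sample inventory: 2001:db8::/32 is the documentation prefix,
# 00:00:5e:00:53:01 is from the documentation MAC range.
SAMPLE = [
    "2001:db8:1:2:200:5eff:fe00:5301",   # Modified EUI-64 from the MAC above
    "2001:db8:1:2:8d3c:71a4:e9b0:42f6",  # random-looking IID
]

if __name__ == "__main__":
    for addr, kind, hours in audit(SAMPLE):
        print(f"{addr:40} {kind:15} {hours:.3g} h to sweep")
```
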