Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

Mark Smith <markzzzsmith@gmail.com> Fri, 09 June 2017 02:47 UTC

In-Reply-To: <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 09 Jun 2017 12:46:44 +1000
Message-ID: <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: Fernando Gont <fgont@si6networks.com>
Cc: Lorenzo Colitti <lorenzo@google.com>, Job Snijders <job@instituut.net>, Erik Kline <ek@google.com>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/n5Ly6NX2nu86zdoyT0oy3R0eJu4>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

On 9 June 2017 at 03:17, Fernando Gont <fgont@si6networks.com> wrote:
> On 06/08/2017 02:41 PM, Lorenzo Colitti wrote:
>> On Wed, Jun 7, 2017 at 9:03 PM, Fernando Gont <fgont@si6networks.com
>> <mailto:fgont@si6networks.com>> wrote:
>>
<snip>
>
> The point is that when employing manual configuration, addresses always
> have small entropy. Hence employing a lot of bits doesn't buy much,
> because folks simply do not use them for additional entropy.
>

So I was specifically talking about network infrastructure devices
benefiting from large entropy in 64 bit IIDs.

My view comes from slides like this one, showing in 2012 there were
268 000 Cisco IOS devices SNMP exposed to the Internet with a
'public' community, and 18 000 with 'private'.

https://speakerdeck.com/hdm/derbycon-2012-the-wild-west?slide=54

Cisco IOS devices obviously aren't hosts. People have very
successfully scanned for and discovered devices that network operators
should be securing.

Here's more recent similar data from 2016. Much better, but there are
still a lot of targets.

https://www.shodan.io/report/mTVIRLZi


I'm not aware of similar data for other network equipment vendors.
Cisco is going to be the biggest target.

This is about raising the security bar, and with manually configured
addresses with high entropy, or RFC7217 on routers and switches out of
the box, raising it by default. If the device can't be discovered, it
isn't possible to send a packet to it.

If you choose to specifically lower device security against discovery
by putting routers in DNS, or allowing routers to respond to
traceroutes, you consciously know you're lowering it for the specific
device and can be vigilant when taking other measures to raise it
again (ACLs, etc.).

Note that I'm not saying this is the only security measure you should
have. It is an additional defence-in-depth measure that IPv6
addressing can provide to network infrastructure devices that IPv4
addressing could not.

Regards,
Mark.
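To make the entropy argument in this exchange concrete, here is an added worked example (not code from Mark's email, the 6man drafts, or any vendor's implementation) of the RFC 7217 stable, semantically opaque IID scheme the message proposes for routers and switches "out of the box", alongside the scan-space comparison between a low-entropy manual IID plan and a full 64-bit one. RFC 7217 leaves the PRF F() unspecified beyond requiring a strong hash; SHA-256 over the concatenated inputs, the string form of `Net_Iface`, a 4-byte big-endian `DAD_Counter` and the RFC 5453 reserved-IID table are all assumptions of this example. The DAD failure is simulated by passing a set of addresses already in use.

```python
import hashlib
import ipaddress
import math
from typing import FrozenSet, Tuple

# RFC 5453 reserved IID ranges (inclusive, as 64-bit ints); an IID landing here
# must be rejected and regenerated with the next DAD_Counter value.
RESERVED_IIDS = [
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0x02005EFFFE000000, 0x02005EFFFE005212),  # IANA Ethernet block
    (0x02005EFFFE005214, 0x02005EFFFEFFFFFF),  # reserved
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast (RFC 2526)
]
IID_MASK = (1 << 64) - 1


def is_reserved_iid(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes,
                dad_counter: int, secret_key: bytes) -> int:
    """F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) -> 64-bit IID.
    SHA-256 is the assumed PRF; the input encoding is this example's own."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    if pfx.prefixlen != 64:
        raise ValueError("RFC 7217 IIDs are generated for /64 prefixes")
    h = hashlib.sha256()
    h.update(pfx.network_address.packed[:8])      # the 64-bit prefix
    h.update(net_iface.encode("utf-8"))            # stable interface identifier
    h.update(network_id)                           # optional, e.g. SSID; empty on routers
    h.update(dad_counter.to_bytes(4, "big"))       # incremented on DAD failure
    h.update(secret_key)                           # per-device secret, never leaves the box
    return int.from_bytes(h.digest()[:8], "big")   # leftmost 64 bits of the output


def stable_privacy_address(prefix: str, net_iface: str, secret_key: bytes,
                           network_id: bytes = b"",
                           in_use: FrozenSet[ipaddress.IPv6Address] = frozenset(),
                           max_retries: int = 3) -> Tuple[ipaddress.IPv6Address, int]:
    """Return (address, dad_counter): the first candidate that is neither a
    reserved IID nor already present on the link (simulated DAD)."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    for counter in range(max_retries + 1):
        iid = rfc7217_iid(prefix, net_iface, network_id, counter, secret_key)
        addr = ipaddress.IPv6Address(int(pfx.network_address) | iid)
        if is_reserved_iid(iid) or addr in in_use:
            continue  # RFC 7217: bump DAD_Counter and try again
        return addr, counter
    raise RuntimeError("DAD retries exhausted for %s on %s" % (prefix, net_iface))


def scan_space_ratio(manual_iid_bits: float, random_iid_bits: int = 64) -> float:
    """How many times larger the search space is for a random 64-bit IID than for
    a manual scheme whose IIDs span only manual_iid_bits of entropy.
    E.g. a plan that numbers routers ::1 .. ::ffff has 16 bits -> ratio 2**48."""
    return 2.0 ** (random_iid_bits - manual_iid_bits)


def manual_scheme_bits(distinct_iids: int) -> float:
    """Entropy (bits) of a manual plan that ever uses distinct_iids different IIDs."""
    return math.log2(distinct_iids)


if __name__ == "__main__":
    key = bytes(range(16))  # constructed demo key; a real device uses a CSPRNG
    a1, c1 = stable_privacy_address("2001:db8:1::/64", "GigabitEthernet0/0", key)
    a2, _ = stable_privacy_address("2001:db8:2::/64", "GigabitEthernet0/0", key)
    print("same device, two prefixes:", a1, a2)  # IIDs differ, so no cross-net correlation
    a3, c3 = stable_privacy_address("2001:db8:1::/64", "GigabitEthernet0/0", key,
                                    in_use=frozenset({a1}))
    print("after a DAD collision the counter moved to", c3, "->", a3)
    print("search-space ratio vs ::1..::ffff plan: 2^%d" %
          int(math.log2(scan_space_ratio(manual_scheme_bits(0xffff)))))
```

Two properties are worth noting in the output: the same interface gets unrelated IIDs on different prefixes (the property that stops a router being tracked across renumbering or between links), yet reboots reproduce the same address because nothing in F() changes, which is what makes the scheme usable on infrastructure that ACLs and monitoring refer to by address.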