Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
Mark Smith <markzzzsmith@gmail.com> Fri, 09 June 2017 02:47 UTC
In-Reply-To: <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Fri, 09 Jun 2017 12:46:44 +1000
Message-ID: <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: Fernando Gont <fgont@si6networks.com>
Cc: Lorenzo Colitti <lorenzo@google.com>, Job Snijders <job@instituut.net>, Erik Kline <ek@google.com>, 6man WG <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/n5Ly6NX2nu86zdoyT0oy3R0eJu4>
On 9 June 2017 at 03:17, Fernando Gont <fgont@si6networks.com> wrote:
> On 06/08/2017 02:41 PM, Lorenzo Colitti wrote:
>> On Wed, Jun 7, 2017 at 9:03 PM, Fernando Gont <fgont@si6networks.com
>> <mailto:fgont@si6networks.com>> wrote:
>> <snip>
>
> The point is that when employing manual configuration, addresses always
> have small entropy. Hence employing a lot of bits doesn't buy much,
> because folks simply do not use them for additional entropy.
>

So I was specifically talking about network infrastructure devices benefiting from large entropy in 64-bit IIDs.

My view comes from slides like this one, showing in 2012 there were 268 000 Cisco IOS devices SNMP exposed to the Internet with a 'public' community, and 18 000 with 'private'.

https://speakerdeck.com/hdm/derbycon-2012-the-wild-west?slide=54

Cisco IOS devices obviously aren't hosts. People have very successfully scanned for and discovered devices that network operators should be securing.

Here's more recent similar data from 2016. Much better, however still a lot of targets.

https://www.shodan.io/report/mTVIRLZi

I'm not aware of similar data for other network equipment vendors. Cisco is going to be the biggest target.

This is about raising the security bar, and with manually configured addresses with high entropy, or RFC7217 on routers and switches out of the box, raising it by default. If the device can't be discovered, it isn't possible to send a packet to it.

If you choose to specifically lower device security against discovery by putting routers in DNS, or allowing routers to respond to traceroutes, you consciously know you're lowering it for the specific device and can be vigilant when taking other measures to raise it again (ACLs etc.)

Note that I'm not saying this is the only security measure you should have. It is an additional defence in depth measure that IPv6 addressing can provide to network infrastructure devices that IPv4 addressing could not.

Regards,
Mark.
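The contrast the thread is arguing about, low-entropy manual IIDs versus RFC 7217 stable IIDs, can be made concrete in code. The following is an added example, not part of Mark Smith's message and not any vendor's implementation: it audits how many IID bits a manual addressing plan actually uses, and derives an RFC 7217 style IID for a router interface. RFC 7217 leaves the PRF F to the implementation; HMAC-SHA256 as F, the byte encoding of the inputs, the `net_iface` and `network_id` strings, the documentation prefix 2001:db8::/64 and the key bytes are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress

IID_MASK = (1 << 64) - 1

# Interface identifiers an RFC 7217 implementation must not hand out:
# the all-zero subnet-router anycast IID (RFC 4291), the IANA Ethernet
# block and the subnet anycast range reserved by RFC 5453.
RESERVED_IIDS = [
    (0x0000000000000000, 0x0000000000000000),
    (0x02005EFFFE000000, 0x02005EFFFEFFFFFF),
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),
]


def is_reserved_iid(iid: int) -> bool:
    """True if the IID falls in a reserved range (RFC 7217 then bumps DAD_Counter)."""
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)


def stable_iid(prefix: str, net_iface: str, network_id: str,
               secret_key: bytes, dad_counter: int = 0) -> int:
    """RFC 7217 style stable IID.

    RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); the IID is
    taken from the RID bits.  HMAC-SHA256 as F and the input encoding below are
    choices made for this example, not something RFC 7217 mandates.
    """
    if len(secret_key) < 16:
        raise ValueError("RFC 7217 requires a secret key of at least 128 bits")
    net = ipaddress.IPv6Network(prefix, strict=False)
    while True:
        msg = (net.network_address.packed[:8]        # the /64 prefix
               + net_iface.encode() + b"\x00"        # interface name
               + network_id.encode() + b"\x00"       # e.g. SSID or a site label
               + dad_counter.to_bytes(4, "big"))
        rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
        iid = int.from_bytes(rid[:8], "big")
        if not is_reserved_iid(iid):
            return iid
        dad_counter += 1   # reserved value hit: retry with the next counter


def address_from_iid(prefix: str, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit IID into a textual address."""
    if not 0 <= iid <= IID_MASK:
        raise ValueError("IID must fit in 64 bits")
    net = ipaddress.IPv6Network(prefix, strict=False)
    upper = int(net.network_address) & ~IID_MASK
    return str(ipaddress.IPv6Address(upper | iid))


def manual_plan_iid_bits(addresses) -> int:
    """Number of low-order IID bits a manual addressing plan actually uses.

    This is the size of the space that has to be covered to find every
    address in the plan: ::1 .. ::ff uses 8 bits of the 64 available.
    """
    iids = [int(ipaddress.IPv6Address(a)) & IID_MASK for a in addresses]
    return max(iids).bit_length()


if __name__ == "__main__":
    # Constructed sample data: a typical hand-numbered router subnet.
    manual = ["2001:db8:0:1::1", "2001:db8:0:1::2", "2001:db8:0:1::a"]
    print("manual plan uses", manual_plan_iid_bits(manual), "of 64 IID bits")
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed, not a real key
    iid = stable_iid("2001:db8:0:1::/64", "eth0", "core-lan", key)
    print("RFC 7217 style address:", address_from_iid("2001:db8:0:1::/64", iid))
```

Running the script on the sample plan reports 4 bits for the manual scheme against 64 for the derived IID, which is the gap the message describes: the derived address is stable across reboots (same prefix, interface, network id and key give the same IID), but it does not fall in the small range that hand-numbered plans cluster in.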