Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Kerry Lynn <kerlyn@ieee.org> Thu, 30 June 2022 14:19 UTC

From: Kerry Lynn <kerlyn@ieee.org>
Date: Thu, 30 Jun 2022 10:19:01 -0400
Message-ID: <CABOxzu1VvoGY+Lc5iw81vV+-k98YvDzSYgfzJOxt6Sc04+0+WQ@mail.gmail.com>
Subject: Re: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
To: Carsten Bormann <cabo@tzi.org>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, Stuart Cheshire <cheshire@apple.com>, Bob Hinden <bob.hinden@gmail.com>, 6man <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/nhH2koKlpt3LrOzbdjVIWf1rrVA>

On Thu, Jun 30, 2022 at 12:45 AM Carsten Bormann <cabo@tzi.org> wrote:

> On 30. Jun 2022, at 06:40, Brian E Carpenter <brian.e.carpenter@gmail.com>
> wrote:
> >
> > For the present draft, one thing my small experiment shows is that we
> won't make things worse by adding zone identifiers to URLs. They too have
> to be guessed by the attacker, and in modern Linux they are things like
> "enxb813ebc170a4" out of the box. That makes the attacker's job
> significantly harder.
>
> Do you know how enxb813ebc170a4 is generated?  (I.e., is the 48-bit thing
> in there guessable?)
>
> I think I agree with the conclusion (at least, that it is quite
> hard/costly/lengthy to mount an attack based on this), but I think that it
> would be good to get a clean argument for that in the security
> considerations.
>
> Is it sufficient to say there are easier ways to gather LL host addresses?

Maybe I'm missing something, but for LL address scanning mustn't the attacker already be on the link? Isn't it simpler to deploy a passive scanner and just glean active LL addresses?

Note there are 6lo data links (e.g. RFC 8163) where SLAAC address construction is done with many fewer than 48 bits. My argument there was to use 64-bit opaque IDs for globally-routable addresses, but short IDs for LL addresses to make better use of header compression. I didn't state the latter recommendation was also because I felt sniffing on the link was trivial.

See also RFC 8605, where I encouraged Dave Thaler to distinguish between on- and off-link attacks.

Kerry

> Regards, Carsten
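The thread's question is what a URL carrying a zone identifier such as `[fe80::1%25enxb813ebc170a4]` actually exposes. The following is an added illustration (not code from the draft or from anyone in the thread) that parses such a host the way RFC 6874's `IPv6addrz` syntax requires and decodes the `enx` name, which under systemd's MAC-based interface naming is simply "enx" followed by the 48-bit MAC in hex; the `describe` helper and the sample URL host are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import unquote

# RFC 6874 host syntax: IPv6addrz = IPv6address "%25" ZoneID,
# ZoneID = 1*( unreserved / pct-encoded ).  A bare "%" is not allowed in a URL.
ZONEID_RE = re.compile(r'^(?:[A-Za-z0-9\-._~]|%[0-9A-Fa-f]{2})+$')
# systemd MAC-based naming scheme: "enx" + 12 lowercase hex digits of the MAC.
ENX_RE = re.compile(r'^enx([0-9a-f]{12})$')


def split_ipv6_literal(host):
    """Parse a bracketed URL host into (IPv6Address, zone id or None).

    Raises ValueError for a malformed address, a bare '%' separator, or a
    zone id that violates the RFC 6874 ZoneID syntax.
    """
    if not (host.startswith('[') and host.endswith(']')):
        raise ValueError('not a bracketed IPv6 literal')
    inner = host[1:-1]
    addr_text, sep, zone = inner.partition('%25')
    if not sep and '%' in inner:
        raise ValueError("zone separator must be percent-encoded as '%25'")
    addr = ipaddress.IPv6Address(addr_text)  # rejects garbage before the zone
    if not sep:
        return addr, None
    if not ZONEID_RE.match(zone):
        raise ValueError('zone id violates RFC 6874 ZoneID syntax')
    return addr, unquote(zone)


def mac_from_zone(zone):
    """Return the MAC embedded in a systemd 'enx...' name, else None."""
    m = ENX_RE.match(zone)
    if m is None:
        return None
    digits = m.group(1)
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def describe(url_host):
    """Hypothetical helper: summarise what a URL host with a zone id encodes."""
    addr, zone = split_ipv6_literal(url_host)
    return {
        'address': str(addr),
        'link_local': addr.is_link_local,
        'zone': zone,
        'zone_mac': mac_from_zone(zone) if zone else None,
    }


if __name__ == '__main__':
    # Constructed sample built from the interface name quoted in the thread.
    print(describe('[fe80::1%25enxb813ebc170a4]'))
```

The decoded result makes the point concrete for the security considerations: with an `enx` name, the zone id adds exactly the interface's MAC to what a remote script would need to know, and nothing a parser can do changes that.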