IETF Logo Mail Archive

Re: 6MAN Agenda for IETF86

Nalini Elkins <nalini.elkins@insidethestack.com> Tue, 05 March 2013 15:54 UTC

Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 453A221F8606 for <ipv6@ietfa.amsl.com>; Tue, 5 Mar 2013 07:54:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.18
X-Spam-Level:
X-Spam-Status: No, score=-1.18 tagged_above=-999 required=5 tests=[AWL=-0.381, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_21=0.6, J_CHICKENPOX_34=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BmAKzYzmSF1x for <ipv6@ietfa.amsl.com>; Tue, 5 Mar 2013 07:53:59 -0800 (PST)
Received: from nm12-vm0.access.bullet.mail.sp2.yahoo.com (nm12-vm0.access.bullet.mail.sp2.yahoo.com [98.139.44.126]) by ietfa.amsl.com (Postfix) with ESMTP id C2BD721F897A for <ipv6@ietf.org>; Tue, 5 Mar 2013 07:53:52 -0800 (PST)
Received: from [98.139.44.104] by nm12.access.bullet.mail.sp2.yahoo.com with NNFMP; 05 Mar 2013 15:53:52 -0000
Received: from [98.139.44.86] by tm9.access.bullet.mail.sp2.yahoo.com with NNFMP; 05 Mar 2013 15:53:52 -0000
Received: from [127.0.0.1] by omp1023.access.mail.sp2.yahoo.com with NNFMP; 05 Mar 2013 15:53:52 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 320005.44798.bm@omp1023.access.mail.sp2.yahoo.com
Received: (qmail 30941 invoked by uid 60001); 5 Mar 2013 15:53:51 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1362498831; bh=lUytstOjA/tZUXfEg/fOlj6XMb+HpjrRpF4bDj2tqYY=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=OZg5qmtKg7tVT2Fwp4qI3I9/Efmm9XBc7fqseR9olYGouhKT7TiR91kIDxh7A02Cmkrnoy+Xl2D7uK52AJs4592hhnh+iw5CSp9XxM85GR1+AQyAI36ufuNFXWGrLCrjhbskbMJeaoeeo25K4vQYnL282VKJtfqP88k1kaUYvWs=
X-YMail-OSG: Own9EVgVM1kGQ8Bg53OuK95Is4NSIkY2wzJ96dKoTS2CUAM N6M4Hoj82kwBuMDcsA6Ayr2rfWX0mWEWAX9TJoTD7cyRyXrFD0Ah0Ne8lezS QkSc182Pckc0fgwyb040KdNQPiD7ZPy4qD7oEh62.OP6uKO2wdzbBzd2fN5s zQmxkvizJc12pbTmXmahDsG1CiUhUYblp649adHrMq5tAI27gkw5EiQm6DbA 9SVJeeHHskKLqTggOvlmbf4BONYoe0LzB0y.SCDAbjbFF923XoAvuGv.X0xU BSLCpepEJq0AoIGzuoqobyMMtPR04CL9lRsm6fLv4cV4g_xh99dAmXvZSobC OhnOVAarCr3OBDKoUgaYmz0NKC9YOyowbJ6QPKXrA0nAzv2YpymDHuldTiFy LiOtHf.YnZVDTGZo93r5s3Am3Lu9qMzjZeLue.opuxgcXyrqZuibZHKEmLGJ btUtwJijYGlGeD2xp6_PlHbF8idXf1tI0tez4bpLuD1e9Q7.BYECy4aIVKkU orguOqlS3B6vcXolcLrf3fRBOLTDs_RMJeJK0JK2fGyAOp7a5tZC9TmDqdqQ 0nHbXXfbomui.TeT9F.rpNuDn04NDNcMOOEruOBM4uMhNZok6qNO2wLqx8Ee rAZmjqqDnQl95jfYeDYv_UUS9q5tCFp24ywyEIXzec6QSD2ujSYeSUqHNiFh iBbB9vK5AbrqA9sXbvcFH6jYJcP496ObEcnoatk111Ay8
Received: from [24.130.37.147] by web2806.biz.mail.ne1.yahoo.com via HTTP; Tue, 05 Mar 2013 07:53:51 PST
X-Rocket-MIMEInfo: 001.001, SG9zbmllaCwKClZlcnkgaW50ZXJlc3RpbmchIMKgV2Ugb3Vyc2VsdmVzIGFyZSB3b3JraW5nIG9uIHRoZSBzYW1lIHByb2plY3QhIMKgQSB0b29sa2l0IHRvIGhlbHAgcGVvcGxlIHByb3RlY3QgdGhlbXNlbHZlcyBhZ2FpbnN0IElQdjYgYXR0YWNrcy4gwqBJIHRoaW5rIHRoZSB0aW1lIGhhcyBkZWZpbml0ZWx5IGNvbWUuCgpQbGVhc2UgY29udGFjdCBtZSBvZmZsaW5lIGlmIHlvdSB3b3VsZCBsaWtlIHRvIGNvbGxhYm9yYXRlLgrCoApUaGFua3MsCgoKTmFsaW5pIEVsa2lucwpJbnNpZGUgUHJvZHVjdHMsIEkBMAEBAQE-
X-Mailer: YahooMailWebService/0.8.135.514
References: <7EE61AD6-2E54-4F17-BBFD-30BE77F7E782@gmail.com> <1362476231.3387.278.camel@karl> <1362490400.37136.YahooMailNeo@web2805.biz.mail.ne1.yahoo.com> <5135F5CA.1090207@gmail.com> <006801ce19a9$0ff8bcd0$2fea3670$@com> <51360424.5030504@gmail.com> <1362497088.22505.YahooMailNeo@web2805.biz.mail.ne1.yahoo.com> <007301ce19b8$25a3c610$70eb5230$@com>
Message-ID: <1362498831.4741.YahooMailNeo@web2806.biz.mail.ne1.yahoo.com>
Date: Tue, 05 Mar 2013 07:53:51 -0800
From: Nalini Elkins <nalini.elkins@insidethestack.com>
Subject: Re: 6MAN Agenda for IETF86
To: Hosnieh Rafiee <ietf@rozanak.com>
In-Reply-To: <007301ce19b8$25a3c610$70eb5230$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: 'Alexandru Petrescu' <alexandru.petrescu@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Nalini Elkins <nalini.elkins@insidethestack.com>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2013 15:54:00 -0000

Hosnieh,

Very interesting!  We ourselves are working on the same project!  A toolkit to help people protect themselves against IPv6 attacks.  I think the time has definitely come.

Please contact me offline if you would like to collaborate.
 
Thanks,


Nalini Elkins
Inside Products, Inc.
(831) 659-8360
www.insidethestack.com



----- Original Message -----
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Nalini Elkins' <nalini.elkins@insidethestack.com>
Cc: ipv6@ietf.org; 'Alexandru Petrescu' <alexandru.petrescu@gmail.com>; 'Karl Auer' <kauer@biplane.com.au>
Sent: Tuesday, March 5, 2013 7:43 AM
Subject: RE: 6MAN Agenda for IETF86

Dear Nalini,

Yes. That RFC is an old RFC that explained the most probable attacks that
could be used against ND. This is the main reason that ND is not at all
secure and the people who think that just privacy is enough (like what was
just implemented in windows) are making a big mistake.

In our lab we are currently working on devising possible attacks against
IPv6 networks in order to find ways of preventing them. We hope to be able
to provide the necessary tools to provide the security necessary to use
against these many different types of attack. 

Thank you,
Hosnieh

-----Original Message-----
From: Nalini Elkins [mailto:nalini.elkins@insidethestack.com] 
Sent: Dienstag, 5. März 2013 16:25
To: Alexandru Petrescu; Hosnieh Rafiee; Karl Auer
Cc: ipv6@ietf.org
Subject: Re: 6MAN Agenda for IETF86

Guys,

I am going to go back and review "IPv6 Neighbor Discovery (ND) Trust Models
and Threats: RFC 3756"

http://datatracker.ietf.org/doc/rfc3756/

For all who think that ND and RA in particular does not have problems, here
is a UTube video of a hacker at work using RA.

http://www.youtube.com/watch?v=TfsfNWHCKK0

Next, there is an interesting web site: http://www.thc.org/thc-ipv6/

You can see the "interesting" tools available:

dnssecwalk - performs NSEC walking including Iv6+IPv4 resolving
firewall6 - various TCP/UDP ACL bypass test cases
fake_pim6 - send fake hello and join/prune pim messages
ndpexhaust26 - very performant ndp exhauster based on ICMP error toobig
messages but can send many types of packets
alive6: ranges are now supported in the input file too
parasite6: enhancements to make it way more effective
fake_router26: added overlap RA guard evasion type (-E o, -E O)
dos-new-ip6: fix that only DAD replies are sent, not full NDP spoofing
flood_router26: Added local LAN privacy extension prevention attack
randicmp6: - added function which dumps icmp answers received - added
funtionality to send a specific type (and also code)
dnsdict6: added SRV result address resolving

and others.

I will review all drafts with the above in mind.

Thanks,

Nalini Elkins
Inside Products, Inc.
(831) 659-8360
www.insidethestack.com



________________________________
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
To: Hosnieh Rafiee <ietf@rozanak.com>
Cc: ipv6@ietf.org
Sent: Tuesday, March 5, 2013 6:41 AM
Subject: Re: 6MAN Agenda for IETF86

Hosnieh,

I would have to read the draft and feed back about SSAS.

Some of the drafts I mentioned (ND-PD) were presented to 6MAN meeting in
Atlanta, and discussed on the email list.  One of the drafts
(draft-jhlee-mext-mnpp-00) is considered at ISO, but I dont know its status.

Another draft which generates IID from VIN (Vehicular Identification
Number) we discussed recently in the 6MAN email list is:
draft-imadali-its-vinipv6-viid-00.txt

We don't have a WG about vehicular communications but we have an email list
ITS for Intelligent Transportation Systems (ietf.org/mailman/listinfo/its). 
We discuss a Charter proposal there.

Alex

Le 05/03/2013 14:55, Hosnieh Rafiee a écrit :
> In the latest version of my draft RFC,SSAS, l have provided 
> information about using SSAS for mobile nodes and I have specified the 
> sections of the RFCs that can use this mechanism. So maybe this can 
> prove useful for vehicular communication too. Are the drafts that you 
> mentioned discussed in 6man? I have not seen any discussions about 
> them. Maybe I missed it. If it is in another WG, would you please tell 
> me which one?
>
> Thanks, Hosnieh
>
>
>
> -----Original Message----- From: ipv6-bounces@ietf.org 
> [mailto:ipv6-bounces@ietf.org] On Behalf Of Alexandru Petrescu Sent:
> Dienstag, 5. März 2013 14:40 To: ipv6@ietf.org Subject: Re: 6MAN 
> Agenda for IETF86
>
> ND security is an important topic.
>
> Let me explain why.
>
> We consider the use of ND over 802.11p links for vehicular  
>communications. These links dont have ESSID nor link-layer security.
>  (it is not clear whether it is legal to run IP straight over  80211p, 
>being "safety apps") but once it becomes clear the security  question 
>comes up.
>
> (ND drafts for vehicular communications:
> draft-petrescu-autoconf-ra-based-routing draft-kaiser-nd-pd-01
> draft-jhlee-mext-mnpp-00)
>
> The security of ND on these links needs to be fast and easy to set up.
>
> Alex
>
> Le 05/03/2013 14:33, Nalini Elkins a écrit :
>> Karl,
>>
>> I definitely agree that ND needs to be secured.  Also agree that 
>> neither IPSec nor SEND are viable solutions.
>>
>> I do not know if I am missing something but I have not seen a 
>> comprehensive document with these problems detailed.  I certainly 
>> don't have a solution but I have been trying to at least catalog such 
>> problems.   If there is such a document, would appreciate anyone 
>> letting me know.
>>
>> If there isn't, if you would like, we can collaborate on such a 
>> document and create a draft for the IETF meeting in Berlin. Maybe 
>> v6Ops is a place to discuss this topic.  Once many at IETF agree that 
>> indeed there is a problem, then we can discuss a potential solution. 
>> Thanks,
>>
>> Nalini Elkins Inside Products, Inc. (831) 659-8360 
>> www.insidethestack.com
>>
>> ---------------------------------------------------------------------
>> -
>>
>>
>>
--
>>
>>
> *From:* Karl Auer <kauer@biplane.com.au>
>> *To:* ipv6@ietf.org *Sent:* Tuesday, March 5, 2013 1:37 AM
>> *Subject:* Re: 6MAN Agenda for IETF86
>>
>> On Mon, 2013-03-04 at 16:02 -0800, Bob Hinden wrote:
>>> A Simple Secure Addressing Generation Scheme for IPv6  
>>>AutoConfiguration draft-rafiee-6man-ssas-01.txt [...]  DHCPv6/SLAAC 
>>>Address Configuration Interaction Problem Statement
>>>  draft-liu-bonica-dhcpv6-slaac-problem-01.txt
>>>
>>> We did not think there had been enough discussion or interest on the 
>>> w.g. list to guarantee a speaking slot.  We allocated short slots at 
>>> the end of the session if there is time before the meeting ends.  If 
>>> anyone (other than the authors) think one of these should be given 
>>> more time, please speak up.
>>
>> For what it's worth it seems to me that there is a gaping hole around 
>> securing ND. IPSec is obviously ridiculous, SEND is only marginally 
>> less ridiculous. Maybe SSAS is a way forward? Or maybe noone else 
>> thinks ND needs to be secured? Maybe the meeting could attempt to 
>> gauge whether this is actually a real problem. I think it is, and I 
>> urge others to speak up if they too think this should be pursued.
>>
>> If there is a priority to these things, then sorting out the 
>> perceived and actual discrepancies\ and ambiguities in the meaning of 
>> the RA M and O flags would seem pretty important. Otherwise they will 
>> end up cemented into even more implementations than they are now. The 
>> way Windows handles them is just plain broken, and if the RFCs 
>> support that way of handling them, then the RFCs are broken. At very 
>> least this topic needs some impetus.
>>
>> Regards, K.
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> ~
>>
>>
>>
~
>>
>>
> Karl Auer (kauer@biplane.com.au <mailto:kauer@biplane.com.au>)
>> http://www.biplane.com.au/kauerhttp://www.biplane.com.au/blog
>>
>> GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A 
>> Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
>>
>>
>> --------------------------------------------------------------------
>>
>>
>>
IETF IPv6 working group mailing list ipv6@ietf.org
>> <mailto:ipv6@ietf.org> Administrative Requests:
>> https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>>
>>
>>
>>
>>
>>
--------------------------------------------------------------------
>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative
>> Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>
>>
>>
>
> --------------------------------------------------------------------
>  IETF IPv6 working group mailing list ipv6@ietf.org Administrative
> Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>
>


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------  

v2.23.0 | Report a Bug | By Email