Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt

Sander Steffann <sander@steffann.nl> Fri, 19 October 2018 17:32 UTC

Subject: Re: I-D Action: draft-ietf-6man-ipv6only-flag-03.txt
X-Clacks-Overhead: GNU Terry Pratchett
From: Sander Steffann <sander@steffann.nl>
In-Reply-To: <CAFU7BARPapatJHnc-uVXmv6ou-NdMgsm6f5tHPG_zG1CC5LD0A@mail.gmail.com>
Date: Fri, 19 Oct 2018 19:32:42 +0200
Cc: Mikael Abrahamsson <swmike@swm.pp.se>, 6man <ipv6@ietf.org>
Message-Id: <4A04549E-393A-467C-9308-4DCED7FEC495@steffann.nl>
To: Jen Linkova <furry13@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/sRYqv5lpDYD4aC4Z8qKGunYX8lQ>

Hi,

>>> - it would be enough for the attacker to respond with SYN/ACK to TCP
>>> handshake to take Happy Eyeballs out of the picture for TCP traffic;
>> 
>> And here you go beyond "a single packet".
> 
> I don't think so. A single packet is enough to redirect all v6 traffic
> to the attacker.

Yes, but to prevent Happy Eyeballs from working: "it would be enough for the attacker to respond with SYN/ACK".

>>> I agree we shall avoid all of that. But the way to do this is not by
>>> setting/unsetting some flags in RAs but by implementing proper IPv6
>>> security.
>> 
>> The world of SMBs and home networks is not like that... The vast majority of SMBs don't even have a manageable switch.
> 
> Oh in that case they don't even need an RA to make the network unusable.
> Rogue DHCP server etc.

Again, not a single packet but a much more active attack.

Cheers,
Sander
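As an added illustration of the "single packet" case discussed in this thread (not code from the thread or from the draft): a small Router Advertisement parser that flags RAs whose source is not an allow-listed router, which is the kind of check an RA-monitoring tool on an unmanaged segment can make. The allowlist address, the frame layout helper and the hypothetical `fe80::bad` source are constructed for the example; it assumes no IPv6 extension headers and does not verify the ICMPv6 checksum.

```python
import ipaddress
import struct

# Constructed allowlist: link-local addresses of the routers that should be
# sending RAs on this segment (hypothetical value).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

def parse_ra(frame: bytes):
    """Return the RA fields of an Ethernet frame, or None if it is not an RA.
    Assumes no IPv6 extension headers and does not verify the checksum."""
    if len(frame) < 14 + 40 + 16:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x86DD:   # EtherType IPv6
        return None
    ip6 = frame[14:54]
    if ip6[6] != 58:                                      # Next Header ICMPv6
        return None
    icmp = frame[54:]
    if icmp[0] != 134:                                    # ICMPv6 type: RA
        return None
    # RA body after type/code/checksum: cur hop limit, flags, router lifetime
    hop_limit, flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    return {
        "src": ipaddress.IPv6Address(ip6[8:24]),
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "other": bool(flags & 0x40),
        "preference": (flags >> 3) & 0x3,   # RFC 4191 Prf: 1=high, 0=medium, 3=low
        "router_lifetime": lifetime,
    }

def classify_ra(frame: bytes) -> str:
    """Flag RAs whose source is not an allow-listed router."""
    ra = parse_ra(frame)
    if ra is None:
        return "not-ra"
    return "trusted" if ra["src"] in TRUSTED_ROUTERS else "untrusted-ra"

def build_ra(src: str, lifetime: int, flags: int = 0) -> bytes:
    """Construct a minimal RA frame in memory for testing (checksum left 0)."""
    eth = b"\x33\x33\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x01" + b"\x86\xdd"
    ip6 = struct.pack("!IHBB", 0x60000000, 16, 58, 255)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    return eth + ip6 + icmp
```

In practice the frames come from a capture on the segment, and an untrusted RA with a high router preference or a non-zero lifetime is the one worth alerting on, since that is what pulls default-route traffic away from the real router.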