Re: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations
Gyan Mishra <hayabusagsm@gmail.com> Tue, 22 December 2020 14:23 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E12EF3A10D2; Tue, 22 Dec 2020 06:23:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ACstx0BomsF; Tue, 22 Dec 2020 06:23:04 -0800 (PST)
Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 181003A10CE; Tue, 22 Dec 2020 06:23:04 -0800 (PST)
Received: by mail-pj1-x102d.google.com with SMTP id b5so1427277pjk.2; Tue, 22 Dec 2020 06:23:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PFoJUOmP7FC3QCpOfL3xuqQCxdqGYGcSWAoWtXdchD8=; b=oZeqFipycvx9AjVlREPBMXDl273DJoJTg1HR2tHfV07ergiCnynmQnS+aUsl38U0iU gVKBq52TT1pyoKleqN+nPZyUeodeUSAe6NIJt6Rakhef63VVJc/XPauk1qEe2/uE/5UW Ki/oYMUFwlIVriUmsE80q1pYKdvJqbqMQia63FEPYObBT89MerrLdKjJ7YqIGUPmbLwT hczNBpPtONqhqYnmAXV5m0g9DrLIJgsM19CaeBJ8oEwNVOjUDiDjBKVmmu/lY5NHhFeP tpI4nadvnboGypmDn3APZsEoodyK+1M1zhZulBsSH1qTLmW+UWEOWwTGxYXY2HfvqeZf igmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PFoJUOmP7FC3QCpOfL3xuqQCxdqGYGcSWAoWtXdchD8=; b=YK/jIUdxVSkrqSGC1DyGtA+EAsopEdRSaE7TYgSAWBHl/1XV/J4hePMZlDIHeM2tFr SUG4DSaEuVMQo7k47coDTDrdxrW+/XXi5w3KWlLJzcgHLvHfmS9izPJIHOXAdwIw8ToL Jp3jI5B7Mv0debBGNjM94y97e4y7h3NoXDJF/sCZpXHLAbzi55Ya3+h5zEUibbY2JAGZ g6UHoSwNOYxhF4QzWtot9vYflxTIHF1wEucRLl4bozpqgGZn+B45u3ZMCRnUfbfzBsyj 78Vfl/7BpnjbLtXkr4XSbRZ6qir5wR4N2U1D9oYecznAomaRz5A2ivUjkaBuufFORriu s4AA==
X-Gm-Message-State: AOAM532m1HTHFsS0skYmZtiAKhvLeGeZkMjChdivhFfZ7teaz6020zwf e6hlIFlX0wHJoivmOQb8CyrEyv1KC7T178i2U0s=
X-Google-Smtp-Source: ABdhPJw+KermSZomlGbEWhN1BE/T5vTt7LQeirNOO7fVGcUh37FvfNxkuRJHA92UHzQN+1DhzbhTnHA0zJut9jR+l14=
X-Received: by 2002:a17:90a:6809:: with SMTP id p9mr21664843pjj.112.1608646983526; Tue, 22 Dec 2020 06:23:03 -0800 (PST)
MIME-Version: 1.0
References: <87a5f7330de54a968b34d199d4d40f19@huawei.com> <CAL9jLaYvXOo2WK+hNNw3AvrWt19m9UWBhy8ubv7uaz5qGv=F4A@mail.gmail.com> <cdadade293a8494eb69b14e2c502aba5@huawei.com>
In-Reply-To: <cdadade293a8494eb69b14e2c502aba5@huawei.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Tue, 22 Dec 2020 09:22:52 -0500
Message-ID: <CABNhwV2x2tVp4gBn7cHLtdA-tz+RoFE0PUMAcW_cv00V=ecLNA@mail.gmail.com>
Subject: Re: Overview of IPv6 first-hop issues and solutions - was: RE: IPv6 first-hop risks and threats and mitigations
To: Xipengxiao <xipengxiao@huawei.com>
Cc: 6man Chairs <6man-chairs@ietf.org>, Christopher Morrow <christopher.morrow@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000005aeb005b70e5027"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/wPvvVshUpUxDe9p06SviN3TB-Jk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2020 14:23:07 -0000
On Tue, Dec 22, 2020 at 3:25 AM Xipengxiao <xipengxiao@huawei.com> wrote: > Hi Christopher, > > >> there's a set of things other than just ra-guard in their document > lists. > > Understood. I used "RA-guard(+)" as an example. There are also the SAVI > related works. > > >> it'd be good to see perhaps a threat-analysis document and from that > smoe requirements discussion. as I noted in a different mail I guess while > whacking at fires around the camp fernando/jen have hit some highlights, > but there could be useful (threat analysis/etc) done still and cleanup of > the remaining problems. > > Good suggestion. Will try to work out a skeleton during the holiday break > and send to the ML. Again, if anybody is interested in participating in > this, please contact us. So far we have Pascal, Eduard Metz, and myself. Gyan> I would be interested in first hop IPv6 security. This is a critical topic for all operators. > > > Happy holidays and stay safe! > > XiPeng > > -----Original Message----- > From: Christopher Morrow [mailto:christopher.morrow@gmail.com] > Sent: Monday, December 21, 2020 7:29 PM > To: Xipengxiao <xipengxiao@huawei.com> > Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Nabil Benamar < > benamar73@gmail.com>; Pascal Thubert (pthubert) <pthubert= > 40cisco.com@dmarc.ietf.org>; 6man Chairs <6man-chairs@ietf.org>; > ipv6@ietf.org > Subject: Re: Overview of IPv6 first-hop issues and solutions - was: RE: > IPv6 first-hop risks and threats and mitigations > > On Fri, Dec 18, 2020 at 5:28 AM Xipengxiao <xipengxiao@huawei.com> wrote: > > > > Hi Christopher, > > > > Firstly I assume that by "work Fernando / Jen" you meant RA-guard(+) / > Grand. If you are talking about something else please let me know. I want > to make sure that we are talking about the same things. > > > > there's a set of things other than just ra-guard in their document lists. > > > With that assumption, my answer to your question is: > > > > I think ND has some issues, e.g. (1) trust model - ND trust all messages > (2) heavily utilizing multicast (3) not considering sleeping nodes (4) > reactive not proactive. This is because ND was designed many years ago > when many things like smartphones, Wi-Fi didn't exist. Fernando/Jen's > works solved (1) & (4), Pascal's WiND (arguably) solved all these issues. > But it changed ND fundamentally. Should it be used only in wireless > environment or both wireless & wired environment? Recently Ole also > published a P2P Ethernet draft to deal with (2). Long story short, I don't > think Fernando/Jen have solved all the issues. There are many different > solutions, each with its pros and cons. > > > > Furthermore, first-hop protocols are more than ND. There are also > SLAAC, DHCPv6 etc. They also have some unsolved issues. Variable SLAAC, > universal-ra-option-04 are examples to deal with those issues. > > > > sure. > > > So in summary, I (and several other people in the WG) think there are > issues in various first-hop protocols. Some are solved, some are not. For > those solved issues, the solutions have pros and cons. All of these are > dispersed in many RFCs/drafts. We believe it's helpful to summarize all > the first-hop issues, and compare the solutions, in a single document. > This is just like Eric's draft-ietf-opsec-v6-21 summarize many IPv6 > security issues into a single document. We believe this would provide an > opportunity for the WG to discuss the issues and existing solutions, and to > decide the next steps. For this reason, I've changed the subject to > reflect our intention more accurately. We in fact have a table of content > reflecting some early thoughts of this work. If anybody is interested > please drop me a line. We will send the TOC to you, and we welcome your > participation. > > > > it'd be good to see perhaps a threat-analysis document and from that smoe > requirements discussion. as I noted in a different mail I guess while > whacking at fires around the camp fernando/jen have hit some highlights, > but there could be useful (threat analysis/etc) done still and cleanup of > the remaining problems. > > > Thanks and happy holidays to all! > > > > XiPeng > > > > > > > > -----Original Message----- > > From: Christopher Morrow [mailto:christopher.morrow@gmail.com] > > Sent: Thursday, December 17, 2020 6:29 PM > > To: Xipengxiao <xipengxiao@huawei.com> > > Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Nabil Benamar > > <benamar73@gmail.com>; Pascal Thubert (pthubert) > > <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs > > <6man-chairs@ietf.org>; ipv6@ietf.org > > Subject: Re: IPv6 first-hop risks and threats and mitigations > > > > I thought this was work Fernando Gont / Jen Linkova already undertook... > or had already taking some large steps to cover at any rate. > > Were their docs not helpful here? > > > > On Wed, Dec 16, 2020 at 3:37 PM Xipengxiao <xipengxiao@huawei.com> > wrote: > > > > > > Hi Michael, > > > > > > > > > > > > >> So, the idea being to write down the issues, give the attacks > names, and then clarify what defenses we have already and how well they > work? > > > > > > > > > > > > Yes. Are you interested in working on this together? Happy holidays! > > > > > > > > > > > > XiPeng > > > > > > > > > > > > -----Original Message----- > > > From: Michael Richardson [mailto:mcr+ietf@sandelman.ca] > > > Sent: Monday, November 23, 2020 1:24 AM > > > To: Xipengxiao <xipengxiao@huawei.com>; Nabil Benamar > > > <benamar73@gmail.com>; Pascal Thubert (pthubert) > > > <pthubert=40cisco.com@dmarc.ietf.org>; 6man Chairs > > > <6man-chairs@ietf.org>; ipv6@ietf.org > > > Subject: IPv6 first-hop risks and threats and mitigations > > > > > > > > > > > > > > > > > > Xipengxiao <xipengxiao@huawei.com> wrote: > > > > > > > I also think that it’s a good piece of work, and shouldn’t be > given up. > > > > > > > > > > > > > I would also like to take this opportunity to propose that the > > > WG start > > > > > > > a “problem statement of IPv6 first-hop protocols” draft. The > > > rationale > > > > > > > is: many IPv6 first-hop protocols like ND, SLAAC were designed > > > long > > > > > > > time ago; many things have changed over the years, e.g. the > > > advent of > > > > > > > wireless, mobility, IoT, overlays; lately there are multiple > > > drafts > > > > > > > trying to fix various issues in a number of IPv6 first-hop > > > protocols, > > > > > > > including: > > > > > > > > > > > > So, the idea being to write down the issues, give the attacks names, > and then clarify what defenses we have already and how well they work? > > > > > > > > > > > > -- > > > > > > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT > consulting ) > > > > > > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > -------------------------------------------------------------------- > > > IETF IPv6 working group mailing list ipv6@ietf.org Administrative > > > Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > > -------------------------------------------------------------------- > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -- <http://www.verizon.com/> *Gyan Mishra* *Network Solutions A**rchitect * *M 301 502-134713101 Columbia Pike *Silver Spring, MD
- Overview of IPv6 first-hop issues and solutions -… Xipengxiao
- Re: Overview of IPv6 first-hop issues and solutio… Christopher Morrow
- RE: Overview of IPv6 first-hop issues and solutio… Xipengxiao
- Re: Overview of IPv6 first-hop issues and solutio… Gyan Mishra