IETF Logo Mail Archive

Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)

Tom Herbert <tom@herbertland.com> Fri, 09 June 2017 03:03 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A139D1200F3 for <ipv6@ietfa.amsl.com>; Thu, 8 Jun 2017 20:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M1t2ElfcLbJH for <ipv6@ietfa.amsl.com>; Thu, 8 Jun 2017 20:03:36 -0700 (PDT)
Received: from mail-wr0-x234.google.com (mail-wr0-x234.google.com [IPv6:2a00:1450:400c:c0c::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1736D127286 for <ipv6@ietf.org>; Thu, 8 Jun 2017 20:03:33 -0700 (PDT)
Received: by mail-wr0-x234.google.com with SMTP id v111so25041518wrc.3 for <ipv6@ietf.org>; Thu, 08 Jun 2017 20:03:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SL1lSfNnR9onmBE+2R5xK2sL1I5d/4sNt2d4pCNmXsE=; b=nL6rSa1QhHRpsdiLmgx2lH83iE/Ho+380KocK2RQ9TdjJSTyZV8YnV8S7wQCQoTJ5O Zf3PzcN3PHnb/5730d2+GygNYC5m0aWf4xb9ixROowVgvwOHI8vnBkyAH41TAB90Dm4A +iaKCXL88GnqDLw++cCMr33UisXWW+Y8d7adPV3f35Pro6nPI0wyLKpbfBdmQgRcvP1i uEW7jGsmsbsN7nF0b3qaV/uyTgos3qQetLHvRGEPVOFUpkbXJMkDaG0YdWQaXbNtazYS 9fceTS2vPZpRc0gA6IOGVG3pVE5HtUDAsD4XhIo4dld6nBmGb96T5QwWjCX8rY7Wav68 P3vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SL1lSfNnR9onmBE+2R5xK2sL1I5d/4sNt2d4pCNmXsE=; b=QkPyt6z/+zM2f4Nlkuw0skHRim1rUJ11sOk7gyZAXVk8ZfoaOpekW8POE6TifN8QRr fUZi64zBGfK3Ts64OTe6npiz5+ghpgZvHWhZ+XfTcTSrzFRR0HZ8DqQEPDQIy/RAkWIV U7c/LjW/41EzEo4m77dPo58vjG5VHU8PMuT6Q2pNUNUBM/YOidOWFHay9b1KwjEWUFcb 2XSG6FIb0ZHf9O0csmtt3TkX2tbYP+9EsIx9v+vFqICB5WGxnKdE7B0Y7afyl7XST5yp BgIhm0sfO7I34YpEH400U6IXZqNuQVQyb09JRfH1YchLaIFiHxRfp6x5CicH0XDTM4BS t+Tw==
X-Gm-Message-State: AODbwcBk2LZMsnTsHDIf5FC1Hd5sXAqPYAv6x9KWEmugppRRsu1PvWMQ 1iEGbRkRdovBXi/HOlG6yB3QawClIylA
X-Received: by 10.223.128.80 with SMTP id 74mr32503955wrk.30.1496977411585; Thu, 08 Jun 2017 20:03:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.128.2 with HTTP; Thu, 8 Jun 2017 20:03:30 -0700 (PDT)
In-Reply-To: <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com>
References: <CAO42Z2ziUZnK+n2f9N_Xvb5TZBppApXgNSmDsRLxaT1_taLvFw@mail.gmail.com> <4a6969ba-4cd3-ba30-2f3b-9ec4cc3fcf60@si6networks.com> <CAKD1Yr2x_EevJ37NnOg59Xk5+r3YYHmHEQKg_YCCSycuPpBzwA@mail.gmail.com> <bb3abd49-5ddc-076c-64a4-fe5f7dcd47d1@si6networks.com> <CAO42Z2zgRQscdJqtwSsF+BQJEQ9v9DOCrbDHU+CmZk-xC206Kw@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 08 Jun 2017 20:03:30 -0700
Message-ID: <CALx6S36pQe3vJS8H2s3AJ8e5ZdLaKQh+_zeb_Vu+OkOVRYp2yA@mail.gmail.com>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text (Re: draft-bourbaki-6man-classless-ipv6-00)
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, Job Snijders <job@instituut.net>, Erik Kline <ek@google.com>, 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/xUZUwOLz-aguwPDJ9-G_B9HHIQM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 03:03:38 -0000

On Thu, Jun 8, 2017 at 7:46 PM, Mark Smith <markzzzsmith@gmail.com> wrote:
> On 9 June 2017 at 03:17, Fernando Gont <fgont@si6networks.com> wrote:
>> On 06/08/2017 02:41 PM, Lorenzo Colitti wrote:
>>> On Wed, Jun 7, 2017 at 9:03 PM, Fernando Gont <fgont@si6networks.com
>>> <mailto:fgont@si6networks.com>> wrote:
>>>
> <snip>
>>
>> The point is that when employing manual configuration, addresses always
>> have small entropy. Hence employing a lot of bits doesn't buy much,
>> because folks simply do not use them for additional entropy.
>>
>
> So I was specifically talking about network infrastructure devices
> benefiting from large entropy in 64 bit IIDs.
>
> My view comes from slides like this one, showing in 2012 there were
> 268 000 Cisco IOS devices SNMP exposed to the Internet with a
> 'public' community, and 18 000 with 'private'.
>
> https://speakerdeck.com/hdm/derbycon-2012-the-wild-west?slide=54
>
> Cisco IOS devices obviously aren't hosts. People have very
> successfully scanned for and discovered devices that network operators
> should be securing.
>
> Here's more recent similar data from 2016. Much better, however still
> a lot of targets.
>
> https://www.shodan.io/report/mTVIRLZi
>
>
> I'm not aware of similar data for other network equipment vendors.
> Cisco is going to be the biggest target.
>
> This is about raising the security bar, and with manually configured
> addresses with high entropy, or RFC7217 on routers and switches out of
> the box, raising it by default. If the device can't be discovered, it
> isn't possible to send a packet to it.
>
Mark,

I don't quite understand this statement. Isn't is true that If I send
a packet to any IID in the prefix for a device it will reach the
device and be processed? I may not get a response because that's not
the IID randomly chosen as the address of the device, but it still
seems like that could be used for DOS (like a tuple attack on a NIC
queue) if the prefix is discovered or predictable.

Tom

> If you choose to specifically lower device security against discovery
> by putting routers in DNS, or allowing routers to respond to
> traceroutes, you consciously know you're lowering it for the specific
> device and can be vigilant when taking other measures to raise it
> again (ACLs etc.)
>
> Note that I'm not saying this is the only security measure you should
> have. It is an additional defence in depth measure that IPv6
> addressing can provide to network infrastructure devices that IPv4
> addressing could not.
>
> Regards,
> Mark.
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email