Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Fernando Gont <fgont@si6networks.com> Wed, 08 February 2023 13:07 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45E09C1524C8 for <opsec@ietfa.amsl.com>; Wed, 8 Feb 2023 05:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5OAFEaAfvZ8F for <opsec@ietfa.amsl.com>; Wed, 8 Feb 2023 05:07:33 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C14CBC1516F3 for <opsec@ietf.org>; Wed, 8 Feb 2023 05:07:33 -0800 (PST)
Received: from [10.0.0.133] (unknown [186.19.8.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 9281F280C25; Wed, 8 Feb 2023 10:07:26 -0300 (-03)
Message-ID: <9290fa69-e127-100b-22f8-a436bf9225e1@si6networks.com>
Date: Wed, 08 Feb 2023 09:02:06 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: gengnan <gengnan=40huawei.com@dmarc.ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
References: <167539612053.40479.6488206666590835722@ietfa.amsl.com> <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <938d6bf054ac47caa963efc7a0989900@huawei.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <938d6bf054ac47caa963efc7a0989900@huawei.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/4Hg9i5vzWPwAlLroIrV4AV23fJw>
Subject: Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2023 13:07:38 -0000
Hello, Nan, Thanks a lot for your input! In-line.... On 8/2/23 00:52, gengnan wrote: > Hi Fernando, > > Here are some thoughts after I reading the draft: > > 1. To my knowledge, the block-lists can be used for mitigating some > DDoS attacks by putting the Zombie's addresses in the block-lists. Of > course the lists should be updated dynamically in some way so as to > reduce false negatives and false positives. Agreed. Are you suggesting any modifications/changes here? (i.e., anything that we have missed?) > 2. For "Both types of ACLs have a similar challenge in common": IMO, > how to keep high accuracy for address filtering/validation in an > efficient way is really a challenging problem for both manual > configuration-based filtering and automated tool-based filtering. Agreed here. > Particularly, I think (more from the operator's point of view) there > should be zero false positive so that legitimate users are not > affected and operators have confidence to conduct filtering > operations (e.g., deploying some tools). On the basis of zero false > positive, false negatives should be reduced as less as possible. Of course I agree with the theory. But in reality, there's always a possibility of false positives one way or another. In a simple case, e.g.: 1) A user connecting to an ISP performs malicious activity 2) His/her address gets block-lists 3) The user performs a DHCP-release (or equivalent) to try to release the previous address and get leased a new one. 4) A new user connects to the ISP and is leased the IP address from #1 5) This new user gets blocked as a result of the malicious activity of the previous user of the IP address. Similarly, if a user starts attacking from multiple addresses in a /64, a system dynamically creating and/or applying block-lists will have to aggregate such block-lists. -- i.e., you just can't simply employ block-lists with thousands and thousands of addresses. > 3. There are also some methods (e.g., RTBH [RFC 5635], uRPF > [RFC3704]) which do address filtering based on FIB instead of ACL. > Are they in the scope of the draft? At least for this initial version, we have tried to focus on the specific aspects where IPv6 changes the scale of the problem. However, we have also received suggestions to consider other aspects into scope. Anything in particular you think we should/could consider incorporating/discussing? Thanks! Regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494