Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
gengnan <gengnan@huawei.com> Fri, 10 February 2023 03:35 UTC
Return-Path: <gengnan@huawei.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E18C1575CC for <opsec@ietfa.amsl.com>; Thu, 9 Feb 2023 19:35:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P5Q1o0luOQsS for <opsec@ietfa.amsl.com>; Thu, 9 Feb 2023 19:35:23 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF44FC1524DE for <opsec@ietf.org>; Thu, 9 Feb 2023 19:35:22 -0800 (PST)
Received: from lhrpeml100006.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4PCfQl5RMRz686y1 for <opsec@ietf.org>; Fri, 10 Feb 2023 11:31:11 +0800 (CST)
Received: from kwepemm600011.china.huawei.com (7.193.23.229) by lhrpeml100006.china.huawei.com (7.191.160.224) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.17; Fri, 10 Feb 2023 03:35:19 +0000
Received: from kwepemm600009.china.huawei.com (7.193.23.164) by kwepemm600011.china.huawei.com (7.193.23.229) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.34; Fri, 10 Feb 2023 11:35:17 +0800
Received: from kwepemm600009.china.huawei.com ([7.193.23.164]) by kwepemm600009.china.huawei.com ([7.193.23.164]) with mapi id 15.01.2375.034; Fri, 10 Feb 2023 11:35:17 +0800
From: gengnan <gengnan@huawei.com>
To: Fernando Gont <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>
Thread-Topic: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Thread-Index: AQHZN4gRlPNX4h/iQEu+qUxtDMYs+a7EWeQwgAAbQwCAAwADUA==
Date: Fri, 10 Feb 2023 03:35:17 +0000
Message-ID: <c3555f450064402c85efd8c4ceaa9f20@huawei.com>
References: <167539612053.40479.6488206666590835722@ietfa.amsl.com> <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <938d6bf054ac47caa963efc7a0989900@huawei.com> <9290fa69-e127-100b-22f8-a436bf9225e1@si6networks.com>
In-Reply-To: <9290fa69-e127-100b-22f8-a436bf9225e1@si6networks.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.112.40.101]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/B4c2-S9fBP3L7dCSjvFapWvVOh8>
Subject: Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2023 03:35:27 -0000
Hi, Some comments in-line: > -----Original Message----- > From: Fernando Gont <fgont@si6networks.com> > Sent: Wednesday, February 8, 2023 8:02 PM > To: gengnan <gengnan@huawei.com>; opsec@ietf.org > Subject: Re: [OPSEC] (IETF I-D); Implications of IPv6 Addressing on Security > Operations (Fwd: New Version Notification for > draft-gont-opsec-ipv6-addressing-00.txt) > > Hello, Nan, > > Thanks a lot for your input! In-line.... > > On 8/2/23 00:52, gengnan wrote: > > Hi Fernando, > > > > Here are some thoughts after I reading the draft: > > > > 1. To my knowledge, the block-lists can be used for mitigating some > > DDoS attacks by putting the Zombie's addresses in the block-lists. Of > > course the lists should be updated dynamically in some way so as to > > reduce false negatives and false positives. > > Agreed. Are you suggesting any modifications/changes here? (i.e., anything > that we have missed?) > Actually no modification suggestions here. I was sharing a possible use case of block-lists. > > > 2. For "Both types of ACLs have a similar challenge in common": IMO, > > how to keep high accuracy for address filtering/validation in an > > efficient way is really a challenging problem for both manual > > configuration-based filtering and automated tool-based filtering. > > Agreed here. > > > > Particularly, I think (more from the operator's point of view) there > > should be zero false positive so that legitimate users are not > > affected and operators have confidence to conduct filtering operations > > (e.g., deploying some tools). On the basis of zero false positive, > > false negatives should be reduced as less as possible. > > Of course I agree with the theory. But in reality, there's always a possibility of > false positives one way or another. > > In a simple case, e.g.: > > 1) A user connecting to an ISP performs malicious activity > > 2) His/her address gets block-lists > > 3) The user performs a DHCP-release (or equivalent) to try to release the > previous address and get leased a new one. > > 4) A new user connects to the ISP and is leased the IP address from #1 > > 5) This new user gets blocked as a result of the malicious activity of the > previous user of the IP address. > > > > Similarly, if a user starts attacking from multiple addresses in a /64, > a system dynamically creating and/or applying block-lists will have to > aggregate such block-lists. -- i.e., you just can't simply employ > block-lists with thousands and thousands of addresses. > Yes. It is hard to say absolute correctness in a dynamic environment. What I said is more like a design goal for related tools for particular application scenarios. > > > 3. There are also some methods (e.g., RTBH [RFC 5635], uRPF > > [RFC3704]) which do address filtering based on FIB instead of ACL. > > Are they in the scope of the draft? > > At least for this initial version, we have tried to focus on the > specific aspects where IPv6 changes the scale of the problem. However, > we have also received suggestions to consider other aspects into scope. > > Anything in particular you think we should/could consider > incorporating/discussing? I thought about some more security operations can be analyzed to figure out whether there are particular challenges induced by ipv6 addressing. The related operations may be: intrusion detection, attack traceback, source address validation, ddos mitigation, etc. The ipv6 addressing properties such as address scope and reachability have more or less impact on these security operations. Which exact operation should be incorporated depends on the focus of the draft. Some references that may be helpful: [1] https://www.senki.org/operators-security-toolkit/ [2] https://www.manrs.org/netops/guide/antispoofing/ > > Thanks! > > Regards, > -- > Fernando Gont > SI6 Networks > e-mail: fgont@si6networks.com > PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494