IETF Logo Mail Archive

Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 14 August 2012 12:32 UTC

Return-Path: <evyncke@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA6EE21F8682 for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 05:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.419
X-Spam-Level:
X-Spam-Status: No, score=-10.419 tagged_above=-999 required=5 tests=[AWL=0.180, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUeln4i50TPH for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 05:32:55 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 041C821F86A7 for <opsec@ietf.org>; Tue, 14 Aug 2012 05:32:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=evyncke@cisco.com; l=3137; q=dns/txt; s=iport; t=1344947575; x=1346157175; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=4ZNmm4J151CesAggFYS0tqu09/1KKupQoRDulOWOHBU=; b=ZJFFWDgXlgVdAog9QEO4F6GiTk7xaoAViTbJPXgZD5VzEm4pVjF1zelN tOD+P3VSZ1HDA7I3XF7yugEuY1G6234VLUsuei0LPlukBFZE1VhZhRh/F 48I+8ToqiSBIcoZgUg+/PEQSZMp+qWgVnSX2JzobvbwcM2BU2RuZ4lZS6 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EADZEKlCtJV2c/2dsb2JhbABEuhCBB4IgAQEBBAEBAQ8BWwsMBAIBCA4DBAEBAQodBycLFAkIAgQBDQUIGoVvgXwLmCShBgSLBRqFN2ADiBmbXIFmgl+BXw
X-IronPort-AV: E=Sophos;i="4.77,766,1336348800"; d="scan'208";a="111407919"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-8.cisco.com with ESMTP; 14 Aug 2012 12:32:54 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id q7ECWsLF022640 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 12:32:54 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 07:32:54 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Fernando Gont <fgont@si6networks.com>, "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Thread-Topic: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
Thread-Index: AQHNehTRuV3KNKdQu0KndP1+5av25JdZPTFA
Date: Tue, 14 Aug 2012 12:32:53 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C4473@xmb-aln-x02.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com> <502A3E54.1030102@si6networks.com>
In-Reply-To: <502A3E54.1030102@si6networks.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.185.71]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.005
x-tm-as-result: No--54.392900-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 12:32:56 -0000

Regarding the filtering of Teredo 'data' packets, several IPS are actually dropping all UDPv4 packets where 2001:0::/32 appears at the right place with also another IPv6 address as well as the IPv6 version indicator. So, this is one way to block Teredo

But, the most efficient (often used unknowingly) is to use only application proxies ;)

> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of
> Fernando Gont
> Sent: mardi 14 août 2012 14:02
> To: Panos Kampanakis (pkampana)
> Cc: opsec@ietf.org
> Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets
> Review
> 
> Hi, Panos,
> 
> While trying to address your feedback, I came up with additional comments.
> Please do let me know what you think...
> 
> On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> > - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is
> > the ND-Shield worth mentioning for L2 attacks?
> 
> I ended up referencing DHCPv6-Shield rather than ND-Shield, since the goal
> here is to prevent attackers from enabling "global IPv6 connectivity" -- ND-
> Shield, on the other hand mitigates Neighbor Cache sppofing attacks, which
> is not the subject of this section.
> 
> 
> > - In 6to4 subsection, a couple of protections state "(embedded in the
> > IPv4 payload)". This is not our traditional ACL filtering. It requires
> > equipment that can look and inspect the encapsulated packet, or match
> > on specific fields of the packet payload, or actually understand 6 in
> > 4 encapsulation in order to be able to filter. Maybe it would be worth
> > the put a sentence to clarify that to prevent readers from think this
> > is traditional ACL filtering.
> 
> I've added a clarification about this. Additionally, I added a note
> mentioning that an attacker might fragment its 6to4 packets into tiny
> fragments such that the filtering device does not really have access to the
> embedded IPv6 Addresses.
> 
> 
> 
> > - For Teredo, would it be worth mentioning that blocking UDP packets
> > with embedded IPv6 addresses 2001::/32 on a device that can
> > match/"understand"/inspect Teredo encapsulation is another mitigation
> > option (as in 6to4 "(embedded in the IPv4 payload)")?
> 
> The problem here is that, IIRC (and of the top of my head), no specific UDP
> port numbers are used for the "data" packets, and hence you cannot really
> tell to which UDP packets you should apply these filtering rules.
> 
> Does this make sense?
> 
> As a result, I have not yet added any text regarding filtering Teredo
> packets based on the embedded IPv6 addresses. But please do let me know if
> you feel otherwise.
> 
> Thanks!
> 
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

v2.23.0 | Report a Bug | By Email