Re: [OPSEC] comment on 'draft-ietf-opsec-ipv6-implications-on-ipv4-nets'

"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 01 March 2013 16:15 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Fernando Gont <fgont@si6networks.com>
Date: Fri, 01 Mar 2013 16:15:32 +0000
Message-ID: <2134F8430051B64F815C691A62D98318015445@XCH-BLV-504.nw.nos.boeing.com>
References: <2134F8430051B64F815C691A62D9831801380F@XCH-BLV-504.nw.nos.boeing.com> <51303822.50108@si6networks.com>
In-Reply-To: <51303822.50108@si6networks.com>
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] comment on 'draft-ietf-opsec-ipv6-implications-on-ipv4-nets'

Hi Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:fgont@si6networks.com]
> Sent: Thursday, February 28, 2013 9:10 PM
> To: Templin, Fred L
> Cc: opsec@ietf.org
> Subject: Re: [OPSEC] comment on 'draft-ietf-opsec-ipv6-implications-on-ipv4-nets'
> 
> Hi, Fred,
> 
> On 02/27/2013 03:31 PM, Templin, Fred L wrote:
> >
> >   "As a result, blocking ISATAP by preventing hosts from
> >    successfully performing name resolution for the
> >    aforementioned names and/or by filtering packets with
> >    specific IPv4 destination addresses is both difficult
> >    and undesirable."
> >
> > I would like to understand this better. In particular, the
> > ISATAP service is by design disabled by disabling name
> > resolution for the name "isatap.domainname" and/or by
> > disabling the ISATAP router advertisement service. Can
> > you say why this would be difficult and undesirable?
> 
> Preventing name resolution is virtually impossible, since Windows nodes
> not only try to perform such resolution with DNS, but also with LLMNR.
> In order to block the latter, you should be able to achieve such
> filtering at layer 2 -- and that would be a bit onerous (not to mention
> how difficult that would be if fragmentation is employed).

Nodes that send RAs in response to LLMNR queries for ISATAP
when they shouldn't are rogue IPv6 "routers" that have somehow
gained access to what should be a protected link. The concern
is no different than for any rogue IPv6 router that gains access
to an ordinary link. In the case of ISATAP, the router can be
located by its IPv4 address. For ordinary routers, the router
can be located by its MAC address. The mitigations for the
attack profile are the same in either case.

Thanks - Fred
fred.l.templin@boeing.com

> Since you never know what the isatap domain names may resolve to, it's
> essentially impossible to block isatap packets based on a specific
> destination address (you'd need to know such address in advance in order
> to create the ACL).
> 
> Please do let me know if this clarification has been of any help.
> 
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
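An added example, not part of Fred's or Fernando's messages, showing the two technical points the exchange turns on from a monitoring angle: LLMNR reuses the DNS message format, so a query for isatap.<domain> can be recognised by parsing the question section of a captured UDP/5355 payload, and an ISATAP address embeds the responder's IPv4 address in its last 32 bits (RFC 5214), which is how the router Fred refers to can be located. The function names, the sample query and the addresses 192.0.2.1 and 203.0.113.9 are constructed for the example.

```python
from __future__ import annotations
import ipaddress
import struct

# Added example, not code from the thread. LLMNR (RFC 4795) carries a DNS-format
# message, so the same question parser serves DNS and LLMNR payloads.

def parse_query_names(msg: bytes) -> list[str]:
    """Return the question names of a DNS/LLMNR message (uncompressed labels only)."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(msg):
                raise ValueError("truncated question")
            ln = msg[pos]
            pos += 1
            if ln == 0:
                break
            if ln & 0xC0:  # compression pointers are not expected in a query
                raise ValueError("compression pointer in question")
            labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
            pos += ln
        pos += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names

def is_isatap_lookup(name: str) -> bool:
    """True for the 'isatap.<domain>' names ISATAP hosts resolve (RFC 5214)."""
    return name.lower().split(".")[0] == "isatap"

def isatap_embedded_ipv4(addr: str) -> str | None:
    """IPv4 address carried in an ISATAP address (IID ::0:5EFE:w.x.y.z or ::200:5EFE:w.x.y.z)."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return str(ipaddress.IPv4Address(packed[12:16]))
    return None

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a single-question DNS/LLMNR query for name (default QTYPE A)."""
    body = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0) + body + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    for n in parse_query_names(build_query("isatap.example.com")):
        print(n, "ISATAP lookup" if is_isatap_lookup(n) else "other")
    print(isatap_embedded_ipv4("fe80::5efe:192.0.2.1"))  # constructed responder address
```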