Re: [OPSEC] (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Oliver Gasser <oliver.gasser@mpi-inf.mpg.de> Thu, 09 February 2023 07:58 UTC

Message-ID: <fc77b63a-6051-dc02-43f0-ccc66d99ae6d@mpi-inf.mpg.de>
Date: Thu, 09 Feb 2023 08:58:28 +0100
To: Fernando Gont <fgont@si6networks.com>
References: <167539612053.40479.6488206666590835722@ietfa.amsl.com> <11639991-0f73-bb82-56a8-ff96e9f5575c@si6networks.com>
Cc: opsec@ietf.org
From: Oliver Gasser <oliver.gasser@mpi-inf.mpg.de>
In-Reply-To: <11639991-0f73-bb82-56a8-ff96e9f5575c@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/f0t9Ez3v0NF2zGyNHybDAw9kMnA>

Hi Fernando,

Together with researchers from Akamai, we also stumbled upon this issue 
last year. See here for the paper on IPv6 scanning published at ACM IMC 
2022 (especially relevant is the second paragraph in the Discussion 
section):

https://olivergasser.net/papers/richter2022illuminating.pdf

As you write in the I-D, the attribution of IPv6 activity (which includes 
scanning) is a major unresolved problem. It is completely unclear to 
what level operators should aggregate IPv6 addresses. Aggregating too 
little will result in (unwanted) activity remaining undetected; 
aggregating too much will result in collateral damage by putting 
together different users (be it ISP users, cloud infrastructure users, 
VM users, etc.). This could be a real problem when we think about 
automated blocking or rate-limiting of IPv6 addresses/prefixes.


Cheers,

Oliver

On 2/5/23 11:44, Fernando Gont wrote:
> Hi, All,
> 
> Recently, I happened to participate in an IPv6 deployment meeting with 
> some large content provider, and said meeting included a discussion 
> about how to mitigate some attacks using block-lists. These folks argued 
> that they ban offending IPv6 addresses as /128s, following IPv4 practices.
> 
> So it seemed to me that some of the implications arising from the 
> increased IPv6 address space were non-obvious to them -- that has been 
> the motivation for the publication of this document.
> 
> * TXT: 
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML: 
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
> 
> Comments welcome!
> 
> P.S.: The document is targeted at the IETF opsec wg 
> (https://www.ietf.org/mailman/listinfo/opsec), but I'll be happy to 
> discuss it on this mailing-list, off-list, or at the opsec wg 
> mailing-list...
> 
> Thanks!
> 
> Regards,
> Fernando
> 
> 
> 
> 
> -------- Forwarded Message --------
> Subject: New Version Notification for 
> draft-gont-opsec-ipv6-addressing-00.txt
> Date: Thu, 02 Feb 2023 19:48:40 -0800
> From: internet-drafts@ietf.org
> To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont 
> <ggont@si6networks.com>
> 
> 
> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
> 
> Name:        draft-gont-opsec-ipv6-addressing
> Revision:    00
> Title:        Implications of IPv6 Addressing on Security Operations
> Document date:    2023-02-02
> Group:        Individual Submission
> Pages:        8
> URL: 
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
> Htmlized: 
> https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
> 
> 
> Abstract:
>     The increased address availability provided by IPv6 has concrete
>     implications on security operations.  This document discusses such
>     implications, and sheds some light on how existing security
>     operations techniques and procedures might need to be modified
>     to accommodate the increased IPv6 address availability.
> 
> 
> 
> 
> The IETF Secretariat
> 
> 

-- 
Dr. Oliver Gasser
Max Planck Institute for Informatics
Web: https://olivergasser.net
PGP FP: 79A3 FB45 1F03 930C 9B5F  2192 2967 A665 11A8 FADB
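
The aggregation trade-off discussed in the message above, as an added example that is not part of the original post or of the I-D: the same threshold detector is run over one constructed event set at several prefix lengths. The addresses (from the 2001:db8::/32 documentation prefix), the threshold of 10 and the candidate prefix lengths are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

def build_events():
    """Constructed sample (2001:db8::/32 documentation space), not real traffic."""
    # One source rotating through 40 addresses inside a single /64.
    events = [(f"2001:db8:aaaa:1::{i:x}", 22) for i in range(1, 41)]
    # Ten unrelated users, each in a different /48 of the same /32.
    events += [(f"2001:db8:{i:x}:1::1", 443) for i in range(1, 11)]
    return events

def flag_prefixes(events, prefix_len, threshold):
    """Map each prefix with >= threshold events to (events, distinct sources)."""
    counts, sources = defaultdict(int), defaultdict(set)
    for src, _port in events:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        counts[net] += 1
        sources[net].add(src)
    return {str(n): (c, len(sources[n]))
            for n, c in counts.items() if c >= threshold}

def collateral(events, flagged, offenders):
    """Count distinct non-offending sources covered by a flagged prefix."""
    nets = [ipaddress.ip_network(p) for p in flagged]
    return len({src for src, _port in events
                if src not in offenders
                and any(ipaddress.ip_address(src) in n for n in nets)})

if __name__ == "__main__":
    events = build_events()
    offenders = {s for s, _ in events if s.startswith("2001:db8:aaaa:1:")}
    for plen in (128, 64, 48, 32):  # assumed candidate aggregation levels
        flagged = flag_prefixes(events, plen, threshold=10)  # assumed threshold
        print(f"/{plen}: flagged={list(flagged)} "
              f"collateral={collateral(events, flagged, offenders)}")
```

At /128 nothing crosses the threshold because every rotated address is seen only once, while at /32 the single flagged prefix also covers all ten unrelated sources.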