Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6

otroan@employees.org Tue, 18 April 2017 13:15 UTC

From: otroan@employees.org
Message-Id: <BBE95D76-13FF-4FAA-A3FA-AA1E4923EB91@employees.org>
Date: Tue, 18 Apr 2017 15:15:35 +0200
In-Reply-To: <6675ff16-7294-5623-1e44-7bd3d41aed2b@si6networks.com>
Cc: opsec@ietf.org, Gunter Van De Velde <guntervandeveldecc@icloud.com>, "v6ops@ietf.org Operations" <v6ops@ietf.org>, 6man@ietf.org
To: Fernando Gont <fgont@si6networks.com>
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <097C5D0E-5708-4CE4-989A-0174B11D1B25@employees.org> <1491877d-b445-af79-1f44-2e5507054a92@si6networks.com> <20391B01-0677-4E55-B83F-B517A32B7066@employees.org> <6675ff16-7294-5623-1e44-7bd3d41aed2b@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/guE3iKdGMeikGUQfbc748nNyNrA>
Subject: Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6

Fernando,

>>>> The ping pong attack is mitigated in RFC4443.
>>> 
>>> I must be missing something.. what does RFC4443 have to do with this? A
>>> ping pong attack does not require the attack packets to be ICMPv6 echo
>>> requests...
>> 
>> https://tools.ietf.org/html/rfc4443#section-3.1
>>  One specific case in which a Destination Unreachable message is sent
>>  with a code 3 is in response to a packet received by a router from a
>>  point-to-point link, destined to an address within a subnet assigned
>>  to that same link (other than one of the receiving router's own
>>  addresses).  In such a case, the packet MUST NOT be forwarded back
>>  onto the arrival link.
>> 
>> Most implementations I'm aware of now implement this.
> 
> Why wouldn't an attacker send *any* packet meant for the p2p link, but
> that does not correspond to the address of any of the two endpoints?
> 
> i.e., I don't see the need to focus on a specific kind of packet... I
> guess I'm missing something?

Yes, you are missing something.
RFC 4443 specifies what the behaviour should be if a router receives a packet on a point-to-point link that would end up being forwarded back out the same link. The specified behaviour is to drop it and send a Destination Unreachable.
That solves the problem for any packet, obviously, and for any prefix length assigned to the link.

Cheers,
Ole
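The forwarding rule from RFC 4443 section 3.1 that Ole quotes, as an added worked model; this is example code written for this page, not part of the original message and not taken from any router implementation. Two routers share a point-to-point link with a /64 assigned to it (prefix, addresses and hop limit are constructed for the example). A packet for an address inside that prefix that is neither router's own address enters router A from upstream, and the model counts how many times the packet crosses the link before it is dropped, with and without the section 3.1 check. The check looks only at the arrival interface and destination address, so the packet's type (echo request or anything else) never enters the decision, and the prefix membership test is the same for any prefix length.

```python
"""Model of the point-to-point ping-pong case and the RFC 4443 section 3.1 rule.

Constructed topology: routers A (2001:db8:0:1::1) and B (2001:db8:0:1::2) share
a point-to-point link to which 2001:db8:0:1::/64 is assigned. These values are
example assumptions, not taken from the mailing-list thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    link_prefix: ipaddress.IPv6Network   # prefix assigned to the p2p link
    own_addr: ipaddress.IPv6Address      # this router's address on that link
    rfc4443_3_1: bool                    # apply the section 3.1 rule?

    def forward(self, dst: ipaddress.IPv6Address, arrived_on_p2p_link: bool) -> str:
        """Decide what happens to a packet for dst.

        Only the p2p link matters in this model; a destination inside link_prefix
        is reached through the connected route on that link. The decision does
        not look at the packet's upper-layer type at all.
        """
        if dst == self.own_addr:
            return "deliver"
        if dst in self.link_prefix:
            if not arrived_on_p2p_link:
                # Legitimate case: came from upstream, goes out onto the link.
                return "forward_onto_link"
            if self.rfc4443_3_1:
                # RFC 4443 3.1: MUST NOT forward back onto the arrival link;
                # drop and send Destination Unreachable, code 3.
                return "icmp_unreachable_code3"
            # Without the rule the connected route sends it straight back.
            return "forward_back"
        return "forward_elsewhere"


def make_link(mitigated: bool) -> tuple:
    """Build the constructed A/B pair, both with or both without the rule."""
    prefix = ipaddress.IPv6Network("2001:db8:0:1::/64")
    a = Router("A", prefix, ipaddress.IPv6Address("2001:db8:0:1::1"), mitigated)
    b = Router("B", prefix, ipaddress.IPv6Address("2001:db8:0:1::2"), mitigated)
    return a, b


def inject(a: Router, b: Router, dst: str, hop_limit: int = 64) -> dict:
    """Inject one packet for dst into A from upstream and follow it.

    Returns how many times it crossed the p2p link, how many Destination
    Unreachable code 3 messages were generated, and the remaining hop limit.
    """
    target = ipaddress.IPv6Address(dst)
    crossings, icmp_code3 = 0, 0
    cur, other, on_link = a, b, False
    while True:
        action = cur.forward(target, on_link)
        if action == "icmp_unreachable_code3":
            icmp_code3 += 1
            break
        if action not in ("forward_onto_link", "forward_back"):
            break                      # delivered or left the model
        hop_limit -= 1
        if hop_limit == 0:
            break                      # decremented to zero: discarded (Time Exceeded case)
        crossings += 1                 # one more transmission onto the link
        cur, other, on_link = other, cur, True
    return {"link_crossings": crossings, "icmp_code3": icmp_code3,
            "hop_limit_left": hop_limit}


if __name__ == "__main__":
    stray = "2001:db8:0:1::dead"       # inside the /64, belongs to neither router
    for mitigated in (False, True):
        a, b = make_link(mitigated)
        print("rfc4443_3_1=%s -> %s" % (mitigated, inject(a, b, stray)))
```

Running the block prints the two outcomes side by side: without the rule a single packet with hop limit 64 is transmitted onto the link 63 times before the hop limit runs out, while with the rule it crosses once and B answers with a single Destination Unreachable code 3. Traffic for B's own address still crosses once and is delivered, so the rule does not affect legitimate forwarding onto the link.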