IETF Logo Mail Archive

Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6

Fernando Gont <fgont@si6networks.com> Tue, 18 April 2017 13:27 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07D2912EBFD; Tue, 18 Apr 2017 06:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j6afuF0QdKh0; Tue, 18 Apr 2017 06:27:34 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2245D12EBFB; Tue, 18 Apr 2017 06:27:34 -0700 (PDT)
Received: from [100.78.23.17] (unknown [94.117.66.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 48AC68013E; Tue, 18 Apr 2017 15:27:32 +0200 (CEST)
To: otroan@employees.org
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <097C5D0E-5708-4CE4-989A-0174B11D1B25@employees.org> <1491877d-b445-af79-1f44-2e5507054a92@si6networks.com> <20391B01-0677-4E55-B83F-B517A32B7066@employees.org> <6675ff16-7294-5623-1e44-7bd3d41aed2b@si6networks.com> <BBE95D76-13FF-4FAA-A3FA-AA1E4923EB91@employees.org>
Cc: Gunter Van De Velde <guntervandeveldecc@icloud.com>, opsec@ietf.org, 6man@ietf.org, "v6ops@ietf.org Operations" <v6ops@ietf.org>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <3edf94e6-3fde-03f8-21ec-f02b37fa83fa@si6networks.com>
Date: Tue, 18 Apr 2017 14:27:11 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <BBE95D76-13FF-4FAA-A3FA-AA1E4923EB91@employees.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/kLUTyMJXKkez9Siu9hNDGE06sn8>
Subject: Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 13:27:40 -0000

On 04/18/2017 02:15 PM, otroan@employees.org wrote:
> Fernando,
> 
>>>>> The ping pong attack is mitigated in RFC4443.
>>>> 
>>>> I must be missing something.. what does RFC4443 have to do with
>>>> this? A ping pong attack does not require the attack packets to
>>>> be ICMPv6 echo requests...
>>> 
>>> https://tools.ietf.org/html/rfc4443#section-3.1 One specific case
>>> in which a Destination Unreachable message is sent with a code 3
>>> is in response to a packet received by a router from a 
>>> point-to-point link, destined to an address within a subnet
>>> assigned to that same link (other than one of the receiving
>>> router's own addresses).  In such a case, the packet MUST NOT be
>>> forwarded back onto the arrival link.
>>> 
>>> Most implementations I'm aware of now implement this.
>> 
>> Why wouldn't an attacker send *any* packet meant for the p2p link,
>> but that not correspond to the address of any of the two
>> endpoints?
>> 
>> i.e., I don't see the need to focus on a specific kind of packet...
>> I guess I'm missing something?
> 
> Yes, you are missing something. RFC4443 specifies what behaviour
> should be if a router receives a packet on a point to point link that
> would end up being forwarded back out the same link. The specified
> behaviour is drop and send destination unreachable. That solves the
> problem for any packet obviously. And any prefix length assigned to
> the link.

How could RFC4443 possibly address this for all packets without formally
updating RFC2460?

P.S.: For a specification pov, this shouldn't be buried in RFC4443, and,
as noted, no matter where this "patch" is specified, such doc should
certainly update RFC2460.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email