Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6

otroan@employees.org Tue, 18 April 2017 13:31 UTC

From: otroan@employees.org
Message-Id: <D0E3AF6B-D2C1-45E9-95C5-AB216DDD4D66@employees.org>
Date: Tue, 18 Apr 2017 15:31:16 +0200
In-Reply-To: <3edf94e6-3fde-03f8-21ec-f02b37fa83fa@si6networks.com>
Cc: Gunter Van De Velde <guntervandeveldecc@icloud.com>, opsec@ietf.org, 6man@ietf.org, "v6ops@ietf.org Operations" <v6ops@ietf.org>
To: Fernando Gont <fgont@si6networks.com>
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <097C5D0E-5708-4CE4-989A-0174B11D1B25@employees.org> <1491877d-b445-af79-1f44-2e5507054a92@si6networks.com> <20391B01-0677-4E55-B83F-B517A32B7066@employees.org> <6675ff16-7294-5623-1e44-7bd3d41aed2b@si6networks.com> <BBE95D76-13FF-4FAA-A3FA-AA1E4923EB91@employees.org> <3edf94e6-3fde-03f8-21ec-f02b37fa83fa@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/npehg4JFirHFJt0fPrzNn9g9Z7A>

>>>>>> The ping pong attack is mitigated in RFC4443.
>>>>> 
>>>>> I must be missing something... what does RFC4443 have to do with
>>>>> this? A ping pong attack does not require the attack packets to
>>>>> be ICMPv6 echo requests...
>>>> 
>>>> https://tools.ietf.org/html/rfc4443#section-3.1 One specific case
>>>> in which a Destination Unreachable message is sent with a code 3
>>>> is in response to a packet received by a router from a
>>>> point-to-point link, destined to an address within a subnet
>>>> assigned to that same link (other than one of the receiving
>>>> router's own addresses).  In such a case, the packet MUST NOT be
>>>> forwarded back onto the arrival link.
>>>> 
>>>> Most implementations I'm aware of now implement this.
>>> 
>>> Why wouldn't an attacker send *any* packet meant for the p2p link,
>>> but that does not correspond to the address of either of the two
>>> endpoints?
>>> 
>>> i.e., I don't see the need to focus on a specific kind of packet...
>>> I guess I'm missing something?
>> 
>> Yes, you are missing something. RFC4443 specifies what behaviour
>> should be if a router receives a packet on a point-to-point link that
>> would end up being forwarded back out the same link. The specified
>> behaviour is drop and send destination unreachable. That solves the
>> problem for any packet obviously. And any prefix length assigned to
>> the link.
> 
> How could RFC4443 possibly address this for all packets without formally
> updating RFC2460?
> 
> P.S.: From a specification pov, this shouldn't be buried in RFC4443, and,
> as noted, no matter where this "patch" is specified, such a doc should
> certainly update RFC2460.

You will probably save everyone a lot of energy if you just admit you had missed it, and move on.

Ole
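The RFC 4443 section 3.1 rule the thread argues about, modelled as a router forwarding decision. This is an added example, not code from the thread or from any router implementation: the two routers A and B, the documentation-space addresses (2001:db8::/32) and the `simulate` helper are constructed for illustration. It shows why the rule covers any packet type and any prefix length: a packet for an unused address inside the link prefix is dropped by the first router that receives it on the point-to-point link and answered with Destination Unreachable code 3, whereas without the rule it bounces between the two ends until its Hop Limit is exhausted.

```python
"""Model of the RFC 4443 section 3.1 point-to-point forwarding rule.

Constructed scenario (not from the thread): routers A and B share the
prefix 2001:db8:0:1::/64 on a point-to-point link. A packet for the
unused address 2001:db8:0:1::dead enters at A from an upstream
interface; A's only route for that prefix is the p2p link itself.
"""
import ipaddress
from dataclasses import dataclass

ICMPV6_DEST_UNREACH = 1       # ICMPv6 Destination Unreachable type (RFC 4443)
CODE_ADDRESS_UNREACHABLE = 3  # code 3, the case described in RFC 4443 3.1


@dataclass
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    hop_limit: int = 64


@dataclass
class Router:
    name: str
    own_addr: ipaddress.IPv6Address     # this router's address on the p2p link
    link_prefix: ipaddress.IPv6Network  # prefix assigned to the p2p link
    rfc4443_rule: bool                  # apply the section 3.1 check or not

    def forward(self, pkt: Packet, arrival_is_p2p: bool):
        """Decide what happens to pkt. Returns (action, detail).

        action is one of: deliver, drop_icmp, drop_hop_limit,
        forward_p2p, forward_elsewhere.
        """
        if pkt.dst == self.own_addr:
            return ("deliver", None)
        if pkt.dst in self.link_prefix:
            if self.rfc4443_rule and arrival_is_p2p:
                # Received on the p2p link, destined to the link's own subnet,
                # not one of our addresses: MUST NOT be forwarded back onto
                # the arrival link; answer with Destination Unreachable code 3.
                return ("drop_icmp", (ICMPV6_DEST_UNREACH, CODE_ADDRESS_UNREACHABLE))
            if pkt.hop_limit <= 1:
                # Decrementing would reach zero: discard (Time Exceeded in a real stack).
                return ("drop_hop_limit", None)
            pkt.hop_limit -= 1
            return ("forward_p2p", None)
        return ("forward_elsewhere", None)


def simulate(rfc4443_rule: bool, hop_limit: int = 64):
    """Push one packet for an unused link address through A and B.

    Returns (final_action, detail, link_crossings). With the rule enabled
    the packet crosses the link once and B drops it with code 3; without
    it the packet crosses hop_limit - 1 times before Hop Limit runs out.
    """
    prefix = ipaddress.IPv6Network("2001:db8:0:1::/64")
    a = Router("A", ipaddress.IPv6Address("2001:db8:0:1::1"), prefix, rfc4443_rule)
    b = Router("B", ipaddress.IPv6Address("2001:db8:0:1::2"), prefix, rfc4443_rule)
    pkt = Packet(ipaddress.IPv6Address("2001:db8:ffff::1"),   # constructed source
                 ipaddress.IPv6Address("2001:db8:0:1::dead"),  # unused link address
                 hop_limit)
    current, other = a, b
    arrival_is_p2p = False  # first hop arrives at A from upstream, not the p2p link
    crossings = 0
    while True:
        action, detail = current.forward(pkt, arrival_is_p2p)
        if action != "forward_p2p":
            return action, detail, crossings
        crossings += 1
        current, other = other, current
        arrival_is_p2p = True


if __name__ == "__main__":
    for rule in (False, True):
        print("rfc4443_rule=%s -> %s" % (rule, simulate(rule)))
```

Nothing in the check looks at the packet's upper-layer protocol, only at the arrival interface and the destination's membership in the link prefix, which is the point made in the thread: the mitigation applies to any packet and any prefix length assigned to the link.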