Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6
Fernando Gont <fgont@si6networks.com> Tue, 18 April 2017 13:11 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CDAB12EBBB; Tue, 18 Apr 2017 06:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id giy4j33YWZqD; Tue, 18 Apr 2017 06:11:33 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA0951274D0; Tue, 18 Apr 2017 06:11:32 -0700 (PDT)
Received: from [100.78.23.17] (unknown [94.117.66.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id D9ADB80D2A; Tue, 18 Apr 2017 15:11:30 +0200 (CEST)
To: otroan@employees.org
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com> <097C5D0E-5708-4CE4-989A-0174B11D1B25@employees.org> <1491877d-b445-af79-1f44-2e5507054a92@si6networks.com> <20391B01-0677-4E55-B83F-B517A32B7066@employees.org>
Cc: opsec@ietf.org, Gunter Van De Velde <guntervandeveldecc@icloud.com>, "v6ops@ietf.org Operations" <v6ops@ietf.org>, 6man@ietf.org
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <6675ff16-7294-5623-1e44-7bd3d41aed2b@si6networks.com>
Date: Tue, 18 Apr 2017 13:12:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20391B01-0677-4E55-B83F-B517A32B7066@employees.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/xtkzMv5oXcKl4thzUR3Za_cLAkM>
Subject: Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 13:11:35 -0000
Hi, Ole, On 04/18/2017 12:44 PM, otroan@employees.org wrote: >>> The ping pong attack is mitigated in RFC4443. >> >> I must be missing something.. what does RFC4443 have to do with this? A >> ping pong attack does not require the attack packets to be ICMPv6 echo >> requests... > > https://tools.ietf.org/html/rfc4443#section-3.1 > One specific case in which a Destination Unreachable message is sent > with a code 3 is in response to a packet received by a router from a > point-to-point link, destined to an address within a subnet assigned > to that same link (other than one of the receiving router's own > addresses). In such a case, the packet MUST NOT be forwarded back > onto the arrival link. > > Most implementations I'm aware of now implement this. Why wouldn't an attacker send *any* packet meant for the p2p link, but that not correspond to the address of any of the two endpoints? i.e., I don't see the need to focus on a specific kind of packet... I guess I'm missing something? >>> I am not convinced there is justification that this document should >>> recommend /127 for "security reasons". >> >> Besides ping-pong, there's NCE. While I do agree that the real solution >> to the above two issues is *not* to use a /127, this document being an >> operational one, I can see why the authors may want to recommend /127. > > Neighbour cache exhaustion has to be mitigated anyway. > On router-router links that's a relatively simple problem compared to > links with hosts. > I'm still not convinced that /127 should be recommended over any of the > other addressing models for router to router links. > /64, link-local only, /128s. How do you mitigate it when the implementation does not limit the number of NC entries? (i.e., operationally) >>> Section 2.2: >>> I am not sure that extension headers are one of the most critical >>> differentiators between IPv4 and IPv6. IPv4 had variable length >>> options... >> >> The packet structure does make a big difference. For instance, it's >> trivial to find (in IPv4-based packets) the upper layer protocol type >> and protocol header, while in IPv6 it actually isn't. > > It isn't supposed to be. Which for people running networks translates to "broken by design". >>> Section 2.3.2: >>> Consider Secure DHCPv6? >> >> Question: is that doable? (i.e., widely supported) > > You expect this document to have a short lifetime? > (Which I guess is the exact problem of publishing this type of advice as > an IETF RFC). I didn't even think about the lifetime. But I wouldn't suggest a mitigation that isn't doable at the time of publication. If Secure DHCPv6 is not widely implemented, this would be like saying "secure ND with SEND" ("yeah... in your dreams!"). FWIW, I do support this document. I think it contains valuable and much needed information. >>> Section 3.1: >>> In general update references. e.g. ipv6-eh-filtering is outdated. >>> I question referencing opsec-ipv6-eh-filtering. It has wrong and >>> outdated advice. E.g. on section of HBH header. >>> The advice in ipv6-eh-filtering is essentially to ossify the network. >> >> Have you read the I-D? Because the I-D boils down to: "pass all EHs >> unless they are known to be very harmdful". > > Hmm, I see the latest opsec version has put this right, thanks. > I must have read the earlier individual draft, cause that said "should > drop HBH". We've certainly been improving th document as part of the process. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [OPSEC] WGLC for draft-ietf-opsec-v6 Gunter Van De Velde
- Re: [OPSEC] WGLC for draft-ietf-opsec-v6 Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-v6 Ron Bonica
- Re: [OPSEC] [v6ops] Fwd: WGLC for draft-ietf-opse… Lorenzo Colitti
- Re: [OPSEC] FW: [ALU] Re: [v6ops] Fwd: WGLC for d… Erik Kline
- [OPSEC] FW: [ALU] Re: [v6ops] Fwd: WGLC for draft… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] WGLC for draft-ietf-opsec-v6 Eric Vyncke (evyncke)
- [OPSEC] Fwd: Re: [v6ops] WGLC for draft-ietf-opse… Fernando Gont
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 otroan
- Re: [OPSEC] [v6ops] Fwd: WGLC for draft-ietf-opse… Bernie Volz (volz)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 otroan
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 Fernando Gont
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 otroan
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 Fernando Gont
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 otroan
- Re: [OPSEC] [ALU] Re: [v6ops] Fwd: WGLC for draft… Merike Kaeo
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 Fernando Gont
- Re: [OPSEC] [ALU] Re: [v6ops] Fwd: WGLC for draft… Merike Kaeo
- [OPSEC] ULAs [was WGLC for draft-ietf-opsec-v6] Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-v6 Mikael Abrahamsson
- Re: [OPSEC] [v6ops] ULAs [was WGLC for draft-ietf… Ted Lemon
- Re: [OPSEC] ULAs [was WGLC for draft-ietf-opsec-v… james woodyatt
- Re: [OPSEC] [v6ops] ULAs [was WGLC for draft-ietf… Brian E Carpenter
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6 神明達哉
- Re: [OPSEC] [v6ops] ULAs [was WGLC for draft-ietf… Ted Lemon
- Re: [OPSEC] WGLC for draft-ietf-opsec-v6 Merike Kaeo
- Re: [OPSEC] [ALU] WGLC for draft-ietf-opsec-v6 Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [ALU] WGLC for draft-ietf-opsec-v6 Merike Kaeo
- Re: [OPSEC] [ALU] WGLC for draft-ietf-opsec-v6 Fernando Gont
- Re: [OPSEC] [ALU] WGLC for draft-ietf-opsec-v6 Tobias Fiebig
- Re: [OPSEC] [ALU] WGLC for draft-ietf-opsec-v6 Merike Kaeo
- Re: [OPSEC] [ALU] WGLC for draft-ietf-opsec-v6 Merike Kaeo