IETF Logo Mail Archive

Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Tue, 14 August 2012 13:16 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD73021F86D8 for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 06:16:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.524
X-Spam-Level:
X-Spam-Status: No, score=-10.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4pZ+0h0R6Ne for <opsec@ietfa.amsl.com>; Tue, 14 Aug 2012 06:16:38 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id D4E6621F86BD for <opsec@ietf.org>; Tue, 14 Aug 2012 06:16:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pkampana@cisco.com; l=3042; q=dns/txt; s=iport; t=1344950199; x=1346159799; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=qTrUD5hVAMn70p2MF5KVZeJo4sj/mRE4vCLCHXro96E=; b=eg5JIohc6F0LSJsk3PqzHla/4EuqHc9Vhcx3STlAQSKnROhF4qiIWlFz TCB4sARL8zvp+CPxBfo4oCzbjW5nIQ15/Z/V2OIyxBLJo3KKq8/iI138m FzChe2cziOCaGHD/AHfd337zOapTn87fM5IZcMyRkj3ULMmqXT5UM4hb2 A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAHhOKlCtJXG+/2dsb2JhbABEuhCBB4IgAQEBAwESASc/BQcEAgEIDgMEAQEBChQJBzIUCQgCBA4FCBqFb4F2BpguoQiLBRqFN2ADo3WBZoJfgV8
X-IronPort-AV: E=Sophos;i="4.77,766,1336348800"; d="scan'208";a="111443830"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-3.cisco.com with ESMTP; 14 Aug 2012 13:16:38 +0000
Received: from xhc-rcd-x01.cisco.com (xhc-rcd-x01.cisco.com [173.37.183.75]) by rcdn-core2-3.cisco.com (8.14.5/8.14.5) with ESMTP id q7EDGcFj021825 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 13:16:38 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.216]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 08:16:38 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Fernando Gont <fgont@si6networks.com>
Thread-Topic: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
Thread-Index: AQHNehTOs9TmPTqGR0GvKCKzqIghaZdZR+Rg
Date: Tue, 14 Aug 2012 13:16:37 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A75051723@xmb-rcd-x10.cisco.com>
References: <67832B1175062E48926BF3CB27C49B240674C2@xmb-aln-x12.cisco.com> <67832B1175062E48926BF3CB27C49B2406BE1F@xmb-aln-x12.cisco.com> <1C9F17D1873AFA47A969C4DD98F98A7504E928@xmb-rcd-x10.cisco.com> <5028F27A.5070404@si6networks.com> <1C9F17D1873AFA47A969C4DD98F98A75051261@xmb-rcd-x10.cisco.com> <502A3E54.1030102@si6networks.com>
In-Reply-To: <502A3E54.1030102@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [64.102.89.107]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.005
x-tm-as-result: No--43.880200-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 13:16:40 -0000

Thank Fernando.

> I ended up referencing DHCPv6-Shield rather than ND-Shield, since the goal here is to prevent attackers from enabling "global IPv6 connectivity" -- ND-Shield, on the other hand mitigates Neighbor Cache sppofing attacks, which is not the subject of this section.

Agreed.


For Teredo, as also Eric Vyncke pointed out, I was thinking IPS or Pattern type matching in UDP payloads. Or even proxies that can understand and inspect the Teredo communication. These are not the traditional ACL filtering of course.

Rgs,
Panos




-----Original Message-----
From: Fernando Gont [mailto:fgont@si6networks.com] 
Sent: Tuesday, August 14, 2012 8:02 AM
To: Panos Kampanakis (pkampana)
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Draft: draft-gont-opsec-ipv6-implications-on-ipv4-nets Review

Hi, Panos,

While trying to address your feedback, I came up with additional comments. Please do let me know what you think...

On 08/13/2012 05:52 PM, Panos Kampanakis (pkampana) wrote:
> - I see that you are mentioning RA-Guard for SLAAC-based attacks. Is 
> the ND-Shield worth mentioning for L2 attacks?

I ended up referencing DHCPv6-Shield rather than ND-Shield, since the goal here is to prevent attackers from enabling "global IPv6 connectivity" -- ND-Shield, on the other hand mitigates Neighbor Cache sppofing attacks, which is not the subject of this section.


> - In 6to4 subsection, a couple of protections state "(embedded in the
> IPv4 payload)". This is not our traditional ACL filtering. It requires 
> equipment that can look and inspect the encapsulated packet, or match 
> on specific fields of the packet payload, or actually understand 6 in 
> 4 encapsulation in order to be able to filter. Maybe it would be worth 
> the put a sentence to clarify that to prevent readers from think this 
> is traditional ACL filtering.

I've added a clarification about this. Additionally, I added a note mentioning that an attacker might fragment its 6to4 packets into tiny fragments such that the filtering device does not really have access to the embedded IPv6 Addresses.



> - For Teredo, would it be worth mentioning that blocking UDP packets 
> with embedded IPv6 addresses 2001::/32 on a device that can 
> match/"understand"/inspect Teredo encapsulation is another mitigation 
> option (as in 6to4 "(embedded in the IPv4 payload)")?

The problem here is that, IIRC (and of the top of my head), no specific UDP port numbers are used for the "data" packets, and hence you cannot really tell to which UDP packets you should apply these filtering rules.

Does this make sense?

As a result, I have not yet added any text regarding filtering Teredo packets based on the embedded IPv6 addresses. But please do let me know if you feel otherwise.

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email