Re: [secdir] Routing loop attacks using IPv6 tunnels

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 14 September 2009 16:25 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C533D28C18F; Mon, 14 Sep 2009 09:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.968
X-Spam-Level:
X-Spam-Status: No, score=-5.968 tagged_above=-999 required=5 tests=[AWL=0.631, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p9GsyEZJ0joV; Mon, 14 Sep 2009 09:25:17 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by core3.amsl.com (Postfix) with ESMTP id AF82528C18A; Mon, 14 Sep 2009 09:25:13 -0700 (PDT)
Received: from slb-av-01.boeing.com (slb-av-01.boeing.com [129.172.13.4]) by blv-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id n8EGPrh8001447 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Sep 2009 09:25:54 -0700 (PDT)
Received: from slb-av-01.boeing.com (localhost [127.0.0.1]) by slb-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id n8EGPrqZ008939; Mon, 14 Sep 2009 09:25:53 -0700 (PDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by slb-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id n8EGPmi8008646; Mon, 14 Sep 2009 09:25:53 -0700 (PDT)
Received: from XCH-NW-7V2.nw.nos.boeing.com ([130.247.54.35]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 14 Sep 2009 09:25:52 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Sep 2009 09:25:50 -0700
Message-ID: <39C363776A4E8C4A94691D2BD9D1C9A10665C90F@XCH-NW-7V2.nw.nos.boeing.com>
In-Reply-To: <4AAAF8C8.6010103@gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Routing loop attacks using IPv6 tunnels
Thread-Index: AcozSBuZiYSXlZV3Qjy1t5j1F1+faQCCZNUw
References: <31484.26522.qm@web45503.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106555B38@XCH-NW-7V2.nw.nos.boeing.com> <373420.97768.qm@web45509.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106599177@XCH-NW-7V2.nw.nos.boeing.com> <342868.34354.qm@web45502.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D7CB7@XCH-NW-7V2.nw.nos.boeing.com> <6B55F0F93C3E9D45AF283313B8D342BA0440F47F@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com> <702481.50824.qm@web45515.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D80A0@XCH-NW-7V2.nw.nos.boeing.com> <309242.20809.qm@web45513.mail.sp1.yahoo.com><39C363776A4E8C4A94691D2BD9D1C9A106624B24@XCH-NW-7V2.nw.nos.boeing.com><4AAAD7C1.2060709@gmail.com><39C363776A4E8C4A94691D2BD9D1C9A106624BD7@XCH-NW-7V2.nw.nos.boeing.com> <4AAAF8C8.6010103@gmail.com>
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: "Brian E Carpenter" <brian.e.carpenter@gmail.com>
X-OriginalArrivalTime: 14 Sep 2009 16:25:52.0179 (UTC) FILETIME=[06D97830:01CA3558]
Cc: v6ops <v6ops@ops.ietf.org>, Christian Huitema <huitema@microsoft.com>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2009 16:25:17 -0000

Brian,

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: Friday, September 11, 2009 6:27 PM
> To: Templin, Fred L
> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
> 
> On 2009-09-12 11:12, Templin, Fred L wrote:
> > Brian,
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> >> Sent: Friday, September 11, 2009 4:06 PM
> >> To: Templin, Fred L
> >> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> On 2009-09-12 09:13, Templin, Fred L wrote:
> >>
> >> (much text deleted)
> >>
> >>> Otherwise, the best solution IMHO
> >>> would be to allow only routers (and not hosts) on the
> >>> virtual links.
> >> This was of course the original intention for 6to4, so
> >> that any misconfiguration issues could be limited to presumably
> >> trusted staff and boxes. Unfortunately, reality has turned out
> >> to be different, with host-based automatic tunnels becoming
> >> popular.
> >
> > Thanks. I was rethinking this a bit after sending, and
> > I may have been too premature in saying routers only
> > and not hosts.
> >
> > What I would rather have said was that mechanisms such as
> > SEcure Neighbor Discovery (SEND) may be helpful in private
> > addressing domains where spoofing is possible. Let me know
> > if this makes sense.
> 
> Except for the practical problems involved in deploying SEND.

Can it be said that there is any appreciable operational
experience with SEND yet? Are there implementations?

> We still have an issue in unmanaged networks.

By "unmanaged", how unmanaged do you mean? ISATAP is
intended for networks where there is at least some modicum
of cooperative management. We want that it can also be used
in "loosly" managed networks where there is an overall mutual
spirit of cooperation but where site-internal link-layer
address spoofing may still be possible. Can SEND be used
for that, or do we need something else in addition (e.g.,
a nonce with every message)?

Thanks - Fred
fred.l.templin@boeing.com

>     Brian
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------