Re: [secdir] Routing loop attacks using IPv6 tunnels

Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 12 September 2009 01:26 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C9213A6A9B; Fri, 11 Sep 2009 18:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.228
X-Spam-Level:
X-Spam-Status: No, score=-2.228 tagged_above=-999 required=5 tests=[AWL=0.371, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6tB-9WCAYCo9; Fri, 11 Sep 2009 18:26:02 -0700 (PDT)
Received: from mail-pz0-f195.google.com (mail-pz0-f195.google.com [209.85.222.195]) by core3.amsl.com (Postfix) with ESMTP id 582C43A6A48; Fri, 11 Sep 2009 18:26:02 -0700 (PDT)
Received: by pzk33 with SMTP id 33so1266128pzk.24 for <multiple recipients>; Fri, 11 Sep 2009 18:26:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=xuR5oTnD1ZqaJJPpnLAX5IoxohkM8v1Fk4QY+Yc8RwI=; b=H8wKcy9nMjHErD/LFJ0CJBJ3r2w3/6CeZPbwo5+YKlvDury/avMYYaZCd1BIJpUZbz OCH+srtNiSRgE5RPsdO7K2bI4nzb+MyMzJteNYN+7lWUt2DcB+164T6sXIvg0dMGMPmF MB1u3nRkB5asx/PRkPLfa+P4WcMzga64H44N4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=FHK8eqrehZj3Z9H7cf/jduPYKuNiSKMMlW4dimw+yApfBD1Ki+PgF+UNb94cajNwpk lgLn3ZaJ34vpkVTbtSyfaBQIGqHMgK7QDqxtPPluajiMN9ufUD/WXiZfXiauS6jMZ82I JCwh6Vv73TDM1iHr0GTusaQ+xgPGRKqB6i0Mw=
Received: by 10.114.163.5 with SMTP id l5mr6598370wae.140.1252718798457; Fri, 11 Sep 2009 18:26:38 -0700 (PDT)
Received: from ?10.1.1.4? (118-92-111-74.dsl.dyn.ihug.co.nz [118.92.111.74]) by mx.google.com with ESMTPS id 21sm1008531pzk.3.2009.09.11.18.26.35 (version=SSLv3 cipher=RC4-MD5); Fri, 11 Sep 2009 18:26:38 -0700 (PDT)
Message-ID: <4AAAF8C8.6010103@gmail.com>
Date: Sat, 12 Sep 2009 13:26:32 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
References: <31484.26522.qm@web45503.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106555B38@XCH-NW-7V2.nw.nos.boeing.com> <373420.97768.qm@web45509.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106599177@XCH-NW-7V2.nw.nos.boeing.com> <342868.34354.qm@web45502.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D7CB7@XCH-NW-7V2.nw.nos.boeing.com> <6B55F0F93C3E9D45AF283313B8D342BA0440F47F@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com> <702481.50824.qm@web45515.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D80A0@XCH-NW-7V2.nw.nos.boeing.com> <309242.20809.qm@web45513.mail.sp1.yahoo.com><39C363776A4E8C4A94691D2BD9D1C9A106624B24@XCH-NW-7V2.nw.nos.boeing.com> <4AAAD7C1.2060709@gmail.com> <39C363776A4E8C4A94691D2BD9D1C9A106624BD7@XCH-NW-7V2.nw.nos.boeing.com>
In-Reply-To: <39C363776A4E8C4A94691D2BD9D1C9A106624BD7@XCH-NW-7V2.nw.nos.boeing.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: v6ops <v6ops@ops.ietf.org>, Christian Huitema <huitema@microsoft.com>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2009 01:26:03 -0000

On 2009-09-12 11:12, Templin, Fred L wrote:
> Brian,
> 
>> -----Original Message-----
>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
>> Sent: Friday, September 11, 2009 4:06 PM
>> To: Templin, Fred L
>> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org
>> Subject: Re: Routing loop attacks using IPv6 tunnels
>>
>> On 2009-09-12 09:13, Templin, Fred L wrote:
>>
>> (much text deleted)
>>
>>> Otherwise, the best solution IMHO
>>> would be to allow only routers (and not hosts) on the
>>> virtual links.
>> This was of course the original intention for 6to4, so
>> that any misconfiguration issues could be limited to presumably
>> trusted staff and boxes. Unfortunately, reality has turned out
>> to be different, with host-based automatic tunnels becoming
>> popular.
> 
> Thanks. I was rethinking this a bit after sending, and
> I may have been too premature in saying routers only
> and not hosts.
> 
> What I would rather have said was that mechanisms such as
> SEcure Neighbor Discovery (SEND) may be helpful in private
> addressing domains where spoofing is possible. Let me know
> if this makes sense.

Except for the practical problems involved in deploying SEND.
We still have an issue in unmanaged networks.

    Brian