Re: [secdir] Routing loop attacks using IPv6 tunnels
"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 15 September 2009 15:33 UTC
Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4AEBF3A6B3B; Tue, 15 Sep 2009 08:33:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.972
X-Spam-Level:
X-Spam-Status: No, score=-5.972 tagged_above=-999 required=5 tests=[AWL=0.627, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59G9Iwi68CZC; Tue, 15 Sep 2009 08:33:26 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by core3.amsl.com (Postfix) with ESMTP id 562EB3A698F; Tue, 15 Sep 2009 08:33:26 -0700 (PDT)
Received: from blv-av-01.boeing.com (blv-av-01.boeing.com [130.247.48.231]) by blv-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id n8FFY3Lf017058 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 15 Sep 2009 08:34:03 -0700 (PDT)
Received: from blv-av-01.boeing.com (localhost [127.0.0.1]) by blv-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id n8FFY3QG015746; Tue, 15 Sep 2009 08:34:03 -0700 (PDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by blv-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id n8FFY1N7015602; Tue, 15 Sep 2009 08:34:02 -0700 (PDT)
Received: from XCH-NW-7V2.nw.nos.boeing.com ([130.247.54.35]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 15 Sep 2009 08:34:02 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 15 Sep 2009 08:34:01 -0700
Message-ID: <39C363776A4E8C4A94691D2BD9D1C9A10665CEB5@XCH-NW-7V2.nw.nos.boeing.com>
In-Reply-To: <4AAF11ED.3000300@gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Routing loop attacks using IPv6 tunnels
Thread-Index: Aco1uXBRJ8FVPWcBS/yoBklfXDWHbwAYDQ2g
References: <31484.26522.qm@web45503.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106555B38@XCH-NW-7V2.nw.nos.boeing.com> <373420.97768.qm@web45509.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106599177@XCH-NW-7V2.nw.nos.boeing.com> <342868.34354.qm@web45502.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D7CB7@XCH-NW-7V2.nw.nos.boeing.com> <6B55F0F93C3E9D45AF283313B8D342BA0440F47F@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com> <702481.50824.qm@web45515.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D80A0@XCH-NW-7V2.nw.nos.boeing.com> <309242.20809.qm@web45513.mail.sp1.yahoo.com><39C363776A4E8C4A94691D2BD9D1C9A106624B24@XCH-NW-7V2.nw.nos.boeing.com><4AAAD7C1.2060709@gmail.com><39C363776A4E8C4A94691D2BD9D1C9A106624BD7@XCH-NW-7V2.nw.nos.boeing.com><4AAAF8C8.6010103@gmail.com><39C363776A4E8C4A94691D2BD9D1C9A10665C90F@XCH-NW-7V2.nw.nos.boeing.com> <4AAF11ED.3000300@gmail.com>
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-OriginalArrivalTime: 15 Sep 2009 15:34:02.0856 (UTC) FILETIME=[F3F62E80:01CA3619]
Cc: v6ops <v6ops@ops.ietf.org>, Christian Huitema <huitema@microsoft.com>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2009 15:33:27 -0000
Brian, > -----Original Message----- > From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] > Sent: Monday, September 14, 2009 9:03 PM > To: Templin, Fred L > Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org > Subject: Re: Routing loop attacks using IPv6 tunnels > > On 2009-09-15 04:25, Templin, Fred L wrote: > > Brian, > > > >> -----Original Message----- > >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] > >> Sent: Friday, September 11, 2009 6:27 PM > >> To: Templin, Fred L > >> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org > >> Subject: Re: Routing loop attacks using IPv6 tunnels > >> > >> On 2009-09-12 11:12, Templin, Fred L wrote: > >>> Brian, > >>> > >>>> -----Original Message----- > >>>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] > >>>> Sent: Friday, September 11, 2009 4:06 PM > >>>> To: Templin, Fred L > >>>> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org > >>>> Subject: Re: Routing loop attacks using IPv6 tunnels > >>>> > >>>> On 2009-09-12 09:13, Templin, Fred L wrote: > >>>> > >>>> (much text deleted) > >>>> > >>>>> Otherwise, the best solution IMHO > >>>>> would be to allow only routers (and not hosts) on the > >>>>> virtual links. > >>>> This was of course the original intention for 6to4, so > >>>> that any misconfiguration issues could be limited to presumably > >>>> trusted staff and boxes. Unfortunately, reality has turned out > >>>> to be different, with host-based automatic tunnels becoming > >>>> popular. > >>> Thanks. I was rethinking this a bit after sending, and > >>> I may have been too premature in saying routers only > >>> and not hosts. > >>> > >>> What I would rather have said was that mechanisms such as > >>> SEcure Neighbor Discovery (SEND) may be helpful in private > >>> addressing domains where spoofing is possible. Let me know > >>> if this makes sense. > >> Except for the practical problems involved in deploying SEND. > > > > Can it be said that there is any appreciable operational > > experience with SEND yet? Are there implementations? > > I'd like to know that too. > > > > >> We still have an issue in unmanaged networks. > > > > By "unmanaged", how unmanaged do you mean? > > I was thinking of home networks, the kind where Teredo or > 6to4 starts up spontaneously. Probably not a concern for > ISATAP sites. OK, thanks for the clarification. I think you probably mean home networks where the home gateway has not yet been turned into an ISATAP router - else, it would be a managed network. Does that sound right? Fred fred.l.templin@boeing.com > Brian > > > ISATAP is > > intended for networks where there is at least some modicum > > of cooperative management. We want that it can also be used > > in "loosly" managed networks where there is an overall mutual > > spirit of cooperation but where site-internal link-layer > > address spoofing may still be possible. Can SEND be used > > for that, or do we need something else in addition (e.g., > > a nonce with every message)? > > > > Thanks - Fred > > fred.l.templin@boeing.com > > > >> Brian > >> -------------------------------------------------------------------- > >> IETF IPv6 working group mailing list > >> ipv6@ietf.org > >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > >> -------------------------------------------------------------------- > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- [secdir] Routing loop attacks using IPv6 tunnels Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Denis-Courmont
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Denis-Courmont
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Després
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Després
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Després
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Christian Huitema
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dong Zhang
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Hesham Soliman
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dong Zhang
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dmitry Anipko
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dmitry Anipko