Re: [secdir] Routing loop attacks using IPv6 tunnels
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 15 September 2009 21:34 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 73C7F3A6ACE; Tue, 15 Sep 2009 14:34:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.419
X-Spam-Level:
X-Spam-Status: No, score=-2.419 tagged_above=-999 required=5 tests=[AWL=0.180, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFtDmmrVLG1T; Tue, 15 Sep 2009 14:34:25 -0700 (PDT)
Received: from mail-pz0-f193.google.com (mail-pz0-f193.google.com [209.85.222.193]) by core3.amsl.com (Postfix) with ESMTP id DABE528C1F3; Tue, 15 Sep 2009 14:33:50 -0700 (PDT)
Received: by pzk31 with SMTP id 31so3757999pzk.23 for <multiple recipients>; Tue, 15 Sep 2009 14:34:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=qNBmavgV5LjxCSjFVXWTHfls6Sxr2zwUwna+sXM04QQ=; b=Wrl62G58Aq4l1JZRY/KPHjnMZQpfTn6mAJaSC9TeYQaIBqtGDcep53N2GxOYaV9tix 3Rbou23k3mm11NRvIvLm06OeR7T6V+mDL6+mFE1vYZLYDnYyMVT0bnMTkPLvHIZOJIWB 0x8W6j3+B8Bl1lPWGJI4uq27QoY2PGrCrrDV0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=cLU36cJRNzgsXS/AlVQmPqPINfFnwJOZq5vfM2yZxGcoTPKwDdbjeac0kjK5dNIrTC RvSdHQkM3kmaY4l46FHLRB3zxVeA3OG6rA0X6stnBjgo+yqyOMajzmu9kY0m2ZSID74m pYNoo6Nc0PCvY0DkA/3ydBxwbbgFLluNk/7Ms=
Received: by 10.114.55.7 with SMTP id d7mr14647461waa.129.1253050476092; Tue, 15 Sep 2009 14:34:36 -0700 (PDT)
Received: from ?130.216.38.124? (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id 23sm1654857pxi.5.2009.09.15.14.34.34 (version=SSLv3 cipher=RC4-MD5); Tue, 15 Sep 2009 14:34:35 -0700 (PDT)
Message-ID: <4AB00868.4000107@gmail.com>
Date: Wed, 16 Sep 2009 09:34:32 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
References: <31484.26522.qm@web45503.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106555B38@XCH-NW-7V2.nw.nos.boeing.com> <373420.97768.qm@web45509.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106599177@XCH-NW-7V2.nw.nos.boeing.com> <342868.34354.qm@web45502.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D7CB7@XCH-NW-7V2.nw.nos.boeing.com> <6B55F0F93C3E9D45AF283313B8D342BA0440F47F@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com> <702481.50824.qm@web45515.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A1065D80A0@XCH-NW-7V2.nw.nos.boeing.com> <309242.20809.qm@web45513.mail.sp1.yahoo.com><39C363776A4E8C4A94691D2BD9D1C9A106624B24@XCH-NW-7V2.nw.nos.boeing.com><4AAAD7C1.2060709@gmail.com><39C363776A4E8C4A94691D2BD9D1C9A106624BD7@XCH-NW-7V2.nw.nos.boeing.com><4AAAF8C8.6010103@gmail.com><39C363776A4E8C4A94691D2BD9D1C9A10665C90F@XCH-NW-7V2.nw.nos.boeing.com> <4AAF11ED.3000300@gmail.com> <39C363776A4E8C4A94691D2BD9D1C9A10665CEB5@XCH-NW-7V2.nw.nos.boeing .com>
In-Reply-To: <39C363776A4E8C4A94691D2BD9D1C9A10665CEB5@XCH-NW-7V2.nw.nos.boeing.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: v6ops <v6ops@ops.ietf.org>, Christian Huitema <huitema@microsoft.com>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2009 21:34:26 -0000
(one word reply in line...) On 2009-09-16 03:34, Templin, Fred L wrote: > Brian, > >> -----Original Message----- >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] >> Sent: Monday, September 14, 2009 9:03 PM >> To: Templin, Fred L >> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org >> Subject: Re: Routing loop attacks using IPv6 tunnels >> >> On 2009-09-15 04:25, Templin, Fred L wrote: >>> Brian, >>> >>>> -----Original Message----- >>>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] >>>> Sent: Friday, September 11, 2009 6:27 PM >>>> To: Templin, Fred L >>>> Cc: v6ops; Christian Huitema; ipv6@ietf.org; secdir@ietf.org >>>> Subject: Re: Routing loop attacks using IPv6 tunnels >>>> >>>> On 2009-09-12 11:12, Templin, Fred L wrote: >>>>> Brian, >>>>> >>>>>> -----Original Message----- >>>>>> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] >>>>>> Sent: Friday, September 11, 2009 4:06 PM >>>>>> To: Templin, Fred L >>>>>> Cc: Christian Huitema; v6ops; ipv6@ietf.org; secdir@ietf.org >>>>>> Subject: Re: Routing loop attacks using IPv6 tunnels >>>>>> >>>>>> On 2009-09-12 09:13, Templin, Fred L wrote: >>>>>> >>>>>> (much text deleted) >>>>>> >>>>>>> Otherwise, the best solution IMHO >>>>>>> would be to allow only routers (and not hosts) on the >>>>>>> virtual links. >>>>>> This was of course the original intention for 6to4, so >>>>>> that any misconfiguration issues could be limited to presumably >>>>>> trusted staff and boxes. Unfortunately, reality has turned out >>>>>> to be different, with host-based automatic tunnels becoming >>>>>> popular. >>>>> Thanks. I was rethinking this a bit after sending, and >>>>> I may have been too premature in saying routers only >>>>> and not hosts. >>>>> >>>>> What I would rather have said was that mechanisms such as >>>>> SEcure Neighbor Discovery (SEND) may be helpful in private >>>>> addressing domains where spoofing is possible. Let me know >>>>> if this makes sense. >>>> Except for the practical problems involved in deploying SEND. >>> Can it be said that there is any appreciable operational >>> experience with SEND yet? Are there implementations? >> I'd like to know that too. >> >>>> We still have an issue in unmanaged networks. >>> By "unmanaged", how unmanaged do you mean? >> I was thinking of home networks, the kind where Teredo or >> 6to4 starts up spontaneously. Probably not a concern for >> ISATAP sites. > > OK, thanks for the clarification. I think you probably > mean home networks where the home gateway has not yet > been turned into an ISATAP router - else, it would be > a managed network. Does that sound right? Yes Brian > > Fred > fred.l.templin@boeing.com > >> Brian >> >>> ISATAP is >>> intended for networks where there is at least some modicum >>> of cooperative management. We want that it can also be used >>> in "loosly" managed networks where there is an overall mutual >>> spirit of cooperation but where site-internal link-layer >>> address spoofing may still be possible. Can SEND be used >>> for that, or do we need something else in addition (e.g., >>> a nonce with every message)? >>> >>> Thanks - Fred >>> fred.l.templin@boeing.com >>> >>>> Brian >>>> > -------------------------------------------------------------------- >>>> IETF IPv6 working group mailing list >>>> ipv6@ietf.org >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >>>> > -------------------------------------------------------------------- >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list >> ipv6@ietf.org >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- >
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- [secdir] Routing loop attacks using IPv6 tunnels Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Denis-Courmont
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Denis-Courmont
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Després
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Després
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Rémi Després
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Christian Huitema
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dong Zhang
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Hesham Soliman
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Brian E Carpenter
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dong Zhang
- Re: [secdir] Routing loop attacks using IPv6 tunn… Gabi Nakibly
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dmitry Anipko
- Re: [secdir] Routing loop attacks using IPv6 tunn… Templin, Fred L
- Re: [secdir] Routing loop attacks using IPv6 tunn… Dmitry Anipko