Re: [secdir] Routing loop attacks using IPv6 tunnels

Dmitry Anipko <Dmitry.Anipko@microsoft.com> Fri, 12 March 2010 20:55 UTC

Return-Path: <Dmitry.Anipko@microsoft.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EABEB3A67E9; Fri, 12 Mar 2010 12:55:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.999
X-Spam-Level:
X-Spam-Status: No, score=-9.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Sy1OdX0dPvJ; Fri, 12 Mar 2010 12:55:16 -0800 (PST)
Received: from smtp.microsoft.com (mail2.microsoft.com [131.107.115.215]) by core3.amsl.com (Postfix) with ESMTP id 107E43A687D; Fri, 12 Mar 2010 12:55:16 -0800 (PST)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Fri, 12 Mar 2010 12:55:21 -0800
Received: from tk5-exmlt-s701.segroup.winse.corp.microsoft.com (157.54.90.63) by TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.0.639.21; Fri, 12 Mar 2010 12:55:08 -0800
Received: from NA-EXMSG-S702.segroup.winse.corp.microsoft.com ([157.54.98.200]) by tk5-exmlt-s701.segroup.winse.corp.microsoft.com ([157.54.90.63]) with mapi; Fri, 12 Mar 2010 12:54:25 -0800
From: Dmitry Anipko <Dmitry.Anipko@microsoft.com>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>, Gabi Nakibly <gnakibly@yahoo.com>, v6ops <v6ops@ops.ietf.org>
Date: Fri, 12 Mar 2010 12:54:23 -0800
Thread-Topic: Routing loop attacks using IPv6 tunnels
Thread-Index: AcooErw/GQXNMWvASRqGPthARajqOQACrWeAJoHrlyA=
Message-ID: <DD1A73D9E9C89144A927C5080F70285A9366BCAF28@NA-EXMSG-S702.segroup.winse.corp.microsoft.com>
References: <475898.88672.qm@web45510.mail.sp1.yahoo.com><39C363776A4E8C4A94691D2BD9D1C9A106514554@XCH-NW-7V2.nw.nos.boeing.com> <39C363776A4E8C4A94691D2BD9D1C9A1065145AE@XCH-NW-7V2.nw.nos.boeing.com> <39C363776A4E8C4A94691D2BD9D1C9A106555996@XCH-NW-7V2.nw.nos.boeing.com> <212591.98462.qm@web45502.mail.sp1.yahoo.com> <39C363776A4E8C4A94691D2BD9D1C9A106555B3D@XCH-NW-7V2.nw.nos.boeing.com>
In-Reply-To: <39C363776A4E8C4A94691D2BD9D1C9A106555B3D@XCH-NW-7V2.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Fri, 12 Mar 2010 13:11:16 -0800
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2010 20:55:17 -0000

Hello,

I wanted to follow up on Fred's comment earlier in this thread:

>> OK. That will greatly simplify the checks needed for new
automatic tunneling protocols that have a format other
than ip-proto-41.

For the designers of new tunneling protocols, shall perhaps a recommendation on best practices be included into the draft or another document, that for the new tunnels a different protocol value / format should be used?

Examples of such protocol / formats could include using a different next-protocol value, potentially with some multiplexing schema if just using different next-protocol values is not scalable, or possibly some other format.

Thank you,
Dmitry

-----Original Message-----
From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin, Fred L
Sent: Friday, August 28, 2009 1:25 PM
To: Gabi Nakibly; v6ops
Cc: ipv6@ietf.org; secdir@ietf.org
Subject: RE: Routing loop attacks using IPv6 tunnels

Gabi,

> -----Original Message-----
> From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> Sent: Friday, August 28, 2009 12:07 PM
> To: Templin, Fred L; v6ops
> Cc: ipv6@ietf.org; secdir@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
>
> Correct. All the attacks rely on the fact that the ISATAP router
encapsulates/decapsulates a packet
> the 6to4 relay decapsulates/encapsulates, respectively. So the two
tunnels must have the same
> encapsulation type.

OK. That will greatly simplify the checks needed for new
automatic tunneling protocols that have a format other
than ip-proto-41.

Fred
fred.l.templin@boeing.com

> ----- Original Message ----
> > From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
> > To: Gabi Nakibly <gnakibly@yahoo.com>; v6ops <v6ops@ops.ietf.org>
> > Cc: ipv6@ietf.org; secdir@ietf.org
> > Sent: Friday, August 28, 2009 7:23:03 PM
> > Subject: RE: Routing loop attacks using IPv6 tunnels
> >
> > Gabi,
> >
> > Correct me if I am wrong, but if there were a new version
> > of ISATAP that did not use ip-proto-41 encapsulation but
> > instead used a different kind of encapsulation, then it
> > need not concern itself with routing loop interactions
> > with 6to4 relays since 6to4 relays only know about
> > ip-proto-41. Does that match your understanding?
> >
> > Thanks - Fred
> > fred.l.templin@boeing.com
>
>
>
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------