Re: [secdir] Security review of draft-ietf-6man-enhanced-dad-12

"Hemant Singh (shemant)" <> Tue, 03 February 2015 19:27 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 0C6F01A1B3E; Tue, 3 Feb 2015 11:27:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HSIl-NXEVr-0; Tue, 3 Feb 2015 11:27:25 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9F28A1A87A9; Tue, 3 Feb 2015 11:27:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=4126; q=dns/txt; s=iport; t=1422991644; x=1424201244; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=OGkGmz0Fcg6b+VB5k15QygKVgy/kM+4jx1SdZ7InDyQ=; b=YV3R7oJGy6ykUu5AMiFoDL1D1izQJhF0Kmi6ET8sUqQVvgyxrdpvgvJJ BVMAhsYShsySmQBPRcjffn+EMj8QjgXDRpfZqUmvlTsQqVYfR9brYH8In AcyZz10zzu2QJ+FPWlUPX0ciHaFXh2CC20klTzy7/16B+TzPKBOl6wBo7 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.09,514,1418083200"; d="scan'208";a="120148288"
Received: from ([]) by with ESMTP; 03 Feb 2015 19:27:23 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id t13JRNtW007816 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 3 Feb 2015 19:27:23 GMT
Received: from ([]) by ([]) with mapi id 14.03.0195.001; Tue, 3 Feb 2015 13:27:23 -0600
From: "Hemant Singh (shemant)" <>
To: Hilarie Orman <>, "" <>, "" <>, "" <>
Thread-Topic: Security review of draft-ietf-6man-enhanced-dad-12
Thread-Index: AQHQP0LsE7zTJW6wuUm13YvZwTWf/pzfUA+g
Date: Tue, 03 Feb 2015 19:27:22 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Approved-At: Wed, 04 Feb 2015 02:40:19 -0800
Subject: Re: [secdir] Security review of draft-ietf-6man-enhanced-dad-12
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Feb 2015 19:27:27 -0000


Thanks for the review.   We are looking into your comments.

Please stay tuned.


-----Original Message-----
From: Hilarie Orman [] 
Sent: Monday, February 02, 2015 6:48 PM
Subject: Security review of draft-ietf-6man-enhanced-dad-12

Security review of Enhanced Duplicate Address Detection

Do not be alarmed ...
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Enhanced DAD (duplicate address detection) is intended to help network administrators with some debugging and measurement functions by allowing IPv6 routers to detect that the network has been configured for loopback testing.  Without this new feature, routers would treat the recurring messages (the looped-back messages) as evidence of an address duplication.  Currently, such an error should result in disabling the interface until manual commands are entered.

The goal is to define a simple and reliable way for routers to detect that loopback is in effect.  During the loopback testing, the detection of duplicate addresses will not result in disabling the interface.

The proposed detection method, as mentioned in the Security Considerations, results in a new kind of attack, one in which duplicate addresses are allowed because an attacker can easily imitate or disable the loopback messages.  The authors believe that SEND and SAVI protect against these attacks.  If these are not already in place, an administrator must ask if the benefits of loopback are worth the increased risk of operating, at least temporarily, without DAD.  If not, then is it worth the trouble of adding additional protections?

The document intends to describe an algorithm and a state machine, but it does not have the terse language and diagrams that one would expect to accompany the prose descriptions.  It does not explicitly describe what constitutes loopback detection.

There is a grammo in the following crucial sentence:
   If there is a collision because two nodes using the same Target
   Address in their NS(DAD) and generated the same random nonce, then
   the algorithm will incorrectly detect a looped back NS(DAD) when a
   genuine address collision has occurred. 

I think that the sentence can be repaired by changing "using" to "used".  With that, we implicitly get the definition of loopback
detection: seeing two NS(DAD) messages with the same Target Address and the same Nonce.  There is also a time window for the detection.

The document refers to the normal (non-loopback) case of duplicate address detection as leading to the "DAD failed state".  This term occurs almost nowhere else in the world.  It may be the case that an interface in a failed state is not usually further qualified by the cause; maybe this draft should avoid the term.  "Disabled because of DAD" perhaps?

In section 5, I am confused by this statement:
   Any other network that follows the same trust model MAY use the
   automated actions proposed in this section.
The problem is that as nearly as I can tell, there is only one such action in the section, the one in the immediately preceding sentence.

It seems to me that the time interval for detection might be usefully replaced by a message count.  This is because the probability of a nonce collision is the defining security metric, and that will depend on the size of the nonce space and the number of messages in the possible collision window.  The minimum nonce size is 48 bits, a collision would be expected once in 16 million messages.  I suppose that might happen on a very busy network with a small address space.