Re: [sunset4] to summarize Lorenzo's "drive-by" attack on draft-ietf-sunset4-noipv4

Dan Wing <dwing@cisco.com> Sun, 27 July 2014 16:37 UTC

From: Dan Wing <dwing@cisco.com>
In-Reply-To: <11190.1406240244@sandelman.ca>
Date: Fri, 25 Jul 2014 21:05:05 -0400
Message-Id: <C12A07EA-E27A-4EAF-A9DE-536FF22A0395@cisco.com>
References: <11190.1406240244@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/sunset4/pXVUEtRekehCTo3MBS5N8_Smqlw
Cc: sunset4@ietf.org
Subject: Re: [sunset4] to summarize Lorenzo's "drive-by" attack on draft-ietf-sunset4-noipv4

On Jul 24, 2014, at 6:17 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> 
> Lorenzo spoke at the mic about a "drive-by" attack on an IPv4-only network.
> I just want to make it clear who is impacted and how.
>  1) It's an IPv4-only network.
>  2) It has "modern" hosts, built after publication of draft-ietf-sunset4-noipv4.
>  3) It's open to some form of attackers.

Specifically, the network has to allow an arbitrary host to send an IPv6 RA.  Doesn't that open the network to a pile of attacks, including an attacker-controlled IPv6 DNS server (RFC6106) and attacker-controlled IPv6 default route?

-d


> 
> So the "Starbucks" coffee-shop network of 2018.
> It seems somewhat realistic to me.
> 
> I'm excluding home wifi networks, because I assume that they are either
> layer-2 secure, or can identify brother/sister attacks through other means.
> 
> The attacker sends a number of IPv6 RAs per second.
> They don't have to use a lot of bandwidth to do this; they just need to
> beat the newly booting/connecting host's emitting a DHCPv4 DISCOVER.
> 
> The host, ignoring that this is a hint, has to suppress *all* DHCPv4 DISCOVER
> messages when it sees the RA noipv4 option.
> 
> If the host has successfully sent a DISCOVER message, it might get a DHCPv4
> OFFER, which may or may not be bogus (maybe the RA is legit and the DHCP is
> bogus), and if it does, it would assume that there is v4, and would configure
> IPv4.
> 
> I think that Lorenzo's concerns are real.
> He feels, I think, that given the degree to which the noipv4 option would be
> a hint to do DHCPv4 less often, rather than to turn it off completely, that
> it would therefore become useless.
> 
> My understanding is that the problem with DHCPv4 discovers is that they are
> layer-2 broadcasts, and just asking is killing some larger networks that were
> trying to benefit from savings by deploying IPv6.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
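An added illustration of the point made in the reply above (this is not code from the original email, from the sunset4 working group, or from draft-ietf-sunset4-noipv4): once an arbitrary host on the LAN can send a Router Advertisement, the same RA that carries a "no IPv4" hint can also carry a default router and an RDNSS option (RFC 6106), so the host is already exposed to an attacker-controlled default route and DNS server. The Python below parses an ICMPv6 RA per RFC 4861, lists what it hands out, and, for a network that is supposed to be IPv4-only, explains why the RA should be treated as rogue. The packet is constructed for the example, the ICMPv6 checksum is left at zero, and the option code point 200 used for the "no IPv4" option is an assumption, since the draft's value is not given here. It goes slightly beyond the thread by also rejecting malformed options (zero-length or truncated), which RFC 4861 says must cause the packet to be discarded.

```python
"""Assess what an IPv6 Router Advertisement would do to a host that trusts it.

Added illustration for the rogue-RA discussion; not code from the original
email, the sunset4 working group, or draft-ietf-sunset4-noipv4. Layouts follow
RFC 4861 (RA, Prefix Information) and RFC 6106 (RDNSS).
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3     # RFC 4861 section 4.6.2
OPT_RDNSS = 25          # RFC 6106 section 5.1
# Assumption: no code point for the draft's option is given on the page, so
# 200 is a stand-in used only for this example.
OPT_NOIPV4_ASSUMED = 200


def parse_ra(pkt):
    """Parse an ICMPv6 RA (IPv6 header already stripped). Raises ValueError if malformed."""
    if len(pkt) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    typ, _code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERT:
        raise ValueError("ICMPv6 type %d is not a Router Advertisement" % typ)
    options, off = [], 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                      # RFC 4861 section 4.6: length 0 means discard the packet
            raise ValueError("option type %d has zero length" % otype)
        end = off + olen * 8               # option length is in units of 8 octets
        if end > len(pkt):
            raise ValueError("option type %d runs past end of packet" % otype)
        options.append((otype, pkt[off + 2:end]))
        off = end
    return {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "router_lifetime": lifetime, "options": options}


def assess_ra(pkt, ipv6_expected=False):
    """Summarise what the RA hands out and, when the network is supposed to be
    IPv4-only (no legitimate IPv6 routers), why it should be treated as rogue."""
    ra = parse_ra(pkt)
    f = {"default_router": ra["router_lifetime"] > 0, "prefixes": [],
         "rdnss": [], "noipv4_option": False, "rogue_reasons": []}
    for otype, body in ra["options"]:
        if otype == OPT_PREFIX_INFO and len(body) == 30:
            f["prefixes"].append("%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0]))
        elif otype == OPT_RDNSS and len(body) >= 6 and (len(body) - 6) % 16 == 0:
            f["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        elif otype == OPT_NOIPV4_ASSUMED:
            f["noipv4_option"] = True
        # Any other option type is skipped, as RFC 4861 requires for unknown options.
    if not ipv6_expected:
        if f["default_router"]:
            f["rogue_reasons"].append("router lifetime %d: attacker-controlled default route" % ra["router_lifetime"])
        if f["rdnss"]:
            f["rogue_reasons"].append("RDNSS option: attacker-controlled DNS servers %s" % ", ".join(f["rdnss"]))
        if f["noipv4_option"]:
            f["rogue_reasons"].append("'no IPv4' hint: host may stop sending DHCPv4 DISCOVER")
    return f


# Builders for a constructed sample packet (checksum left zero; the parser ignores it).
def build_ra(router_lifetime, options):
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    return hdr + b"".join(options)

def opt_prefix(prefix, valid=2592000, preferred=604800):
    net = ipaddress.IPv6Network(prefix)
    # L and A flags set: on-link and usable for SLAAC
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, valid, preferred, 0) + net.network_address.packed

def opt_rdnss(servers, lifetime=300):
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime) + addrs

def opt_noipv4():
    # Hypothetical 8-octet option: type, length 1, six octets of padding.
    return struct.pack("!BB6x", OPT_NOIPV4_ASSUMED, 1)


# Constructed sample: what the attacker in the thread might broadcast on the coffee-shop LAN.
ROGUE_RA = build_ra(1800, [opt_prefix("2001:db8:bad::/64"),
                           opt_rdnss(["2001:db8:bad::53"]),
                           opt_noipv4()])

if __name__ == "__main__":
    for reason in assess_ra(ROGUE_RA)["rogue_reasons"]:
        print("rogue RA:", reason)
```

Run stand-alone it prints three reasons for the constructed RA; calling assess_ra with ipv6_expected=True models a network that does have IPv6 routers, where the same RA is not flagged and RA Guard or a list of known router link-layer addresses would have to do the work instead.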