Re: [sunset4] to summarize Lorzeno's "drive-by" attack on draft-ietf-sunset4-noipv4
Dan Wing <dwing@cisco.com> Sun, 27 July 2014 16:37 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A9281A0A99 for <sunset4@ietfa.amsl.com>; Sun, 27 Jul 2014 09:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.162
X-Spam-Level:
X-Spam-Status: No, score=-13.162 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_24_48=1.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W6lr2Axjy4NX for <sunset4@ietfa.amsl.com>; Sun, 27 Jul 2014 09:37:14 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 419121A0A97 for <sunset4@ietf.org>; Sun, 27 Jul 2014 09:37:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2300; q=dns/txt; s=iport; t=1406479034; x=1407688634; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=VGQheLdniCCYrJHJrKdJeXqk8oBAP9rpHHoGF0ZcnSo=; b=S+8xu21CYm6oyZHY/B9q0Pn8RDhe2rXA6WMJo18bcNF3cFqxzyOcl60S xZ3DqSM+QGdn3Gc4RpGF9V42EVOj+SFYOk7sB+of+p6JPvqrHADykigTx +wWbF8wxTcWzScx7afM5TYxEv1f9Y+slXSb4GjcpVkt9TPf458hwpD1Zr w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiUFAJAp1VOtJV2P/2dsb2JhbABOCimCZVJXy1cKhnJTAYEKFneEBAEBAwEBAQE3NAsQC0YnMAYTiDoIDbxsEwSOcCkzB4MvgRsFm0yUTIIDgWIhLw
X-IronPort-AV: E=Sophos;i="5.01,743,1400025600"; d="scan'208";a="343191705"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-6.cisco.com with ESMTP; 27 Jul 2014 16:37:14 +0000
Received: from sjc-vpn1-811.cisco.com (sjc-vpn1-811.cisco.com [10.21.99.43]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id s6RGb9tY016385 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sun, 27 Jul 2014 16:37:11 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <11190.1406240244@sandelman.ca>
Date: Fri, 25 Jul 2014 21:05:05 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <C12A07EA-E27A-4EAF-A9DE-536FF22A0395@cisco.com>
References: <11190.1406240244@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/sunset4/pXVUEtRekehCTo3MBS5N8_Smqlw
Cc: sunset4@ietf.org
Subject: Re: [sunset4] to summarize Lorzeno's "drive-by" attack on draft-ietf-sunset4-noipv4
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Jul 2014 16:37:16 -0000
On Jul 24, 2014, at 6:17 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Lorenzo spoke at the mic about a "drive-by" attack on an IPv4-only network. > I just want to make it clear about who and how people is impacted. > 1) It's an IPv4-only network. > 2) It has "modern" hosts, built after publication of draft-ietf-sunset4-noipv4. > 3) It's open to some form of attackers. Specifically, the network has to allow an arbitrary host to send an IPv6 RA. Doesn't that open the network to a pile of attacks, including an attacker-controlled IPv6 DNS server (RFC6106) and attacker-controlled IPv6 default route? -d > > So the "Starbucks" coffee-shop network of 2018. > It seems somewhat realistic to me. > > I'm excluding home wifi networks, because I assume that they are either > layer-2 secure, or can identify brother/sister attacks through other means. > > The attacker sends a number of IPv6 RAs per second. > They don't have to use a lot of bandwidth to do this; they just need to to > beat the newly booting/connecting host's emitting a DHCPv4 DISCOVER. > > The host, ignoring that this is a hint, has to suppress *all* DHCPv4 DISCOVER > messages when it sees the RA noipv4 option. > > If the host has successfully sent a DISCOVERY message, it might get an DHCPv4 > OFFER, which may or may not be bogus (maybe the RA is legit and the DHCP is > bogus), and if it does, it would assume that there is v4, and would configure > IPv4. > > I think that Lorenzo's concerns are real. > He feels, I think, that given the degree to which the noipv4 option would be > a hint to do DHCPv4 less often, rather than to turn it off completely, that > it would therefore become useless. > > My understanding is that the problem with DHCPv4 discovers is that they are > layer-2 broadcasts, and just asking it killing some larger networks that were > trying to benefit from savings by deploying IPv6. > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > > _______________________________________________ > sunset4 mailing list > sunset4@ietf.org > https://www.ietf.org/mailman/listinfo/sunset4
- [sunset4] to summarize Lorzeno's "drive-by" attac… Michael Richardson
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Dan Wing
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Ted Lemon
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Simon Perreault
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Ted Lemon
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Dan Wing
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Ted Lemon
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Simon Perreault
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Michael Richardson
- Re: [sunset4] to summarize Lorzeno's "drive-by" a… Simon Perreault