IETF Logo Mail Archive

Re: [sunset4] to summarize Lorzeno's "drive-by" attack on draft-ietf-sunset4-noipv4

Simon Perreault <sperreault@jive.com> Mon, 28 July 2014 13:52 UTC

Return-Path: <sperreault@jive.com>
X-Original-To: sunset4@ietfa.amsl.com
Delivered-To: sunset4@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D67B1B27FC for <sunset4@ietfa.amsl.com>; Mon, 28 Jul 2014 06:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ikn6fT7EeEap for <sunset4@ietfa.amsl.com>; Mon, 28 Jul 2014 06:52:31 -0700 (PDT)
Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com [209.85.192.47]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A2461A03FD for <sunset4@ietf.org>; Mon, 28 Jul 2014 06:52:31 -0700 (PDT)
Received: by mail-qg0-f47.google.com with SMTP id i50so8465626qgf.20 for <sunset4@ietf.org>; Mon, 28 Jul 2014 06:52:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=IcvslNWF5gJ7pP4DoZ8TO+pDHnjKI3HIxJyeeiXI38Q=; b=g4t5MAD9HNjWNxfuYkYf2A20j17T+SGxVU8rdnsPhgJkvMI0wWBusqmrl+74mrwL6X OS05cEtXJHlw615PLrbXG/PuTOHXgrs9rf8H1qPFyC01Tb5Z9Wtt4eBOicGN74nrBudb LzIdX5V6FziqA9SpbUFDBzJH5T1fI6/lJOhlvdV7OMixIVxYLVzzXu09WCC4coqkl3cL jpO8Q1e+STPKhPvoMqWMFUoj8+DCjA5QFD4cVZrlmRbUa+mFdwvbZNWTM7lfTVGjDuPi 56zDea/viwS7kBE6tcoDn5OZtESLzSaPmDyZB7M1dKl6Qwc2HPYnsBvezvVX5fBycGta HFAQ==
X-Gm-Message-State: ALoCoQnzi3I7Jb4AEPdczY9beOnpoaEj9ivs43AMesMFlRkw33oM1ZG1EY5J+yNlMzsM+fYy4qxv
X-Received: by 10.140.89.197 with SMTP id v63mr47810671qgd.71.1406555549263; Mon, 28 Jul 2014 06:52:29 -0700 (PDT)
Received: from [192.168.1.96] (modemcable233.42-178-173.mc.videotron.ca. [173.178.42.233]) by mx.google.com with ESMTPSA id g35sm22661765qgf.49.2014.07.28.06.52.27 for <sunset4@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 28 Jul 2014 06:52:28 -0700 (PDT)
Message-ID: <53D6559B.2090300@jive.com>
Date: Mon, 28 Jul 2014 09:52:27 -0400
From: Simon Perreault <sperreault@jive.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: sunset4@ietf.org
References: <11190.1406240244@sandelman.ca> <C12A07EA-E27A-4EAF-A9DE-536FF22A0395@cisco.com> <3B647D53-0E22-43C3-892D-319C9109248C@nominum.com>
In-Reply-To: <3B647D53-0E22-43C3-892D-319C9109248C@nominum.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/sunset4/qvPp0IuYybw5feJwzrTlyBDANjk
Subject: Re: [sunset4] to summarize Lorzeno's "drive-by" attack on draft-ietf-sunset4-noipv4
X-BeenThere: sunset4@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: sunset4 working group discussion list <sunset4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sunset4>, <mailto:sunset4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sunset4/>
List-Post: <mailto:sunset4@ietf.org>
List-Help: <mailto:sunset4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sunset4>, <mailto:sunset4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 13:52:33 -0000

Le 2014-07-27 17:45, Ted Lemon a écrit :
> On Jul 25, 2014, at 9:05 PM, Dan Wing <dwing@cisco.com> wrote:
>> Specifically, the network has to allow an arbitrary host to send an IPv6 RA.  Doesn't that open the network to a pile of attacks, including an attacker-controlled IPv6 DNS server (RFC6106) and attacker-controlled IPv6 default route?
>
> It does, but if the network provides DHCP service and the attacker either fails to answer faster, or is prevented from acting as a DHCP server, then happy eyeballs will take care of the broken IPv6 service.

Dan didn't say "broken", he said "attacker-controlled", possibly (my 
guess) thinking of the infamous "SLAAC attack" [*]. Happy eyeballs is 
useless here.

The new vulnerability introduced by No-IPv4 over RA is the "drive by" 
nature of the attack: contrary to the SLAAC attack, the attacker doesn't 
need to remain on the network. It can shut off the victim's IPv4 access 
quickly then drive away.

Simon

[*] http://resources.infosecinstitute.com/slaac-attack/

v2.23.0 | Report a Bug | By Email