IETF Logo Mail Archive

Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 04 August 2020 10:01 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AEB83A1051; Tue, 4 Aug 2020 03:01:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.698
X-Spam-Level:
X-Spam-Status: No, score=-7.698 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=VWXd7H5H; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=sW6pYZqi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jmZQZcUYwt4q; Tue, 4 Aug 2020 03:01:22 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06B8E3A1053; Tue, 4 Aug 2020 03:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8528; q=dns/txt; s=iport; t=1596535281; x=1597744881; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ug/Uqfm06MSdw6A5BVZ+8ld+Iq0egcP9IEb3rnyJsx0=; b=VWXd7H5HD06O+R9A98TxPYCS+2ZE+yIjtpQBAEnhS7hfWFvO5D2mYXmd XY7HIq7YmedZSAF7xH16ahmFZ5NulrvElGT+iu0TZf2op1IojUPOHnWix fX+x9YmBWPSqLD6SqDCKd6Ucw2nIBiNpydC60MfuISiTAeFelG887QQml k=;
IronPort-PHdr: 9a23:bptmcR1Li+ojYvBFsmDT+zVfbzU7u7jyIg8e44YmjLQLaKm44pD+JxWGu6dtkVbWUISd4PVB2KLasKHlDGoH55vJ8HUPa4dFWBJNj8IK1xchD8iIBQyeTrbqYiU2Ed4EWApj+He2YkhIEdnzZhvZpXjhpTIXEw/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oKxDjpgTKvc5Qioxneas=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B0AABFMSlf/5xdJa1gDg0BAQEBAQEBAQUBAQESAQEBAwMBAQFAgTkDAQEBCwGBUVEHb1gvLIQ1g0YDjVGYY4JTA1ULAQEBDAEBIwoCBAEBgVaCdgIXggwCJDcGDgIDAQELAQEFAQEBAgEGBG2FXAyFcQEBAQQSEREMAQEpDgELBAIBBgIRAQMBAQECAiMDAgICMBQBAgYIAgQBDQUIEwMEgwWCSwMuAQ6WXZBoAoE5iGF2gTKDAQEBBYFHQYMXGIIOAwaBDioBgm+CUktCgjqBOoEIgSYdGoFBP4ERQ4JNPoJcAgIBAYEyKwUxAoJcM4ItjzwrKAGCaKMfCoJiiGGRS5pIhTOFUIxWijOQTYQlAgQCBAUCDgEBBYFpJIFXcBU7gmlQFwINjh+DcYUUhQQ+dAI1AgYBBwEBAwl8jDGCRgEB
X-IronPort-AV: E=Sophos;i="5.75,433,1589241600"; d="scan'208";a="809228132"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 04 Aug 2020 10:01:20 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 074A1KkM010083 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 4 Aug 2020 10:01:20 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 Aug 2020 05:01:19 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 4 Aug 2020 06:01:18 -0400
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Tue, 4 Aug 2020 06:01:18 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cNmeDrHEPxe5D0nybqbXgUNtQjqB2o+YnvfYWxesmqHo9Hoe1DhCTm17BFSAMGevpZ3txNG8I/1OMz2GcFhpZWgOa1aFsnsH542/2+7XDGbezyBUUl5+i2w7IVYPBM2Nauo4xhdZeFN8UAp6vWfriERpy8WXZniQtfpYQR4gCoAAzRvIL+a1pOgwdyO0d06L2f9eCj4R5mvZNcXkujYZ1o/BVUXxjwfI6S305u3CsO9w6+cRn2DrB4IUVM0wip908rhD4o438b35rBWhKNa5DDXp0m2p9NUYVtTzRhTwLSD7p699ITECZYQr5vuXz5IsmCwQWIf3IXcTEgMVH4STkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ug/Uqfm06MSdw6A5BVZ+8ld+Iq0egcP9IEb3rnyJsx0=; b=HJsR2doiOmFGhFHuaolDMWn/oaFEFfCtXJKzyKquQKTt9GlLjNfaieSfqD2uHBnIOmbTrY1zLj+2LzrJ7PHEhAZzLBLFar/INbAwdeJiq+ovdNVFk/izCW4/ZFfkubR9pF2jHedx2mZriNOY9S0iYvSHakwcfZPDNAMdB9MjfmCJz9X/RDqvil9J35utD/FQrERd3W5prTvlAIeYT7jIY7bCrGThcdtr+RpWpTB3TsCCh7hVzBXEbrwFAjPOJy+FQ4WZK1Pyo3Mp6kbc3dqzCtds4qqHSotbFTcv/pBiggNNbIKSwrktFpUs24ssLgdaFQbnl7Pd4nq1kfEhNCE53A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ug/Uqfm06MSdw6A5BVZ+8ld+Iq0egcP9IEb3rnyJsx0=; b=sW6pYZqiQ8s+f+/Z8pBzwzVe6ct8cEGCTVgrnkOEPEN7/O4jUyHNaJEi12AaBaSLE05xyRUMhaVhcykqF+Odz0YpgVuf136VReRPAVDO7xrAl1eGJSNLZUn8ckOW0EG+GLQmBitoKDrTH+YNYVfvRseQm9dEj4UrYpYFv88CV7U=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (2603:10b6:208:ea::31) by MN2PR11MB3949.namprd11.prod.outlook.com (2603:10b6:208:138::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.19; Tue, 4 Aug 2020 10:01:17 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::a53e:5801:92cc:3204]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::a53e:5801:92cc:3204%5]) with mapi id 15.20.3239.021; Tue, 4 Aug 2020 10:01:17 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
CC: v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns
Thread-Index: AQHWZkg+bCqL1AqpGEC9totP9gCMpakf412AgACQQgCAAC8SAIAAEaZdgAENTICABVVtAIAAmdKAgAAHOBA=
Date: Tue, 04 Aug 2020 10:01:00 +0000
Deferred-Delivery: Tue, 4 Aug 2020 10:00:31 +0000
Message-ID: <MN2PR11MB3565E0E206799B95AE6295D7D84A0@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com>, <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <dfb9ccbfd87140cfba01c69447581aef@boeing.com> <15197.1596499036@localhost> <63afd5c67e7c4520b8b7ebabec69cab7@huawei.com>
In-Reply-To: <63afd5c67e7c4520b8b7ebabec69cab7@huawei.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [2a01:cb15:25e:cc00:7488:7bae:611b:569e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d44889a7-5b03-4491-725b-08d8385d547d
x-ms-traffictypediagnostic: MN2PR11MB3949:
x-microsoft-antispam-prvs: <MN2PR11MB39496577877E60147449B8BED84A0@MN2PR11MB3949.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YuGRH/WAnWBaBBKUtn+KsrhvHqlbuqdUKY56GvaTOxfThByK9aNtdR6bRPC9B/Z+SfQ2xqgZanF3MJ8tgXgJ4OtPuLmz/B9yGqOLDk9DOmxGadLNSX+53FW1qsr7q/0Hl/HLt8sQU+K5jl/ikLp9nrThN5XrZ+WA+3Hj1lEA1Af3ptlp3mm+ymPiRge5DG3axE2QvbTbachgluSDDYpRO7xTt+4V8DhT6Lda/948pnMeuuQq54++Ys+9poCAy73Oy1FsiaIJ6v5EEzXXC20+n/GCd+pPF1PaZphH3Qf211GQL5boLEjDChDx8iaDvzn4zIZ6sp+Y9RcRWAkMBSjhS6PHWO5OgMit0ABq4Vcm25J8oaFgnmK0pgKZ0Lz3p2idVWm3UNBlldKlV1aPJ6pJrg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB3565.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(376002)(366004)(136003)(39860400002)(346002)(316002)(478600001)(83380400001)(66574015)(8936002)(6506007)(186003)(15650500001)(7696005)(53546011)(52536014)(64756008)(66946007)(6666004)(4326008)(86362001)(66446008)(966005)(66556008)(8676002)(76116006)(5660300002)(33656002)(71200400001)(110136005)(55016002)(54906003)(66476007)(2906002)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: uD6agG8rXZv0Uh+meTWXx997qp3Lep1TQzkyST/OUimxveXJ1zm3cjywm6E9Sl/9G3aZ1FYLKbIwnoYT7pAqi3h8dGJ447JI1sQKaPw2vIcmrirt8Ucyp5THBKa5VDu+0NJkYwyik+0fRP01yW1+RxxggRSHyDPYy2Kn0ABfvLFaC8CkaBooYqhIkd1hL0ckuNsXbVshM+8obkzcgGSFSEHlWyTyIM7YILKW4olxP7tIA7sCzbjmu2hDH0L3y6lQuEpsy3VOz101bd3n/HorIEELioipaNjpIRk2uzu/tf0KefxKFTJtsJ5STlgkrqagQwDOF0zZmKgFeqnz0uFLf8cuFb0Z8OAM/Wwr6ODJVdEk3i3aubZ77hIFWkT06GVVyifO7oGVyShY4ryTOnkT8dfUF3/eVoNJ2aRJ3CvI7yZZ+hK/oTwPk7AEklR0JBz6zphCcl7lw/KaEwZLkWBxsR+P0kA/JjFk4rfN6LFj7/QcghIApaC2K5Tcnjt2vYdfUzzOPZTJnCeIlYhzq8am1ZhQqkSb3JHyxVZqteL7dCcUz3pwMw+5cUfIVEqGw6KpHojrGR3EKE6r3TC+lf2DjJ5rEuZNT8Ydhn6hi81DTSyFFWwwpWZy7IIvStHQ29jPLZuRMtVXym/dZfmKPJp1YnFaP9q2ErLfuNfY/35oEDWzC6eU5dWrweYttRtjZjEzfZmH/DZssfMQ8Kqo3oxSxw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB3565.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d44889a7-5b03-4491-725b-08d8385d547d
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Aug 2020 10:01:17.1927 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wO9yEAIr8s+n+XYm7GMkJgw2muGfHubdvc37CjvHRRo/zrLGd0IznAIR3nC88WdfzXKIGcJR5qL91LGQAJZJuA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3949
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.13, xch-rcd-003.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/4soCkRmOv5gyH9FpAnQ5gWCAkvM>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 10:01:24 -0000

Hello Eduard

You need to qualify what you mean by dangerous. In my book an attack that is easy to trigger remotely and anonymously is more "dangerous" than the same attack if it has to be done from within the local network. Reactive (cache and lookup) ND enables a remote DoS attack on the ND cache by scanning 2^64 addresses with pings. Proactive (Stateful) ND avoids that attack but can be more sensitive to local attacks.

SLAAC has 2 main properties, the Distributed Address Allocation and the Reactive ND Binding Cache management. Those properties are orthogonal: DHCPv6 today uses the latter but not the former. RFC 8505 allows former but does not use the latter. => I guess that by SLAAC you mean that you 'prefer' the Reactive Binding Cache management and are not talking about the Address Allocation piece since that piece is not at stake here. "Preference" is another thing that you'll have to specify (vs. operational requirements).

The current situation is (to my best knowledge):
1) DHCPv6 allocation is not available in some stacks (Android). 
2) SLAAC is globally available in hosts and routers but it happens to be barred by some enterprise policies
3) In many modern environments the switches and routers need to maintain the full tables of the attached nodes (e.g., fabrics like eVPN, proxy ND for Wi-Fi APs). Today they do it by snooping the protocols so we get the worst of both worlds.
4) RFC 8505 is not limited to IoT devices. It is very generic. It allows to build a network where the remote ND cache DOS becomes inefficient.
5) It is possible to build a network that uses both stateful and stateless, see https://datatracker.ietf.org/doc/draft-ietf-6lo-backbone-router/. This looks a lot like what you seems to be asking, Proactive at the WiFi edge and Stateless on the wire. If you mix, the remote DOS is still possible, but there are more ways to alleviate it.

All the best

Pascal

> -----Original Message-----
> From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Sent: mardi 4 août 2020 11:08
> To: Michael Richardson <mcr+ietf@sandelman.ca>; Templin (US), Fred L
> <Fred.L.Templin@boeing.com>
> Cc: Pascal Thubert (pthubert) <pthubert@cisco.com>; v6ops list
> <v6ops@ietf.org>; 6man <ipv6@ietf.org>
> Subject: RE: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security
> concerns
> 
> Hi Michael,
> It is strange that most dangerous attack (unsolicited NA - leading to leakage of
> information) was not mentioned in RFC 3756.
> 
> >We need a for nodes to reserve resources on the router.
> Then router would be stateful (in respect of ND) - it is a very big architecture
> change. The industry has the big inertia - I do not believe that it is possible to
> return IPv6 address management to stateful model (except government
> intrusion - see below).
> By the way, stateful DHCPv6 exist. Switch could easily snoop all messages and
> assist to IPv6 in security (like it is done for IPv4).
> I propose do not push SLAAC in stateful direction - anyone who would like -
> could use DHCPv6 or 6lo (stateful on router too).
> I propose to think how to save SLAAC - keeping it with distributed address
> management.
> 
> > Many of us would prefer that we avoid making it stateful, but in wifi
> networks, are already allocate crypto state, and we should just leverage that.
> Our days big campuses are deployed without CAT5/6 cabling - everything is
> WiFi.
> SLAAC for WiFi looks like not the best technology. State repository (AP) is
> mandatory anyway. But anyone could use 6lo - it is developed specifically for
> such environment (not effective multicast, frame loss).
> IMHO: It does not make sense to reinvent the wheel. RFC 6775 and 8505 do
> have good stateful solution for WiFi.
> SLAAC has been left with the small niche for the future - if it would have fixes
> for biggest security problems (personal data protection).
> 
> Looking to all these "data privacy protection legislation" world-wide (in many
> countries): SLAAC could be banned by some government at any movement.
> Experts would easily point to alternative: (1) stateful DHCPv6 (natural IPv4
> prolong); (2) 6lo (it is optimized for wireless).
> Probably DHCPv6 would win, because it is easy to understand for IT&IP
> professionals.
> If any government would push - switchover to DHCPv6 would be fast.
> Then fixing SLAAC would be too late. It would be the time for deprecation RFC.
> 
> Eduard
> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Michael Richardson
> Sent: 4 августа 2020 г. 2:57
> To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> Cc: Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; v6ops
> list <v6ops@ietf.org>; 6man <ipv6@ietf.org>
> Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security
> concerns
> 
> 
> Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
>     > I wish this group could open its eyes. ND as defined in the last
>     > century is not suited for modern fabrics, virtual machines and
>     > wireless. It is a pain for silicon-based forwarding. Time to upgrade is
>     > overdue.
> 
> You are right!
> 
> We either need SEND (RFC3971), or some technology that addresses the same
> use case (RFC3756).
> We need a for nodes to reserve resources on the router.
> 
> Many of us would prefer that we avoid making it stateful, but in wifi networks,
> are already allocate crypto state, and we should just leverage that. (ND is just
> wasted effort on encrypted wifi in my opinion)
> 
>     > There is nothing broken with IPv6 ND that needs changing; it just needs a
> new option.
>     > We have seen how that is possible through publications like RFC8801.
> 
> Also RFC8505.
> I think, it's really really time to stop pretending everything is big-blue coaxial
> ethernet.
> 
>     > BTW, IPv6 itself is a last-century technology but the architects had the
> wisdom to allow
>     > for future extensions without needing to modify the core architecture..
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -
> = IPv6 IoT consulting =-
> 
>

v2.23.0 | Report a Bug | By Email