Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Tony Finch <dot@dotat.at> Fri, 31 July 2020 16:14 UTC

Date: Fri, 31 Jul 2020 17:13:22 +0100
From: Tony Finch <dot@dotat.at>
To: Owen DeLong <owen@delong.com>
cc: Ted Lemon <mellon@fugue.com>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
In-Reply-To: <F56A89D4-0DA3-4A9B-ADC1-FC51ECAB193B@delong.com>
Message-ID: <alpine.DEB.2.20.2007311707380.16320@grey.csi.cam.ac.uk>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com> <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <91D98D51-4045-4331-A711-8387ECE73400@fugue.com> <F56A89D4-0DA3-4A9B-ADC1-FC51ECAB193B@delong.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/5upSQS3wo7kJo6b2plDrqK6VJHA>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Owen DeLong <owen@delong.com> wrote:
>
> Indeed, as an operator, IMHO, if there’s a place we need to focus on
> improving L2 attack surface in v6, it’s in finding better ways for
> {routers, hosts, switches} to mitigate/absorb this type of resource
> exhaustion attack. Unfortunately, this is a hard problem to solve, so we
> focus on moving the deck chairs we can move while ignoring the
> elephant-sized hole in the bulkheads that we don’t know how to patch.

If GRAND is deployed, would that allow routers to assume their neighbour
tables are complete, so they can just drop ND exhaustion attacks?

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Shannon, Southeast Rockall: Westerly or southwesterly 4 or 5. Moderate or
rough. Showers. Good, occasionally moderate.