Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00

S Moonesamy <sm+ietf@elandsys.com> Tue, 16 July 2013 03:58 UTC

Return-Path: <sm@elandsys.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32EE911E81D6 for <v6ops@ietfa.amsl.com>; Mon, 15 Jul 2013 20:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.59
X-Spam-Level:
X-Spam-Status: No, score=-102.59 tagged_above=-999 required=5 tests=[AWL=0.009, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbVQdhmRIm50 for <v6ops@ietfa.amsl.com>; Mon, 15 Jul 2013 20:58:53 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 77A2311E810A for <v6ops@ietf.org>; Mon, 15 Jul 2013 20:58:51 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.224.130.81]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r6G3wbUl010888 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Jul 2013 20:58:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1373947129; bh=zf9CHKRbVteCIlfFjznERSdejKl7pbW1iLVpI6tGn0E=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=hGeE5klrbI9Dk+oeNiCorf+6ufx1vBglGHWPAVvZOR0xO/47dlR7X3JlB39ZqRqcx gL0C7Hs7ZTuZ/e3h8wzptrrRiEtVOW9Izsffzr707+M0UqO+TRk8jmz4OJCltcUfy5 9FWKMTnq7HNNqz3Gl7Um5qd6iqCW4sZrRI1EwmRA=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1373947129; i=@elandsys.com; bh=zf9CHKRbVteCIlfFjznERSdejKl7pbW1iLVpI6tGn0E=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=YQqKtDNDk+uR/xssiXBWjUV0DUVMNumtZ0Cype6/J4x9lPe6u3/C3F+pqEdPzRdHs eGtjZ5ivFsEu6E9LsEJ558bzTVRqtfto651EJic7j0Sbh00BFgxanYPyU1qeNRDQnW XrYLeJyvHAznVdS2MI8aw7x3mHNc6kJE5oZtWBOk=
Message-Id: <6.2.5.6.2.20130715201324.0c4a8a88@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 15 Jul 2013 20:57:16 -0700
To: Fernando Gont <fgont@si6networks.com>
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <51E3EE20.1080609@si6networks.com>
References: <6.2.5.6.2.20130702145424.0af37160@elandnews.com> <51E3EE20.1080609@si6networks.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 03:58:54 -0000

Hi Fernando,
At 05:42 15-07-2013, Fernando Gont wrote:
>Isn't this already covered (together with a bunch of other ND-related
>stuff) in:
><http://tools.ietf.org/html/draft-gont-opsec-ipv6-nd-security>? :-)
>
>(this I-D was presented at the OPSEC meeting in Orlando)

I was not aware of that draft or that it was presented in Orlando.  I 
took a quick look at your draft and I see that it mentions 
CVE-2010-4669 and the limit being enforced in OpenBSD 4.2.

Here's the background that led to the draft.  There was an advisory 
published in 2011 about the IPv6 Router Advertisements flooding 
attack.  One of the workarounds suggested was to disable IPv6 if the 
workaround (see Section 2 of draft-moonesamy-ra-flood-limit-00) was 
not available.  There are multiple reasons for why the workaround was 
not implemented on different platforms (see advisory for some of the 
details) even though the problem is documented in RFC 
6104.  draft-moonesamy-ra-flood-limit-00 is about documenting the 
workaround that has been implemented in NetBSD and OpenBSD.

Someone mentioned to me that it is a short draft.  The draft is a 
small effort so that I do not have to hear the "turn off IPv6" 
argument. :-)  It is also about trying to address a known problem 
affecting a node in a timely manner.  I'll invite you to join the 
small effort as co-author of draft-moonesamy-ra-flood-limit.

Regards,
S. Moonesamy
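
The workaround discussed in this thread is a per-interface cap on the amount of state a node will accept from Router Advertisements. The following Python model is an added example and is not code from the draft, from either poster, or from the NetBSD/OpenBSD kernels. It assumes a cap of 16 prefixes and 16 default routers per interface (the BSD default as far as I know; treated as an assumption here), builds RA payloads in the RFC 4861 wire format purely in memory, and compares a capped host with an uncapped one under a flood of RAs that each carry fresh prefixes. No packets are sent.

```python
"""Toy model of IPv6 RA processing with and without a per-interface state cap.

Added example, not from the draft or any BSD source. The RA and Prefix
Information layouts follow RFC 4861; the cap value of 16 is an assumption.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ND_ROUTER_ADVERT = 134      # ICMPv6 type for Router Advertisement (RFC 4861 s.4.2)
ND_OPT_PREFIX_INFO = 3      # ND option type for Prefix Information (RFC 4861 s.4.6.2)
RA_HDR = "!BBHBBHII"        # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
PIO_HDR = "!BBBBIII"        # type, len, prefixlen, flags, valid, preferred, reserved2


def build_ra(prefixes: List[str], router_lifetime: int = 1800,
             prefix_lifetime: int = 2592000) -> bytes:
    """Build the ICMPv6 payload of an RA with one Prefix Information option per prefix.

    The checksum field is left at zero because nothing here is put on the wire.
    """
    hdr = struct.pack(RA_HDR, ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        opts += struct.pack(PIO_HDR, ND_OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,  # L+A flags set
                            prefix_lifetime, prefix_lifetime, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra(payload: bytes) -> Tuple[int, List[ipaddress.IPv6Network]]:
    """Return (router_lifetime, prefixes) from an RA payload; raise ValueError if malformed."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack(RA_HDR, payload[:16])[5]
    prefixes = []
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                       # RFC 4861 s.4.6: a zero-length option must be rejected
            raise ValueError("zero-length ND option")
        size = olen * 8
        if off + size > len(payload):
            raise ValueError("option runs past end of packet")
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen = payload[off + 2]
            addr = payload[off + 16: off + 32]
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += size                         # options of other types are skipped, per RFC 4861
    return router_lifetime, prefixes


@dataclass
class Host:
    """Per-interface ND state. A cap of None models a stack without the workaround."""
    max_prefixes: Optional[int] = 16        # assumed BSD default, not taken from the draft
    max_routers: Optional[int] = 16
    prefixes: Set[ipaddress.IPv6Network] = field(default_factory=set)
    routers: Set[str] = field(default_factory=set)
    dropped: int = 0                        # entries refused because a cap was reached

    def _admit(self, table: set, key, cap: Optional[int]) -> None:
        if key in table:
            return                          # refreshing a known entry never grows state
        if cap is None or len(table) < cap:
            table.add(key)                  # with cap=None this grows without bound under a flood
        else:
            self.dropped += 1

    def receive_ra(self, src_lladdr: str, payload: bytes) -> None:
        lifetime, prefixes = parse_ra(payload)
        if lifetime > 0:                    # lifetime 0 means "not a default router" (RFC 4861)
            self._admit(self.routers, src_lladdr, self.max_routers)
        for p in prefixes:
            self._admit(self.prefixes, p, self.max_prefixes)


def flood(host: Host, n_ras: int, prefixes_per_ra: int = 8) -> Tuple[int, int]:
    """Deliver n_ras RAs, each from a new source and carrying new /64s; return state sizes.

    Constructed input: prefixes are deterministic and pairwise distinct, so an
    uncapped host ends with exactly n_ras * prefixes_per_ra prefixes.
    """
    for i in range(n_ras):
        pfx = ["2001:db8:%x:%x::/64" % (i, j) for j in range(prefixes_per_ra)]
        host.receive_ra("fe80::%x" % (i + 1), build_ra(pfx))
    return len(host.prefixes), len(host.routers)


if __name__ == "__main__":
    capped, uncapped = Host(), Host(max_prefixes=None, max_routers=None)
    print("capped  :", flood(capped, 250), "dropped", capped.dropped)
    print("uncapped:", flood(uncapped, 250), "dropped", uncapped.dropped)
```

The point the model makes is the one the advisory and the draft turn on: the cost of the attack is the unbounded growth of the prefix and default-router tables, and a fixed cap converts that into a bounded, cheap drop. The parser also shows the two malformed-option cases (zero length, option past end of packet) that an RA consumer has to reject before it ever touches the tables.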