Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00
S Moonesamy <sm+ietf@elandsys.com> Tue, 16 July 2013 03:58 UTC
Date: Mon, 15 Jul 2013 20:57:16 -0700
To: Fernando Gont <fgont@si6networks.com>
From: S Moonesamy <sm+ietf@elandsys.com>
Cc: v6ops@ietf.org

Hi Fernando,

At 05:42 15-07-2013, Fernando Gont wrote:
>Isn't this already covered (together with a bunch of other ND-related
>stuff) in:
><http://tools.ietf.org/html/draft-gont-opsec-ipv6-nd-security>? :-)
>
>(this I-D was presented at the OPSEC meeting in Orlando)

I was not aware of that draft or that it was presented in Orlando. I took a quick look at your draft and I see that it mentions CVE-2010-4669 and the limit being enforced in OpenBSD 4.2.

Here's the background that led to the draft. There was an advisory published in 2011 about the IPv6 Router Advertisements flooding attack. One of the workarounds suggested was to disable IPv6 if the workaround (see Section 2 of draft-moonesamy-ra-flood-limit-00) was not available. There are multiple reasons for why the workaround was not implemented on different platforms (see advisory for some of the details) even though the problem is documented in RFC 6104.

draft-moonesamy-ra-flood-limit-00 is about documenting the workaround that has been implemented in NetBSD and OpenBSD. Someone mentioned to me that it is a short draft. The draft is a small effort so that I do not have to hear the "turn off IPv6" argument. :-) It is also about trying to address a known problem affecting a node in a timely manner.

I'll invite you to join the small effort as co-author of draft-moonesamy-ra-flood-limit.

Regards,
S. Moonesamy