Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host

["VAN DE VELDE, Gunter (Nokia - BE)" <gunter.van_de_velde@alcatel-lucent.com>]

I am saying that there is no difference between v4 and v6 behaviour on a WiFi (or even most other L2 network type’s) network when MAC address clash. It is not a new problem and same techniques used in v4 can be used in the v6 realm. Clearly when two devices have the same MAC address on the same L2 network something is goofed up. 


G/



07/01/16 17:16, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:

>So, are you saying there is an exploitable vulnerability in v4 community WiFi that
>carries forward into v6?
>
>Thanks - Fred
>fred.l.templin@boeing.com
>
>> -----Original Message-----
>> From: VAN DE VELDE, Gunter (Nokia - BE) [mailto:gunter.van_de_velde@alcatel-lucent.com]
>> Sent: Thursday, January 07, 2016 8:13 AM
>> To: Templin, Fred L; draft-ietf-v6ops-unique-ipv6-prefix-per-host@tools.ietf.org
>> Cc: v6ops@ietf.org WG
>> Subject: Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host
>> 
>> Hi Fred,
>> 
>> This seems no different as with v4 technology at community Wi-Fi…
>> 
>> G/
>> 
>> 
>> 
>> On 07/01/16 16:47, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
>> 
>> >Hi Gunter,
>> >
>> >OK, so you are saying that the MAC address of the UE is used as the UE identifier.
>> >But, both link-local and MAC addresses can be readily spoofed by an attacker,
>> >either to steal the service of the legitimate node or to deny service to the
>> >legitimate node. In order to avoid that, the UE would have to have some form
>> >of identifier that cannot be spoofed, or sign its messages using a certificate
>> >provisioned by the service provider - even though captive portal is being
>> >used to authenticate the user.
>> >
>> >Thanks - Fred
>> >fred.l.templin@boeing.com
>> >
>> >> -----Original Message-----
>> >> From: VAN DE VELDE, Gunter (Gunter) [mailto:gunter.van_de_velde@alcatel-lucent.com]
>> >> Sent: Thursday, January 07, 2016 1:51 AM
>> >> To: Templin, Fred L; draft-ietf-v6ops-unique-ipv6-prefix-per-host@tools.ietf.org
>> >> Cc: v6ops@ietf.org WG
>> >> Subject: Re: [v6ops] Focused discussion: draft-ietf-v6ops-unique-ipv6-prefix-per-host
>> >>
>> >>
>> >> Hi Fred,
>> >>
>> >>
>> >> The WLAN-GW should not care about overlap here, there is a split horizon function and the wlan-gw should be able to handle
>> >> overlapping IPs. Link-local address may be stored to e.g. use when sending RA, but it should not be used as a key, that is the role of
>> >> the MAC address. So as long as MAC addresses don't overlap there should not be a problem distinguishing UEs.
>> >>
>> >>
>> >> That being said, it would be unlikely to happen since link-local addresses in a WiFi context are mostly EUI-64 based and thus encode
>> >> the MAC address which as stated should be unique.
>> >>
>> >> Kind Regards,
>> >> G/
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On 06/01/16 21:01, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
>> >>
>> >> >I have what I hope will be a simple question: what if two or more UEs configure
>> >> >identical IPv6 link-local addresses - will the WLAN-GW be able to tell them apart?
>> >> >Asked another way, what kind of unique node identifier does the WLAN-GW
>> >> >expect each UE to provide in the initial RS?
>> >> >
>> >> >Thanks - Fred
>> >> >fred.l.templin@boeing.com