Re: [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

神明達哉 <jinmei@wide.ad.jp> Fri, 22 August 2014 16:38 UTC

In-Reply-To: <53F590A2.2090101@si6networks.com>
References: <53F33C4F.2070807@si6networks.com> <CAJE_bqfb+v9p-PO8-7xzuYx3rs6Lpvob-Zh8ummgUEqsy764Tg@mail.gmail.com> <53F3931F.9050601@si6networks.com> <CAJE_bqeJBBghP=qXcYUOqQwTPky0uqoog=ifu0pqGi0zycu8kw@mail.gmail.com> <53F51269.8070506@si6networks.com> <CAJE_bqfgp-dpGnPFGKqYNGQK_TszZ8656AJbnQihenks=t9d1w@mail.gmail.com> <53F590A2.2090101@si6networks.com>
Date: Fri, 22 Aug 2014 09:38:32 -0700
Message-ID: <CAJE_bqdrN6K3z2JzYH2ArHdrTERfSS+UYDH-YO=sPKpp0K-tDA@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Fernando Gont <fgont@si6networks.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/DPZykQzOhs7Onf8vtWtNcSLw1o8
Cc: IPv6 Operations <v6ops@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>
Subject: Re: [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

At Thu, 21 Aug 2014 03:24:34 -0300,
Fernando Gont <fgont@si6networks.com> wrote:

> >> [...] The one you suggested addresses
> >> only one of the two kinds of translators (if I understood correctly),
> >> and may still leave the door open in some scenarios.
> >
> > Specifically?
>
> Well, you can only really apply the suggested check to the stateless
> translation scenario.

Yes, and I thought we'd be okay with that, based on the
assumption/understanding that PTB<1280 is only useful for stateless
translation scenarios (and that's why I first asked this in my very
original message of this thread).

> But since a host does not know where it will be
> deployed, it cannot (out of the box) require that e.g. ICMPv6 PTB<1280
> use any specific part of the address space.
>
> Put another way, the mitigation would not "just work out of the box" for
> any of the servers running on the public Internet.
>
> And then, for the scenarios "a" or "c" from Section 2 of RFC6144, you
> still need to enforce filtering to prevent attacks within the IPv6 network.

Do you mean this mitigation isn't effective if the well-known prefix
(64:ff9b::/96) isn't used for the IPv4-Embedded IPv6 Addresses in
the stateless translation scenario?  If so, that's correct, and I have
to confess I don't remember all details and variations of translation
technologies and I assumed that stateless translation always uses the
well-known prefix.  Maybe I was incorrect about that?

--
JINMEI, Tatuya
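As an added illustration of the check the thread is debating (this is not code from the thread or from either participant), the following hypothetical host-side policy honours an ICMPv6 Packet Too Big reporting an MTU below 1280 only when the destination lies in a configured translation prefix, and shows why it only works "out of the box" for the well-known prefix 64:ff9b::/96. The function name, the exact policy and the sample addresses are assumptions.

```python
import ipaddress

# IPv6 minimum link MTU (RFC 2460 / RFC 8201). A PTB reporting less than this
# does not lower the Path MTU; it makes the host add a Fragment header instead.
IPV6_MIN_MTU = 1280
# Well-known prefix for IPv4-embedded IPv6 addresses (RFC 6052), the prefix
# the thread assumes stateless translators use.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def accept_ptb(reported_mtu, dst_addr, translation_prefixes=(WELL_KNOWN_PREFIX,)):
    """Decide what to do with an ICMPv6 Packet Too Big for destination dst_addr.

    Returns (path_mtu, add_fragment_header) when the message is honoured, or
    None when it should be ignored. Hypothetical policy, not the exact check
    proposed in the thread:
      * reported_mtu >= 1280: honoured as an ordinary PMTU reduction.
      * reported_mtu <  1280: honoured (Path MTU pinned at 1280, Fragment
        header added) only when dst_addr lies in a configured translation
        prefix, since sub-1280 MTUs only arise from IPv4/IPv6 translation.
        A forged sub-1280 PTB for any other destination is dropped, so it
        cannot make the host emit fragments that EH-dropping paths discard.
    """
    try:
        dst = ipaddress.IPv6Address(dst_addr)
    except ValueError:
        return None  # not an IPv6 destination; nothing to update
    if reported_mtu <= 0:
        return None  # malformed MTU field
    if reported_mtu >= IPV6_MIN_MTU:
        return (reported_mtu, False)
    prefixes = [ipaddress.IPv6Network(p) for p in translation_prefixes]
    if any(dst in p for p in prefixes):
        return (IPV6_MIN_MTU, True)
    return None


if __name__ == "__main__":
    # Constructed samples: a destination under the well-known prefix, a plain
    # IPv6 host, and one under an operator-specific prefix (2001:db8:64::/96,
    # constructed) that the host knows nothing about out of the box.
    for mtu, dst in [(1000, "64:ff9b::c000:201"), (1000, "2001:db8::1"),
                     (1000, "2001:db8:64::c000:201"), (1400, "2001:db8::1")]:
        print(mtu, dst, "->", accept_ptb(mtu, dst))
    # The operator-specific prefix passes only once it is configured, which is
    # the "does not just work out of the box" point raised in the thread.
    print(accept_ptb(1000, "2001:db8:64::c000:201",
                     (WELL_KNOWN_PREFIX, "2001:db8:64::/96")))
```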