IETF Logo Mail Archive

Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Nick Buraglio <buraglio@forwardingplane.net> Wed, 08 February 2023 15:02 UTC

Return-Path: <nick@buraglio.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A31AC136149 for <v6ops@ietfa.amsl.com>; Wed, 8 Feb 2023 07:02:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=forwardingplane-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfJpbuzE0VV2 for <v6ops@ietfa.amsl.com>; Wed, 8 Feb 2023 07:02:14 -0800 (PST)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1A2C1377F8 for <v6ops@ietf.org>; Wed, 8 Feb 2023 07:02:14 -0800 (PST)
Received: by mail-wr1-x42f.google.com with SMTP id j25so13521150wrc.4 for <v6ops@ietf.org>; Wed, 08 Feb 2023 07:02:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forwardingplane-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2QNt/yhhB9ft6Jh/uKt5EGCC1bUGuB+GCI6GpC07yKs=; b=ai2hu98g3GjNfIjZkNZy09XZd2fCHXnpotGztVWgSZeOP0m0m9DtmXJOChL5jDjUKz QndxsJfMJ9b44vcZaLvO1lRr/xosP8UQAa45c7B4xRZ67T2Og8sSy657r55mAV0G8vrU WUJ0eLXl1jskwv3OVrSj+cuR8ZOWNgF9h2qTcQRZFq3MCCPBrN4Vb/r6VuTd61eV0Dyy pAuf6tXJOSIsb8GhtKnCN+13hXrggwyZObXDS/F7HKBcxV+ArvW4dBt9gHFyvAmmg2ao 74QeVK5lxmeYisjLlS0lPUr+tfGmScscBj2eMebNcssUhv4bDbTCehloae+dcXOvM6tI D4+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2QNt/yhhB9ft6Jh/uKt5EGCC1bUGuB+GCI6GpC07yKs=; b=O8Tq1Klxky7kdsYrkGGRXCTBoRe7unwoBjLBuIQSkAPfdRU2cvsjacGpxfdSnx7DTb /rS8XmBjAIgCjGweACUaW/eiq/uET7wyc0Rc0xI4ZvWYUtna15rkMjRSsx/A9JO5q6qb WWtbvEcYZK97WIrtGfYP8DN7hKjL9rD8cyc9A7gWpFw9Kv8wZLMmPYvt+Z36r6lH2JJL GfhK6Og9w0waQsyD0dfYF6OhCs2IjiFwpOM/nMoOvRYY1/H8hHl/gUR1t7yetPbgZp8V hhhAMnOeTRU39N+N1irSaIpQXwtSfPKFL1zR89xyAB1NQTR2WjqWxME1kLYL3B2TI6Dw tedw==
X-Gm-Message-State: AO0yUKWmRn5mN1SpWDFvQuntbErb8gzqnZr93F5AZNcWCN2GSZZMJIW0 PAxRFCIPfWadEc8uE7qeqHDxQEk5Ed3mwq6mx2qhVg==
X-Google-Smtp-Source: AK7set9An1v8oHW264OpNOg+U9Hwo3daC+lBD4D5cbXwnD4FjZM5QqGkYDPhav40a3MIsv+d5Ds8W6910KtDH6/uA2c=
X-Received: by 2002:adf:f783:0:b0:2bf:af06:2c8 with SMTP id q3-20020adff783000000b002bfaf0602c8mr172174wrp.708.1675868532565; Wed, 08 Feb 2023 07:02:12 -0800 (PST)
MIME-Version: 1.0
References: <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com> <CAGB08_dQyXLobLu5bjYkCrOUg7kbU8EAtn+OfzMSQqV4qmn8AQ@mail.gmail.com> <7f3737e4-a89d-29cb-f01b-5d032ac1c29f@si6networks.com>
In-Reply-To: <7f3737e4-a89d-29cb-f01b-5d032ac1c29f@si6networks.com>
From: Nick Buraglio <buraglio@forwardingplane.net>
Date: Wed, 08 Feb 2023 09:02:00 -0600
Message-ID: <CAGB08_c-WBanW=H9+hNs24TjFjCwdqQXDe7Kj5F1wqoeQ6wLBw@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: IPv6 Operations <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000092ff9705f4318cb5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/EbuPeOQN7u8sqx2p3m7D0-bEFkQ>
Subject: Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2023 15:02:19 -0000

On Tue, Feb 7, 2023 at 5:42 PM Fernando Gont <fgont@si6networks.com> wrote:

> Hi, Nick,
>
> On 7/2/23 17:22, Nick Buraglio wrote:
> [....]
> >
> > A few things that may be useful to add:
> >
> > Using data enrichment such as correlation of address to behavior (i.e.
> > use of a passive system to look for patterns in addressing to behavior)
> > may decrease false positives.
>
> Could you elaborate a bit here?
>

Cross referencing flow data with syslog data with policy based alerting.
SIEM-type collection with some logic, essentially. Long (and medium) term
behavior analysis on traffic and host behavior. It definitely takes some
effort and probably isn't for everyone, so YMMV here.


>
>
> > This is how we determine if we should or
> > should not filter ephemeral addresses, both v4 and v6, and it works
> > well. It does not lend itself to reputation lists in the larger sense,
> > but over time it will absolutely show patterns and curves in behavior
> > to specific blocks just like in IPv4.
>
> Can you use such a system for, say, proactive defenses?
>

It really depends on how you define "proactive". If you mean leveraging
that data for instatianting filters before the traffic occurs like a
reputation list, probably not, although over time that type of list may be
able to be derived from the data. I am more thinking of a "realtime" black
hole on transit traffic with a passive monitoring system which uses policy
to define "good" and "undesirable" patterns. It is less for a service
provider style network and more suited for a network with no
ingress/egress asymmetry, although based on how you use the data collected
it could (and I have seen deployments where it does) build a list of
addressing that is simply always misbehaving and could be carte blanche
filtered at different locations.  This is fairly common in what I call
"open perimeter" networks, where there is a need to avoid middle
boxes, I've seen and helped implement this a handful of times using
everything from triggered BGP blackhole to flowspec, to simple ACLs.
The advantages are that the RBLs are tailor made for the environment
because they are generated from the actual traffic, and not a consumable
stream. The disadvantage is that they are not vetted at all and require a
lot of care and feeding.

As I type all of this I realize that this may be (and likely is) more
complex / specialized than you're aiming for, as it definitely skirts away
from the simple addressing feeds and essentially operates as a
self-generated RBL.


>
>
>
> > Adding in some data about the detrimental effects of  over-filtering,
> > and the very real possibility of creating DoS events based on too many
> > routes in the blackhole table, etc. Easy enough to alleviate with
> > filters, but also leaves a bit of exposure in doing so (as you mentioned
> > in the filter FIFO addressing behavior).
>
> Will do. Thanks!
>
>
>
> > Having blackhole behavior or filter behavior that is expected to be
> > ephemeral and increasing in duration may aid in some of the resource and
> > minimize false positive impact. e.g. IP resource misbehaves, it is
> > filtered for n minutes and then unblocked. second offense is 15 minutes,
> > third offense is a day, whatever, you get the point. This is, again, how
> > orgs I have worked with for years have chosen to do things it works well
> > for those use cases.
>
> There's also the question of how you "scale" the filters in terms of
> their lifespam. e.g., when you shorten the prefix, you might want to
> reduce the banning time.
>
>
>
> > Operationally I have never felt that reputation lists are terribly
> > useful, personally (likely due to the old RBL days and pain caused by
> > them), but having them there as a guide is sometimes useful.
>
> They are one tool in the toolbox. e.g., while you get the devops folks
> to patch vulnerable ednpoints, you probably don't want to e.g., show up
> in shodan.io (and similar).
>
>
>
> >
> >     So that's what motivated the publication of this document.
> >
> >     * TXT:
> >
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt <
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt>
> >     * HTML:
> >
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html <
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html>
> >
> >
> > FWIW, I didn't read it as implying that SLAAC was undesirable, but I did
> > only give it a quick skim.
>
> We certainly didn't mean it. Obviously, ACLs rely on some address
> stability, so temporary addresses will be at odds with /128 ACLs.
> (temporary addresses are theoretically supported by both SLAAC and
> DHCPv6, though)
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
ᐧ

v2.23.0 | Report a Bug | By Email