Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)

David Farmer <farmer@umn.edu> Thu, 22 August 2013 22:59 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA9CF11E8169 for <v6ops@ietfa.amsl.com>; Thu, 22 Aug 2013 15:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSf-XtsyvQGp for <v6ops@ietfa.amsl.com>; Thu, 22 Aug 2013 15:59:27 -0700 (PDT)
Received: from vs-m.tc.umn.edu (vs-m.tc.umn.edu [134.84.135.97]) by ietfa.amsl.com (Postfix) with ESMTP id 8A29111E813D for <v6ops@ietf.org>; Thu, 22 Aug 2013 15:59:27 -0700 (PDT)
Received: from mail-ob0-f175.google.com (mail-ob0-f175.google.com [209.85.214.175]) by vs-m.tc.umn.edu (UMN smtpd) with ESMTP for <v6ops@ietf.org>; Thu, 22 Aug 2013 17:59:21 -0500 (CDT)
X-Umn-Remote-Mta: [N] mail-ob0-f175.google.com [209.85.214.175] #+LO+TR
X-Umn-Classification: local
Received: by mail-ob0-f175.google.com with SMTP id xn12so4885338obc.34 for <v6ops@ietf.org>; Thu, 22 Aug 2013 15:59:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:message-id:date:from:reply-to:organization :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=tkWKlTQO5bOQFmedPn7BEFBueFjJOmKiYTCHX5xsEfA=; b=OI7BfMAWhjM8p2KoWXw/HKZgzxIsBzYnOcysZd70fEgXiRvt5rRcTyF4H8eppe1wIk srwAQRF8t3tilpvnuxlOq5OWwg6sRCcoZC6NgL5Rzdn5rlxPpL+2QRcXW5jVKgcg9Q2z rjTTO62hcfxS+NqnlgQZawTsoT/uzCLldTEJxXqHmooN1o/l+fQLqLlP3cm9SZhwfTbt rsyz2S6wjiwXxaS2bUu4eHCHxcyby0f/fQRnHwy5pp3+2IR81pBGTUS8t2dgDzS9WRf+ aGBnnC34g6GDkTbvZmd0QbbPWyYn5fAiFW0cYZdL5KyiHPcHiHD7v2yRcT1rA75qU7kD mM1A==
X-Gm-Message-State: ALoCoQk9scsMFGbpp5Gq2k7qdecAhPTToOohrI3v1WNQmB9JIeaXUCL4KQ/k9CzgYDeOB/9i3F+wkIjJCg9TEf/KjtszC6Q3+0tmXypDLygXSWQ7j8cEbqI7IyBtIOYwaTikyZREewP8
X-Received: by 10.60.44.193 with SMTP id g1mr17093116oem.47.1377212360996; Thu, 22 Aug 2013 15:59:20 -0700 (PDT)
X-Received: by 10.60.44.193 with SMTP id g1mr17093106oem.47.1377212360855; Thu, 22 Aug 2013 15:59:20 -0700 (PDT)
Received: from x-134-84-88-90.nts.umn.edu (x-134-84-88-90.nts.umn.edu. [134.84.88.90]) by mx.google.com with ESMTPSA id tz10sm21997856obc.10.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 22 Aug 2013 15:59:19 -0700 (PDT)
Message-ID: <521697C6.8080207@umn.edu>
Date: Thu, 22 Aug 2013 17:59:18 -0500
From: David Farmer <farmer@umn.edu>
Organization: University of Minnesota
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Tim Chown <tjc@ecs.soton.ac.uk>
References: <52165DC0.7090406@scea.com> <CFF483B5-E780-4D8F-B2B4-2F9AE19A4147@ecs.soton.ac.uk> <EMEW3|aa8823c39ca54364e45099ae590c0046p7LLpN03tjc|ecs.soton.ac.uk|CFF483B5-E780-4D8F-B2B4-2F9AE19A4147@ecs.soton.ac.uk>
In-Reply-To: <EMEW3|aa8823c39ca54364e45099ae590c0046p7LLpN03tjc|ecs.soton.ac.uk|CFF483B5-E780-4D8F-B2B4-2F9AE19A4147@ecs.soton.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: IETF v6ops list <v6ops@ietf.org>, Tom Perrine <tperrine@scea.com>
Subject: Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: David Farmer <farmer@umn.edu>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 22:59:33 -0000

On 8/22/13 15:51 , Tim Chown wrote:
>
> On 22 Aug 2013, at 19:51, Tom Perrine <tperrine@scea.com
> <mailto:tperrine@scea.com>> wrote:
>
...
>> But, what I'm seeing is that no one is talking about how the
>> transition strategies will not address this attack at all,
>> at least as far as I can tell. They all seem to seek to leave
>> (allegedly) IPv4-only nodes in place and work at one or
>> more hops away from those nodes. This ignores that so many nodes
>> really aren't IPv4-only. They are really dual-stack
>> nodes that are waiting for the IPv6 configuration to be completed. And
>> you can complete that configuration, or your
>> attacker will!
>>
>> I see two ways to mitigate this attack:  turn off IPv6 on all modern
>> OSes, or fully deploy IPv6.  Guess which one I
>> don't want to see advocated :-)

Yes, deploying IPv6 is the best answer in many, if not most cases.  BUT;

>> Am I missing something, or is this one more point to add to the
>> "deploy IPv6 now, deploy native, skip the transition
>> technologies" ?  (I'm including dual-stack in the native strategy.)

I will expand on the references Tim provides below; On all IPv4 only 
networks you should operationally deploy RA-Guard or filter IPv6 ICMP 
RAs, and DHCPv6 server responses while you are at it too, on all access 
ports where you can, and more drastically filter Ether-Type 86dd all 
together where you don't have RA-Guard or IPv6 filters available.  In my 
view RA-Guard is not only a IPv6 network issue it an issue for all 
networks because of these MITM attacks.

Before World IPv6 day more than two years ago, we had a project to make 
our entire network quad-A safe.  That is we deployed IPv6 every where we 
could, and deployed IPv6 ICMP RA filters on virtually every wired access 
port.  We deployed IPv6 on our 802.1x authenticated wireless.  But we 
had to deploy 86dd filters on our web portal authenticated wireless, as 
the web portal didn't support IPv6, still doesn't, and there was no way 
to properly protect from Rogue RAs, other than to filter all IPv6 
traffic.  These generally weren't malicious MITM attacks, but were 
misconfigured hosts with Internet connection sharing turned on, but they 
still create issues on IPv4 only networks and would break any sites that 
would dare to use quad-As.

So, back to the big BUT above, it is naive to think you can deploy 
native IPv6 absolutely every where.  You may be able to deploy it most 
places, but you must protect from Rouge RAs every where, even IPv4 only 
networks.

For policy reasons, still today, we still haven't turned on IPv6 in 
several parts of our network.  These are mostly areas that deal with 
private data, HIPPI, FERPA, PCI and other compliance regimes, but it was 
extra important that theses areas also got RA-Guard for the very same 
reasons we haven't turned on IPv6 yet.

> There's lots of work within the IETF on this, e.g. take a look at
> http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-05.
>
> The sunset4 WG is also quite interesting.
>
> I'm surprised an event like DEFCON presented something that old.

It's an oldie but goodie. :)

> Tim

-- 
================================================
David Farmer               Email: farmer@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE     Phone: 1-612-626-0815
Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
================================================