Re: [v6ops] (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Simon <linux@thehobsons.co.uk> Tue, 14 February 2023 18:11 UTC
Return-Path: <linux@thehobsons.co.uk>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9377C1CAB53 for <v6ops@ietfa.amsl.com>; Tue, 14 Feb 2023 10:11:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPVttoXHgqwg for <v6ops@ietfa.amsl.com>; Tue, 14 Feb 2023 10:11:41 -0800 (PST)
Received: from patsy.thehobsons.co.uk (patsy.thehobsons.co.uk [80.229.10.150]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90F25C1CAB45 for <v6ops@ietf.org>; Tue, 14 Feb 2023 10:11:41 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at patsy.thehobsons.co.uk
Received: from smtpclient.apple (MacBook-Pro.thehobsons.co.uk [192.168.137.121]) by patsy.thehobsons.co.uk (Postfix) with ESMTPSA id 61D5B104001 for <v6ops@ietf.org>; Tue, 14 Feb 2023 18:11:35 +0000 (UTC)
From: Simon <linux@thehobsons.co.uk>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 14 Feb 2023 18:11:34 +0000
References: <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com>
To: IPv6 Operations <v6ops@ietf.org>
In-Reply-To: <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com>
Message-Id: <A8F954DA-1F9C-4329-A454-E9D7D17689D1@thehobsons.co.uk>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/H41-bM2wdrj-TeUQ1pQfXS-Bvbc>
Subject: Re: [v6ops] (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2023 18:11:42 -0000
Fernando Gont <fgont@si6networks.com> wrote: > FYI, this one is targeted at opsec, but might be of interest to this group: > > * TXT: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt > * HTML: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html Interesting read. However, I think a few places are perhaps a little misleading. One is discussing blocking a whole /64, and that it will probably block other (innocent) hosts on the same network. This isn’t really any different to the world of IPv4 where blocking a single address will most likely block all hosts in a network behind a NAPT gateway. To an extent, I can see that treating a /64 in much the same way as a /32 in the IPv4 world will become commonplace for the reasons you mention. I’ve definitely dealt with the situation where the email for a whole office keeps going down because one device was misconfigured and kept triggering fail2ban on our servers. As for fail2ban (as mentioned by Henri) and similar techniques. I can see scope (though I suspect there isn’t a ready-written module to do it) for banning by individual IP and escalating to banning the whole /64 if multiple addresses get banned. That would deal with the “attack till banned, then move” approach - but as mentioned, won’t stop a more stealthy attack of “attack and keep moving before the ban kicks in”. To deal with the latter would probably need a different filter to aggregate failures by /64 and ban the whole /64 if triggered. So I think there is certainly scope, at the expense of more complicated rules, to be more nuanced with fail2ban (or similar) in the IPv6 world. Simon
- [v6ops] Fwd: (IETF I-D): Implications of IPv6 Add… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Vasilenko Eduard
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… David Conrad
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Ted Lemon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Vasilenko Eduard
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Henri Alves de Godoy
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Simon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Fernando Gont