Re: [v6ops] [secdir] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04

Fernando Gont <fernando@gont.com.ar> Thu, 10 September 2020 07:18 UTC

To: Uri Blumenthal <uri@mit.edu>, Ted Lemon <mellon@fugue.com>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Christopher Wood via Datatracker <noreply@ietf.org>, "draft-ietf-v6ops-cpe-slaac-renum.all@ietf.org" <draft-ietf-v6ops-cpe-slaac-renum.all@ietf.org>, Christopher Wood <caw@heapingbits.net>
From: Fernando Gont <fernando@gont.com.ar>
Date: Thu, 10 Sep 2020 03:11:25 -0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/LvljfhlBYThMIFZEu2AmeacS3VY>

On 9/9/20 23:17, Uri Blumenthal wrote:
> Capability-wise, what's the likelihood that the attacker would be 
> present on the southbound interface, but *not* on the northbound one?

I'm not sure I could talk about "likelihood" in any measurable way.

But I'd argue that, generally speaking, anyone that shares the same 
LAN/Connection will be on the southbound interface (e.g., think of a 
cyber-cafe, university network, enterprise network, or whatever) whereas 
in order to be present on the northbound interface you'd probably 
normally be:

* A rogue ISP
* A state actor, or,
* Somebody that managed to get to the right cable.


For the "normal" attacker, I'd say it's much more likely to be present 
on the south-bound interface, whereas for other cases, I guess it could 
be both.

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1