Re: [v6ops] [EXTERNAL] Re: I-D Action: draft-ietf-6man-grand-01 - additional security concerns

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 31 July 2020 15:51 UTC

From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Ted Lemon <mellon@fugue.com>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>
CC: v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Date: Fri, 31 Jul 2020 15:51:08 +0000
Message-ID: <a43ffd94d6364a0f869cd4c694ab7432@boeing.com>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com> <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <91D98D51-4045-4331-A711-8387ECE73400@fugue.com>
In-Reply-To: <91D98D51-4045-4331-A711-8387ECE73400@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/MQkmM6DWBRr-Uteg66Zlma5rpz8>

Hi Ted, et al,

> We’ve tried to address it with SEND, but that hasn’t gotten any traction in the market.

I think that means that either SEND was ahead of its time and the market for it is only
now beginning to materialize, or SEND is somehow broken and should be deprecated.
I am interested to know which, since I believe I see a role for SEND.

Thanks - Fred


From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Ted Lemon
Sent: Friday, July 31, 2020 8:13 AM
To: Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>
Cc: v6ops list <v6ops@ietf.org>; 6man <ipv6@ietf.org>
Subject: [EXTERNAL] Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

On Jul 30, 2020, at 6:26 PM, Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org> wrote:
> I support GRAND because it is better than nothing and progressing just that at 6MAN seems to be an incredible achievement already.

Indeed.  GRAND seems like a thing that one would be tempted to add to a stack even in the absence of a draft describing it. Having a draft that describes how to do it is better, because we can then have a discussion of what the benefits and drawbacks are, and mitigate the drawbacks. This concern about ND security seems like a useless digression: yes, ND is not secure, we know this. We’ve tried to address it with SEND, but that hasn’t gotten any traction in the market.

Are we seeing L2 attacks on ND in the wild? What’s the threat model? If this is a real concern, let’s confront it head-on, rather than trying to address it piecemeal.
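Added example, not part of this thread and not code from the GRAND draft or any of its authors: the neighbor-cache poisoning case behind the threat-model question above, written as a passive detector in Python. It parses ICMPv6 Neighbor Advertisements (RFC 4861), remembers the first link-layer address advertised for each target, and reports any later NA that tries to move that target to a different link-layer address, which is what an attacker racing or overriding a host's gratuitous NA would have to send. The addresses, MACs and packet sequence in demo() are constructed for the example; the ICMPv6 checksum is left zero because computing it needs the IPv6 pseudo-header, which this body-only parser does not see.

```python
"""Passive ICMPv6 Neighbor Advertisement cache-poisoning detector (added example)."""
import struct
import ipaddress
from typing import Optional

ICMPV6_NEIGHBOR_ADVERTISEMENT = 136  # RFC 4861 section 4.4
ND_OPT_TARGET_LLADDR = 2            # RFC 4861 section 4.6.1

# Flag bits in the 32-bit word that follows the ICMPv6 checksum
NA_FLAG_ROUTER = 0x80000000
NA_FLAG_SOLICITED = 0x40000000
NA_FLAG_OVERRIDE = 0x20000000


def build_na(target: str, lladdr: bytes, solicited: bool, override: bool) -> bytes:
    """Construct an ICMPv6 NA body (no IPv6 header) for the demo traffic.
    Checksum stays zero: it needs the IPv6 pseudo-header to compute."""
    flags = (NA_FLAG_SOLICITED if solicited else 0) | (NA_FLAG_OVERRIDE if override else 0)
    hdr = struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
    tgt = ipaddress.IPv6Address(target).packed
    # Target Link-Layer Address option: type 2, length 1 (8 octets: 2 header + 6 MAC)
    opt = struct.pack("!BB", ND_OPT_TARGET_LLADDR, 1) + lladdr
    return hdr + tgt + opt


def parse_na(data: bytes) -> Optional[dict]:
    """Parse an ICMPv6 NA body; return None for anything that is not a well-formed NA."""
    if len(data) < 24:
        return None
    msg_type, code, _csum, flags = struct.unpack("!BBHI", data[:8])
    if msg_type != ICMPV6_NEIGHBOR_ADVERTISEMENT or code != 0:
        return None
    target = ipaddress.IPv6Address(data[8:24])
    lladdr = None
    off = 24
    while off + 2 <= len(data):
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:  # RFC 4861 section 4.6: zero length is invalid, discard the packet
            return None
        end = off + opt_len * 8
        if end > len(data):  # truncated option
            return None
        if opt_type == ND_OPT_TARGET_LLADDR and opt_len == 1:
            lladdr = data[off + 2:off + 8]
        off = end
    return {
        "target": target,
        "solicited": bool(flags & NA_FLAG_SOLICITED),
        "override": bool(flags & NA_FLAG_OVERRIDE),
        "lladdr": lladdr,
    }


class NACacheMonitor:
    """Keeps the first link-layer address seen per target and flags any NA that
    advertises a different one for the same target."""

    def __init__(self) -> None:
        self.bindings: dict = {}

    def observe(self, data: bytes) -> Optional[str]:
        na = parse_na(data)
        if na is None or na["lladdr"] is None:
            return None
        prev = self.bindings.get(na["target"])
        if prev is None:
            self.bindings[na["target"]] = na["lladdr"]  # first sighting: learn it
            return None
        if prev == na["lladdr"]:
            return None  # same binding re-advertised, nothing to report
        kind = "solicited" if na["solicited"] else "unsolicited"
        ovr = "override" if na["override"] else "no-override"
        return (f"ALERT {na['target']} moved from {prev.hex(':')} to "
                f"{na['lladdr'].hex(':')} via {kind}/{ovr} NA")


def demo() -> list:
    """Constructed sequence: a host's gratuitous NA, a solicited reply from the same
    host, then an impostor's unsolicited NA with the Override flag for the same target."""
    host_mac = bytes.fromhex("02aa000000aa")  # constructed
    evil_mac = bytes.fromhex("02bb000000bb")  # constructed
    mon = NACacheMonitor()
    pkts = [
        build_na("2001:db8::10", host_mac, solicited=False, override=True),
        build_na("2001:db8::10", host_mac, solicited=True, override=True),
        build_na("2001:db8::10", evil_mac, solicited=False, override=True),
    ]
    return [alert for alert in (mon.observe(p) for p in pkts) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Under RFC 4861 section 7.2.5 an NA can only replace a link-layer address already cached for a target when its Override flag is set, so the unsolicited/override combination from a new MAC is the case to escalate; a solicited NA carrying a different address is more often a legitimate NIC or VM move. SEND would let the receiver reject the impostor at the source by checking the CGA and RSA Signature options; the monitor here only detects after the fact.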