Re: [v6ops] SLAAC security concerns

Gert Doering <gert@space.net> Wed, 05 August 2020 18:25 UTC

Date: Wed, 05 Aug 2020 20:24:55 +0200
From: Gert Doering <gert@space.net>
To: Mark Smith <markzzzsmith@gmail.com>
Cc: Gert Doering <gert@space.net>, Vasilenko Eduard <vasilenko.eduard@huawei.com>, Michael Richardson <mcr+ietf@sandelman.ca>, 6man <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Message-ID: <20200805182455.GF2485@Space.Net>
References: <f52c4463862f44b5ba2a9d41db86d231@huawei.com> <20200804194448.GA2485@Space.Net> <CAO42Z2x_AE=W2gQd4t3nZPVvGCxT3u0L0BCGJPZ0RFo+2m8Xbg@mail.gmail.com>

Hi,

On Wed, Aug 05, 2020 at 09:32:56AM +1000, Mark Smith wrote:
> Multicast also shifts and distributes state away from a central device.
> 
> A central device is a much bigger consequence point of failure, and is a
> harder thing to make redundant due to having to invent a state
> synchronisation and load selection or distribution method mechanism between
> a primary and one or more backup nodes.

This asks for "broadcast", not for "multicast".

To get any benefits from multicast, you now require that all the network
elements listen to MLD and understand which multicast packets to hand
where.  And keep state.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
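An added toy model (constructed for this page, not code from the thread or from any vendor) of the point made above: a Neighbor Solicitation to a solicited-node multicast group only reaches fewer ports than a broadcast would if the switch listens to MLD and keeps per-group, per-port listener state; with snooping off, multicast degenerates to flooding. The `ToySwitch` class, `demo()` and the host placement on port 2 are assumptions of this example.

```python
"""Toy model: multicast-based ND only beats broadcast when the L2 switch
snoops MLD and keeps state (constructed example, not from the thread)."""
import ipaddress
from collections import defaultdict

ALL_NODES = "ff02::1"
SN_PREFIX = 0xff020000000000000000000100000000  # ff02::1:ff00:0/104

def solicited_node_mcast(addr: str) -> str:
    """Solicited-node multicast group for an IPv6 address (RFC 4291 2.7.1):
    ff02::1:ff00:0/104 followed by the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SN_PREFIX | 0xFF000000 | low24))

class ToySwitch:
    """Assumed L2 switch abstraction. With snooping on it records MLD reports
    per group and port; with snooping off it floods every multicast frame to
    all other ports, i.e. it behaves exactly like a broadcast."""

    def __init__(self, ports, mld_snooping: bool):
        self.ports = set(ports)
        self.snooping = mld_snooping
        self.listeners = defaultdict(set)  # group -> ports that reported

    def mld_report(self, port, group):
        if self.snooping:
            self.listeners[group].add(port)

    def mld_done(self, port, group):
        if self.snooping:
            self.listeners[group].discard(port)
            if not self.listeners[group]:
                del self.listeners[group]

    def state_entries(self) -> int:
        """Amount of (group, port) state the switch has to keep (and sync)."""
        return sum(len(p) for p in self.listeners.values())

    def forward(self, in_port, dst_group) -> set:
        """Egress ports for a multicast frame: all-nodes is always flooded,
        other groups go only to reported listeners (this toy prunes unknowns)."""
        if not self.snooping or dst_group == ALL_NODES:
            return self.ports - {in_port}
        return self.listeners.get(dst_group, set()) - {in_port}

def demo():
    target = "2001:db8::1"                    # constructed target address
    group = solicited_node_mcast(target)      # ff02::1:ff00:1
    snoop = ToySwitch(range(1, 5), mld_snooping=True)
    flood = ToySwitch(range(1, 5), mld_snooping=False)
    snoop.mld_report(2, group)                # assumed: target host on port 2
    # NS from port 1: one port with snooping, every other port without it
    return snoop.forward(1, group), flood.forward(1, group), snoop.state_entries()
```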