Re: [v6ops] [EXTERNAL] Re: Improving ND security

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 31 July 2020 21:47 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
CC: Ted Lemon <mellon@fugue.com>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: [EXTERNAL] Re: Improving ND security
Thread-Index: AdZnYGykJNK1kk2zSneWe05yLDtm6gAAUmIAAABNVoAACE6vdg==
Date: Fri, 31 Jul 2020 21:47:13 +0000
Message-ID: <0DDEBA6C-3933-40FC-BB9C-33FA59DC9D76@cisco.com>
References: <d5c245f216c3409f826f8132e532a882@boeing.com> <860E06E2-2650-4AAE-AD33-D4D12B0290DC@fugue.com>, <b66ce3d9c75d4a39b5336dcdf9929411@boeing.com>
In-Reply-To: <b66ce3d9c75d4a39b5336dcdf9929411@boeing.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/P9BQpgRnlq2XBN7c_Kl9bLJIwB4>
Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>

Hello Fred

A major attack vector is an external attacker sending packets to the 2^64 or so possible addresses in the subnet. The attack causes a denial of service at the router, which MUST store one packet for one second and multicast an NS lookup, which multiplies the effect. The attack is easy to perform from the outside and SEND offers no protection. The only clear protection is to know in advance all the addresses present in the network and drop the rest. GRAND offers a way to preset the ND cache, which is better than nothing, but it offers no guarantee that the router has the full set of addresses in cache. In fact the concept of a cache dates from the days when memory was scarce and expensive. This concept is not needed and rather harmful in modern networks.


Regards,

Pascal
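The attack described in the message above, as an added simulation that is not part of the original mail or of any IETF document: an off-link sweep of random addresses in a /64 forces the router to create INCOMPLETE neighbor-cache entries, hold a packet and multicast Neighbor Solicitations (RFC 4861 section 7.2.2, retransmitted at RETRANS_TIMER up to MAX_MULTICAST_SOLICIT times), while a router that knows the complete set of on-link addresses in advance drops everything else without creating state. The prefix, the attack rate, the single queued packet per entry and the `known_hosts` list are assumptions chosen to keep the model small.

```python
"""Neighbor-cache exhaustion by an off-link address sweep, and the
"know every on-link address in advance" defence.  Added example, not code
from this thread or from any IETF document; addresses, rates and the
one-packet queue are assumptions made to keep the model small."""
import ipaddress
import random
from dataclasses import dataclass, field

# RFC 4861 protocol constants (the only values here taken from a spec).
RETRANS_TIMER = 1            # seconds between Neighbor Solicitations
MAX_MULTICAST_SOLICIT = 3    # NS attempts before an INCOMPLETE entry is dropped


@dataclass
class NeighborEntry:
    state: str                                  # "INCOMPLETE" or "REACHABLE"
    queued: list = field(default_factory=list)  # packets held while resolving
    ns_sent: int = 0
    next_retrans: int = 0


class Router:
    """Minimal model of one router interface on a /64 link."""

    def __init__(self, prefix, known_hosts=None):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.cache = {}
        self.ns_multicasts = 0   # NS messages multicast onto the link
        self.dropped = 0         # packets discarded without delivery
        # Defence from the message above: if the complete set of on-link
        # addresses is known, pre-populate the cache and never resolve others.
        self.strict = known_hosts is not None
        for addr in known_hosts or []:
            self.cache[ipaddress.IPv6Address(addr)] = NeighborEntry("REACHABLE")

    def forward(self, dst, packet, now):
        dst = ipaddress.IPv6Address(dst)
        entry = self.cache.get(dst)
        if entry is not None and entry.state == "REACHABLE":
            return "forwarded"
        if self.strict:
            self.dropped += 1            # unknown address: drop, no NS, no state
            return "dropped"
        if entry is None:
            # RFC 4861 7.2.2: create an INCOMPLETE entry, queue the packet and
            # multicast an NS to the solicited-node group.  Each probe from the
            # attacker therefore costs the router memory plus a multicast.
            entry = NeighborEntry("INCOMPLETE")
            self.cache[dst] = entry
            self._solicit(entry, now)
        if len(entry.queued) < 1:        # assumption: hold one packet per entry
            entry.queued.append(packet)
        return "queued"

    def _solicit(self, entry, now):
        entry.ns_sent += 1
        entry.next_retrans = now + RETRANS_TIMER
        self.ns_multicasts += 1

    def tick(self, now):
        """Run retransmission timers: retry NS or give up on stale entries."""
        for dst, entry in list(self.cache.items()):
            if entry.state != "INCOMPLETE" or entry.next_retrans > now:
                continue
            if entry.ns_sent >= MAX_MULTICAST_SOLICIT:
                self.dropped += len(entry.queued)
                del self.cache[dst]
            else:
                self._solicit(entry, now)

    def incomplete(self):
        return sum(1 for e in self.cache.values() if e.state == "INCOMPLETE")


def sweep(router, seconds, pps, seed=1):
    """Attacker outside the link sends `pps` packets/s to random addresses in
    the router's /64 (constructed traffic; no NA ever answers the NS)."""
    rng = random.Random(seed)
    base = int(router.prefix.network_address)
    for sec in range(seconds):
        for _ in range(pps):
            dst = ipaddress.IPv6Address(base + rng.getrandbits(64))
            router.forward(dst, b"probe", sec)
        router.tick(sec + 1)
    return router


if __name__ == "__main__":
    victim = sweep(Router("2001:db8::/64"), seconds=5, pps=100)
    print("no defence  :", victim.incomplete(), "INCOMPLETE entries,",
          victim.ns_multicasts, "NS multicast,", victim.dropped, "dropped")
    hardened = sweep(Router("2001:db8::/64", ["2001:db8::1", "2001:db8::2"]),
                     seconds=5, pps=100)
    print("preset cache:", hardened.incomplete(), "INCOMPLETE entries,",
          hardened.ns_multicasts, "NS multicast,", hardened.dropped, "dropped")
```

With no defence the router settles at roughly 3 × pps INCOMPLETE entries and emits about three NS multicasts per attacker packet, so a modest sweep rate turns into sustained state and multicast load on the link. The strict router never solicits, but the flip side is the point made above about presetting the cache: any legitimate host missing from `known_hosts` is unreachable, so the defence is only as good as the completeness of that list.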

On 31 Jul 2020, at 19:49, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:


Hi Ted,

By “NM” I think you mean “Mobile Node?” That’s not really one of the use cases we’re talking about here. Or am I missing something?
[>]
Or, just call it a (mobile) “Stub-Network” – I think we are talking about the same
thing here.

In any case, you’re presuming some kind of trust establishment for non-router nodes, right? SEND only talks about trust establishment for routers. And, let’s be frank, doesn’t actually give us enough operational guidance that we would expect what _is_ said to be generally practicable.
[>]
OK, the specs I have been working on dip their toes into the SEND pool but maybe they
should be updated to dive in completely? With an adoption call in progress, I don’t
know if it would be a good idea to make changes right now but be assured that it
will be added to the TODO list – would that be acceptable for now?

Thanks - Fred