IETF Logo Mail Archive

Re: [v6ops] Improving ND security

Ted Lemon <mellon@fugue.com> Fri, 31 July 2020 17:40 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4056A3A096D for <v6ops@ietfa.amsl.com>; Fri, 31 Jul 2020 10:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0BSCQ6yFlZHj for <v6ops@ietfa.amsl.com>; Fri, 31 Jul 2020 10:40:46 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEDDB3A08E6 for <v6ops@ietf.org>; Fri, 31 Jul 2020 10:40:45 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id c12so14529130qtn.9 for <v6ops@ietf.org>; Fri, 31 Jul 2020 10:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=YtwQ5dx3S1BB8hOkvC6e+3D0wguaHTW4Zph+6fBMuZg=; b=hxbadQ/L6ditv9NrQxxbmlrtUV1mFUB2UsH1CK/55Q0Dfkidc6+a+ybsiGKJy7RC8L rgB+ZB8HHxrERd7E7pE+ackgXLNBv/dfPeS0WY8BRB96vOTzC0sM7eRm3LMnhAL9FYnL XaQraCTOafysamNIPS0Pf95FN+5BbTvdsztQv0K41Zb4jOuN5cebqsFoP9f79viDnVwt boP0rEKv+fm9Hk3sdl2sKEUpwRMx0qz3zaVHWoQMhuslTYLPel0Gs75sZqy8GyBudoay bES01b2uHuI684Kg9/ESzLO0SxJ80mASEL5mwoDsjs/3+FMqobZ92JdFCIQf1PnHbz6c MhYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=YtwQ5dx3S1BB8hOkvC6e+3D0wguaHTW4Zph+6fBMuZg=; b=UgpqohV7QYjAo0o29kb5N2pfZHb1RaW2ZNAOVVZD+HYL8md8guLjYy9bqMJwaLdKlA GMU5RNcJ0C/tDnF1blmECj5qBrcBxDa4NGUUwTwy9/9szC9zudJqm0OgWZvHZfacgT83 KLyBhKjOeuoH+A78yi2b6zYOV+kikCb5850pkfj1ZpJyt7ECcaBmRFVlgSVQl4WVdTz4 v/JZpzZZYsMA+TRTPMdx+uzT02xhIFzMtPrpW6ILasUYuHdYfUlSZl94ppffIOMxfhIi Pi89s3GaqvNYVEouYwuCOYWkhDDCfye7zYIeHd/JDderkXtAOnYDuJYF/ViEjU0tyjII sgqA==
X-Gm-Message-State: AOAM531u4pb04L4qp9RtLJ9PeZBlnQBRu16KwpsHt3lwXk+dNKZ0xyxU hUIhJPKRFnyPpW2hm4e5cdMLrA==
X-Google-Smtp-Source: ABdhPJy1Ptz7qCBPwdUaQEPHUOA0NK0EQqPS9xse9AmjozXL/4UkfRz4eUh5aWJ6zNM48jHxCn2GYA==
X-Received: by 2002:ac8:1486:: with SMTP id l6mr4853530qtj.195.1596217244784; Fri, 31 Jul 2020 10:40:44 -0700 (PDT)
Received: from ?IPv6:2601:18b:300:36ee:1d5e:d83c:760:89f9? ([2601:18b:300:36ee:1d5e:d83c:760:89f9]) by smtp.gmail.com with ESMTPSA id o17sm9092097qtr.13.2020.07.31.10.40.44 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 31 Jul 2020 10:40:44 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <860E06E2-2650-4AAE-AD33-D4D12B0290DC@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7951215C-D4FF-4301-B74D-C9BA0BA9FFB9"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Fri, 31 Jul 2020 13:40:42 -0400
In-Reply-To: <d5c245f216c3409f826f8132e532a882@boeing.com>
Cc: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
References: <d5c245f216c3409f826f8132e532a882@boeing.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/VQujTDdIGZ65YVPRzp8iisj5hKo>
Subject: Re: [v6ops] Improving ND security
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 17:40:51 -0000

On Jul 31, 2020, at 1:35 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
> I think as long as the network has a way of associating the key pair with another piece
> of information that accompanies the IPv6 ND message then the network would be able
> to know when the mobile node is using its (single) authorized key. So, for example, if
> the IPv6 ND message included an identity for the MN (sort of like a DHCPv6 DUID), the
> network would know when the MN is using the correct key pair – right? (BTW, I am
> not saying to use DHCPv6 DUID – that is just one example of a MN identity…)

By “NM” I think you mean “Mobile Node?” That’s not really one of the use cases we’re talking about here. Or am I missing something?

In any case, you’re presuming some kind of trust establishment for non-router nodes, right? SEND only talks about trust establishment for routers. And, let’s be frank, doesn’t actually give us enough operational guidance that we would expect what _is_ said to be generally practicable.

v2.23.0 | Report a Bug | By Email