Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
"Marksteiner, Stefan" <stefan.marksteiner@joanneum.at> Tue, 25 September 2012 09:42 UTC
Return-Path: <stefan.marksteiner@joanneum.at>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CFA021F888E for <v6ops@ietfa.amsl.com>; Tue, 25 Sep 2012 02:42:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.822
X-Spam-Level:
X-Spam-Status: No, score=0.822 tagged_above=-999 required=5 tests=[AWL=0.162, BAYES_05=-1.11, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P0OwAbPZ+d9I for <v6ops@ietfa.amsl.com>; Tue, 25 Sep 2012 02:42:55 -0700 (PDT)
Received: from rzjgate.joanneum.ac.at (rzjgate.joanneum.ac.at [143.224.185.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBD7921F87EF for <v6ops@ietf.org>; Tue, 25 Sep 2012 02:42:52 -0700 (PDT)
Received: from RZJS078.jr1.local (rzjs078.joanneum.ac.at [143.224.71.19]) by rzjgate.joanneum.ac.at (8.13.8/8.13.8) with ESMTP id q8P9ghri024120; Tue, 25 Sep 2012 11:42:43 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joanneum.at; s=sel3; t=1348566164; bh=p1euodXC9wfVCwvKOvNqdajYlg1lT4UKvDUuwYQea1o=; h=From:To:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=Gi7tfjKiEbLOyyyZkQvNRtedoE4Pdq3J22qucx494xBFpbbtN91tC6A7gDiZ+q3oY jFu7nB8rXydr3E4yf7rfjX5/Jduizc1o1hXXMcyKcfNZDgQ3xbclZvk4RzNejWtaCb qNe35U5VNBz2diX9Ced7fSIe7rWGlwYWvIdZ6XJc=
Received: from RZJC1EX.jr1.local ([169.254.2.9]) by RZJS078.jr1.local ([143.224.71.19]) with mapi; Tue, 25 Sep 2012 11:42:43 +0200
From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>, IPv6 Ops WG <v6ops@ietf.org>
Date: Tue, 25 Sep 2012 11:42:42 +0200
Thread-Topic: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
Thread-Index: Ac2alGOmRXLD95pFS5uNww+GZ/7kNQAZ3azR
Message-ID: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D902@RZJC1EX.jr1.local>
References: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D8FF@RZJC1EX.jr1.local>, <1348519034.47465.YahooMailNeo@web32503.mail.mud.yahoo.com>
In-Reply-To: <1348519034.47465.YahooMailNeo@web32503.mail.mud.yahoo.com>
Accept-Language: de-DE, de-AT
Content-Language: de-AT
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE, de-AT
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 09:42:56 -0000
Hi Mark, First of all I think I've forgotten to clarify that I'm talking about IIDs, sorry ;) The aim of my thoughts would be to make it harder for externals to scan for attackable addresses. One often cited (mostly by marketeers) benefit of IPv6 is the vast amount of addresses per subnet making it seemingly harder to scan, which would be nullified if companies used simple sequential addressing. You're of course right that most (potential) attackers are insiders - but they likely wouldn't have to scan anyway, instead the would probably already have knowledge of alive (and maybe even vulnerable) hosts. Thus, they aren't my focus in this matter, but instead are "black box"-scanners and Internet worms. ULA/LLA are, as you've correctly stated, the best choice if you don't need Internet connection, but what about workstations for employees needing the Internet? I'm suggesting to recommend companies to use a different scheme as ::1;::2 or ::BABE;::CAFE or even ::4593;4594 and so on which according to some studies (e.g. [1], pp.65-75, especially 68) most administrators unfortunately do. What might be needed to change this would be a scheme which is practicably administrable in the easiest possible way. This would have, in my opinion, two benefits. Firstly it would render standard scanning procedures for IPv6 like sequential scanning and scanning for "funny" addresses pretty much useless. Secondly, if the numbers are, seen from the outside, seemingly random, it wouldn't help a scanner or worm if he or it discovered a single address by chance (e.g. by a log entry) and took it as a starting point for further scanning. I'm aware of the discussions about security by obscurity and that a good firewall is needed anyway to secure internal assets, but I would find it nice if the often cited "security argument" that IPv6 subnets are merely impossible to scan would be true (again) :) Cheers, Stefan [1]http://www.mh-sec.de/downloads/mh-ipv6_vulnerabilities.pdf ________________________________________ Von: Mark ZZZ Smith [markzzzsmith@yahoo.com.au] Gesendet: Montag, 24. September 2012 22:37 An: Marksteiner, Stefan; IPv6 Ops WG Betreff: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157 Hi Stefan, ----- Original Message ----- > From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at> > To: IPv6 Ops WG <v6ops@ietf.org> > Cc: > Sent: Tuesday, 25 September 2012 4:03 AM > Subject: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157 > > > Hi Folks, > > RFC5157 presents hazards of sequentially numbering IPv6 networks and technical > means (like CGAs and privacy extensions) to mitigate them. Unfortunately these > mitigation methods may be deemed difficult to handle for administrators (SEND > may be too complicated to implement, PEs bring difficulties to keep track of IP > addresses). Therefore there may be demand for an addressing scheme (rather than > a technical method) that makes IPv6 addresses easy to predict for tech staff but > difficult to do so by outsiders, building a low-end supplement for the methods > mentioned in RFC5157. I think it might be worth having a bit more of a think about who might be inclined to attack you - for a typical non-Internet services organisation, I think it's more likely going to be disgruntled ex-staff, and it'll be hard to make them forget "numbers" / addresses or prevent them copying the mapping application if they have an inkling they're going to get fired. > > What I have in mind is an simple mental arithmetic operation, which generates an > address out of a company fixed part plus a sequential number for host. > Alternatively a Hash-Operation consisting again of a secret organisational plus > a sequential host number. The first requires the scheme to be slightly different > in every organisation in order to have a negative impact on IPv6 scanning from > external sources, the second is more secure but requires an internal web site or > smartphone app in order for field engineers to calculate an address out of the > sequential information. > It sounds like here you're talking about a subnet numbering scheme. The common prefix size for most organisations is going to be /56 or 256 /64 subnets, or /48 or 65K /64 subnets. Many providers seem to be leaning towards /56s unless their customers ask for a /48, which provides very little address space to effectively hide the in-use subnet numbers from a scanning based attack (and that's one of the reasons why I'd be giving customers /48s from the outset). One advantage though of IPv6 is that it is possible to phase in and phase out addressing using the address/prefix lifetimes mechanism, so it would be possible to change assigned in your network prefixes on e.g. a weekly basis. If your fundamental goal is to make internal links unreachable from the Internet, they can be not assigned a global prefix, and numbered from either the ULA address space (RFC4193) or left as link-locals only ("unnumbered"). You may be interested in the following, which discusses link-local only addressing - "Using Only Link-Local Addressing Inside an IPv6 Network" http://tools.ietf.org/html/draft-behringer-lla-only-01 Regards, Mark. > My question is, in your opinion, would this be worthwhile to be formulated as an > ID an be drafted or does this idea sound absurd? > > > Cheers, > > Stefan > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Operational guidelines for a company/orga… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Mark ZZZ Smith
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Brian E Carpenter
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Mark ZZZ Smith
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Brian E Carpenter
- Re: [v6ops] Operational guidelines for a company/… Marksteiner, Stefan
- Re: [v6ops] Operational guidelines for a company/… Philipp Kern
- Re: [v6ops] Operational guidelines for a company/… John Mann
- Re: [v6ops] Operational guidelines for a company/… Fernando Gont
- Re: [v6ops] Operational guidelines for a company/… Fernando Gont