IETF Logo Mail Archive

Re: RFC 5006 and draft-ietf-v6ops-rogue-ra-01

Roque Gagliano <rogaglia@cisco.com> Thu, 10 June 2010 13:26 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1BD483A6A18 for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 10 Jun 2010 06:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.744
X-Spam-Level:
X-Spam-Status: No, score=-8.744 tagged_above=-999 required=5 tests=[AWL=-0.249, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WeUXX0oLjONh for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 10 Jun 2010 06:26:44 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A96613A696E for <v6ops-archive@lists.ietf.org>; Thu, 10 Jun 2010 06:26:43 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1OMhjl-000FK2-EW for v6ops-data0@psg.com; Thu, 10 Jun 2010 13:24:01 +0000
Received: from [64.102.122.148] (helo=rtp-iport-1.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <rogaglia@cisco.com>) id 1OMhji-000FJH-Gl for v6ops@ops.ietf.org; Thu, 10 Jun 2010 13:23:58 +0000
Authentication-Results: rtp-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-Files: smime.p7s : 3815
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEANeDEExAZnwN/2dsb2JhbACeXHGkAposhRgEi0KETA
X-IronPort-AV: E=Sophos; i="4.53,398,1272844800"; d="p7s'?scan'208"; a="120036596"
Received: from rtp-core-2.cisco.com ([64.102.124.13]) by rtp-iport-1.cisco.com with ESMTP; 10 Jun 2010 13:23:56 +0000
Received: from dhcp-144-254-20-199.cisco.com (dhcp-144-254-20-199.cisco.com [144.254.20.199]) by rtp-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o5ADNnpC026691; Thu, 10 Jun 2010 13:23:49 GMT
Received: from [127.0.0.1] by dhcp-144-254-20-199.cisco.com (PGP Universal service); Thu, 10 Jun 2010 15:23:55 +0200
X-PGP-Universal: processed; by dhcp-144-254-20-199.cisco.com on Thu, 10 Jun 2010 15:23:55 +0200
Subject: Re: RFC 5006 and draft-ietf-v6ops-rogue-ra-01
Mime-Version: 1.0 (Apple Message framework v1078)
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <EMEW3|dd6df153f280868f3fff0a6658747efcm59DXr03tjc|ecs.soton.ac.uk|C1E1C597-CC56-48F0-AFD0-35C4496DBED5@ecs.soton.ac.uk>
Date: Thu, 10 Jun 2010 15:23:44 +0200
Cc: v6ops@ops.ietf.org
Message-Id: <7786E853-9157-487E-BE8F-55D69F79C8AF@cisco.com>
References: <291B137B-7316-49A9-8C19-A606DCFCD019@wisc.edu> <5A07BF4F-33AB-4DB5-847B-EA1DF944C9C3@ecs.soton.ac.uk> <EMEW3|561d2bae90c9ddf8f65add274697b1eem58ESQ03tjc|ecs.soton.ac.uk|5A07BF4F-33AB-4DB5-847B-EA1DF944C9C3@ecs.soton.ac.uk> <A2C63160-0157-43E1-BCF7-2CC96B673AE7@cisco.com> <801675CF-788A-4583-9F2C-9362859DFBD6@cisco.com> <C1E1C597-CC56-48F0-AFD0-35C4496DBED5@ecs.soton.ac.uk> <EMEW3|dd6df153f280868f3fff0a6658747efcm59DXr03tjc|ecs.soton.ac.uk|C1E1C597-CC56-48F0-AFD0-35C4496DBED5@ecs.soton.ac.uk>
To: Tim Chown <tjc@ecs.soton.ac.uk>
X-Mailer: Apple Mail (2.1078)
Content-Type: multipart/signed; boundary="Apple-Mail-76--631202464"; protocol="application/pkcs7-signature"; micalg="sha1"
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

Hi Tim,

My comment still stands. You can also have "badness" (just using your words) in other ICMPv6 ND options:  Source link-layer address or MTU or Nonce or Timestamp options.... The rogue RA document up to now only focused on the Prefix Information option.

Probably the core is that the definition in the P2 of section 1 of what a "bogus" or "bad" RA in the context of the document should be improved.

Regards,
Roque.


On Jun 10, 2010, at 2:33 PM, Tim Chown wrote:

> Hi Roque,
> 
> The draft is focused on rogue RAs as that has been an operational issue for us in our dual-stack enterprise for quite some time.   The potential for additional forms of 'badness' to come from RA-based DNS configuration are worth noting, but the mitigations in general are the same.     There may be some additional mitigation methods specific to the DNS option/configuration.
> 
> While we do run tools to detect various forms of NDP 'abuse' on our network, e.g. use of the THC toolkit, we don't (yet) see evidence of that.    The rogue RA problem is far more heavily observed and cited and thus having a consolidated informational problem statement that also describes some potential mitigations focused on that problem is, we believe, useful.   Malicious rogue RAs are quite rare - ones caused by Windows ICS, accidental misconfiguration or devices being moved where their role changes (e.g. 6to4 router at home, client at work) are far more common.   But then we're in a CS dept, so our users tend to be more 'creative'.
> 
> We released ramond (http://ramond.sourceforge.net/) as an enhancement to rafixd as one tool for people to use.   RA Guard also has good potential.
> 
> Tim
> 
> On 10 Jun 2010, at 10:26, Roque Gagliano wrote:
> 
>> Sorry,
>> 
>> I should have said NDP options and not ICMPv6 options.
>> 
>> Roque.
>> 
>> On Jun 10, 2010, at 11:15 AM, Roque Gagliano wrote:
>> 
>>> Hi Tim,
>>> 
>>>> We could add text about this.   That would involve some mention of the problem in Section 1 (introduction), perhaps a brief discussion as an extra point in Section 5, and adding the mitigation mentioned in draft-ietf-6man-dns-options-bis-02 of disabling the host from processing DNS options in the RA (assuming the host implementation supports that of course, which isn't a MUST in the draft as far as I can see).   Other than that, I think the text in the draft about rogue RA 'badness' is generic enough to cover bad DNS information.   I'm happy to work with Stig on such text if it's deemed useful, and won't hold up publication too much more.
>>>> 
>>>> I note that draft-ietf-6man-dns-options-bis-02, which passed 6man WG last call, makes no reference to the rogue RA draft in its own security discussion, and also no mention of RA Guard.
>>>> 
>>> 
>>> Why would the dns-option be different from any other ICMPv6 option in this draft context? I would keep the text generic on reference to ICMP options.
>>> 
>>> Roque
>>> 
>>>> Tim
>>> 
>> 
> 
>

v2.23.0 | Report a Bug | By Email