Re: [v6ops] [EXTERNAL] Improving ND security

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 31 July 2020 17:17 UTC

From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Ted Lemon <mellon@fugue.com>
CC: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, "v6ops list" <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: [EXTERNAL] Improving ND security
Date: Fri, 31 Jul 2020 17:17:43 +0000
Message-ID: <a1881d0c6d3748fa8cec8ea2b2c6559b@boeing.com>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com> <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <91D98D51-4045-4331-A711-8387ECE73400@fugue.com> <a43ffd94d6364a0f869cd4c694ab7432@boeing.com> <5FB3E98B-6CEE-458C-90B7-E6FD73C7AFDE@fugue.com> <caa62d8d93594f7ea445a403fac8c140@boeing.com> <25FAEE9A-3D14-4428-A573-5EFE863219D2@fugue.com>
In-Reply-To: <25FAEE9A-3D14-4428-A573-5EFE863219D2@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/XDm1pX6Ndt4mvzzmiH2SovsepdQ>
Subject: Re: [v6ops] [EXTERNAL] Improving ND security

Does it solve the problem Owen was talking about (overloading neighbor tables as an attack)?  Is there agreement that this is a serious problem in any case?

Ted, I think SEND would solve the neighbor cache resource exhaustion attack since an NCE is
only created on receipt of an authentic (SEND-protected) IPv6 ND message.

I believe that for aviation networks, intelligent transportation systems, and other mobile node
use cases there will certainly be cases where the mobile node comes onto the network via an
unprotected open-access wireless access network. In that case, the only mitigations would be
for the MN to stand up a VPN (which is expensive overkill) or somehow use IPv6 ND with
appropriate authentication controls applied. SEND seems like a good fit for the latter.

Thanks - Fred
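The admission rule Fred describes above (an NCE is created only for an authentic, SEND-protected ND message) rests on the CGA check from RFC 3972, which SEND (RFC 3971) applies to the source address of every ND message it accepts. The following is an added example, not code from the thread or from any SEND implementation: it implements CGA generation and the RFC 3972 section 5 verification steps, then gates a toy neighbor cache on that check so the difference between classic ND and SEND-protected ND under unauthenticated solicitations is visible. Assumptions, beyond what the thread states: the RSA Signature option that real SEND also verifies is omitted, the "public key" is a constructed byte string rather than a DER-encoded RSA key, DAD collision-count retries are not modelled, and `NeighborCache`, `exhaustion_demo` and the 2001:db8::/64 documentation prefix are illustrative choices.

```python
"""Added example (not from the thread): RFC 3972 CGA generation/verification
used as the admission check for a neighbor cache, so that only CGA-verified
(SEND-protected) solicitations can create a Neighbor Cache Entry.

Simplifications (assumptions, not part of the thread): no RSA Signature option
check, a constructed placeholder instead of a DER public key, and no DAD /
collision-count retry (collision count stays 0).
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

PREFIX = bytes.fromhex("20010db800000000")  # 2001:db8::/64, documentation prefix (assumption)
CONSTRUCTED_PUBKEY = b"constructed-public-key-bytes-for-the-example"  # placeholder, not a real key


@dataclass(frozen=True)
class CGAParams:
    modifier: bytes        # 16 bytes
    prefix: bytes          # 8 bytes, the subnet prefix
    collision_count: int   # 0..2 per RFC 3972
    public_key: bytes      # DER public key in real SEND; constructed bytes here


def _hash1(p: CGAParams) -> bytes:
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    data = p.modifier + p.prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]


def _hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier || 9 zero bytes || public key); its leftmost 16*Sec
    bits must be zero. This is the work factor that makes a CGA costly to forge."""
    h2 = int.from_bytes(hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14], "big")
    return (h2 >> (112 - 16 * sec)) == 0


def _interface_id(hash1: bytes, sec: int) -> bytes:
    """Write Sec into bits 0-2 and clear the u/g bits (6 and 7) of the 64-bit IID."""
    iid = bytearray(hash1)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix: bytes, public_key: bytes, sec: int, modifier: Optional[bytes] = None):
    """RFC 3972 section 4: search a modifier satisfying Hash2, then derive the address."""
    mod = int.from_bytes(modifier or os.urandom(16), "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), public_key, sec):
        mod = (mod + 1) % (1 << 128)
    params = CGAParams(mod.to_bytes(16, "big"), prefix, 0, public_key)
    return prefix + _interface_id(_hash1(params), sec), params


def verify_cga(address: bytes, p: CGAParams) -> bool:
    """RFC 3972 section 5: collision count, prefix, Hash1 and Hash2 checks."""
    if len(address) != 16 or p.collision_count not in (0, 1, 2) or p.prefix != address[:8]:
        return False
    iid = address[8:]
    sec = iid[0] >> 5                      # Sec is carried in the 3 leftmost IID bits
    expected = _interface_id(_hash1(p), sec)
    # Bits 0-2 (Sec) and 6-7 (u/g) are excluded from the Hash1 comparison.
    if (expected[0] & 0x1C) != (iid[0] & 0x1C) or expected[1:] != iid[1:]:
        return False
    return _hash2_ok(p.modifier, p.public_key, sec)


class NeighborCache:
    """Toy neighbor cache (assumption): in SEND mode an NCE is created only for a
    solicitation whose source address verifies as a CGA."""

    def __init__(self, max_entries: int, require_send: bool):
        self.max_entries, self.require_send, self.entries = max_entries, require_send, {}

    def on_solicitation(self, src: bytes, params: Optional[CGAParams] = None) -> bool:
        if self.require_send and (params is None or not verify_cga(src, params)):
            return False                   # unauthenticated ND never touches the cache
        if src not in self.entries and len(self.entries) >= self.max_entries:
            return False                   # classic ND: table full, the unauthenticated flood wins
        self.entries[src] = "INCOMPLETE"
        return True


def exhaustion_demo(n: int = 1000, max_entries: int = 256):
    """Offer n unauthenticated solicitations from constructed random on-link sources to
    a classic and a SEND-mode cache, then one CGA-verified solicitation to the SEND cache.
    Returns (classic_entries, send_entries, verified_accepted)."""
    classic, send = NeighborCache(max_entries, False), NeighborCache(max_entries, True)
    for _ in range(n):
        src = PREFIX + os.urandom(8)       # constructed, unverified source address
        classic.on_solicitation(src)
        send.on_solicitation(src)
    addr, params = generate_cga(PREFIX, CONSTRUCTED_PUBKEY, sec=1)
    return len(classic.entries), len(send.entries), send.on_solicitation(addr, params)


if __name__ == "__main__":
    print(exhaustion_demo())   # expected: (256, 0, True)
```

Sec=1 makes `generate_cga` search on average 65536 modifiers before Hash2 has 16 leading zero bits; that cost falls on the legitimate address owner once, while the verifier pays a single SHA-1 per check, which is the asymmetry SEND relies on. The classic-mode cache fills to its limit from unverified sources; the SEND-mode cache stays empty until a solicitation with valid CGA parameters arrives.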


From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Friday, July 31, 2020 9:13 AM
To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
Cc: Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; v6ops list <v6ops@ietf.org>; 6man <ipv6@ietf.org>
Subject: Re: [EXTERNAL] Improving ND security

On Jul 31, 2020, at 12:10 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
I like SEND, and it is written into my documents – is that enough of a push, or do I need
to do more aggressive marketing? Interested in helping?

The push would have to be from somebody producing software that has broad reach. And it would have to solve a real problem or nobody with that reach would try to do it.

Does it solve the problem Owen was talking about (overloading neighbor tables as an attack)?  Is there agreement that this is a serious problem in any case?