Re: [v6ops] [EXTERNAL] Re: Improving ND security

Christian Huitema <huitema@huitema.net> Mon, 03 August 2020 17:03 UTC

From: Christian Huitema <huitema@huitema.net>
Date: Mon, 3 Aug 2020 10:01:52 -0700
Message-Id: <AA568F39-3733-4F73-872E-2E84EDA2F077@huitema.net>
References: <3978163f-8815-1bd4-0fda-d84df9cbe684@gont.com.ar>
Cc: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
In-Reply-To: <3978163f-8815-1bd4-0fda-d84df9cbe684@gont.com.ar>
To: Fernando Gont <fernando@gont.com.ar>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ZFoSCMTrgVmx_OhpFiBWkO6GXRU>

> On Aug 3, 2020, at 9:35 AM, Fernando Gont <fernando@gont.com.ar> wrote:
> 
> On 3/8/20 11:22, Templin (US), Fred L wrote:
>> ...
> 
>> But then, RFC4380 offers a “poor-man’s” alternative to SEND/CGA. It places a message authentication code in the encapsulation headers of IPv6 ND messages so that the messages can pass a rudimentary authentication check.
> 
> You mean the Teredo spec? If so, I don't think it includes any sort of poor-man's SEND-CGA.

Configuration mistakes were a big concern during the design of Teredo, and that's a reason why Teredo embeds continuity tests. But these tests will not resist an on-path attacker, let alone an on-link attacker.

> 
> 
>> ...

-- Christian Huitema