Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Nick Buraglio <buraglio@forwardingplane.net> Tue, 07 February 2023 20:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ZxDEUU9XQt7kuE3d1kyZMCpgePY>

On Mon, Feb 6, 2023 at 10:28 PM Fernando Gont <fgont@si6networks.com> wrote:

> Folks,
>
> FYI, this one is targeted at opsec, but might be of interest to this group:
>
> * TXT:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
>
> Thanks!
>
> Regards,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: (IETF I-D); Implications of IPv6 Addressing on Security
> Operations (Fwd: New Version Notification for
> draft-gont-opsec-ipv6-addressing-00.txt)
> Date: Fri, 3 Feb 2023 01:28:17 -0300
> From: Fernando Gont <fgont@si6networks.com>
> To: opsec@ietf.org
>
> Hi, All,
>
> I happened to participate in an IPv6 deployment meeting with some large
> content provider. Eventually there was a discussion about how to
> mitigate some attacks using block-lists, and they argued that they ban
> offending addresses (/128 for the IPv6 case), following IPv4 practices.
> While they had already deployed IPv6, some of the associated
> implications arising from the increased address space seemed to be
> non-obvious to them.
>
> A few things that may be useful to add:

Using data enrichment such as correlation of address to behavior (i.e. use
of a passive system to look for patterns in addressing to behavior) may
decrease false positives. This is how we determine if we should or should
not filter ephemeral addresses, both v4 and v6, and it works well. It does
not lend itself to reputation lists in the larger sense, but over time it
will absolutely show patterns and curves in behavior to specific blocks
just like in IPv4.

Adding in some data about the detrimental effects of over-filtering, and
the very real possibility of creating DoS events based on too many routes
in the blackhole table, etc. Easy enough to alleviate with filters, but
also leaves a bit of exposure in doing so (as you mentioned in the filter
FIFO addressing behavior).

Having blackhole behavior or filter behavior that is expected to be
ephemeral and increasing in duration may aid in some of the resource and
minimize false positive impact. E.g. IP resource misbehaves, it is filtered
for n minutes and then unblocked. Second offense is 15 minutes, third
offense is a day, whatever, you get the point. This is, again, how orgs I
have worked with for years have chosen to do things, and it works well for
those use cases.

Operationally I have never felt that reputation lists are terribly useful,
personally (likely due to the old RBL days and pain caused by them), but
having them there as a guide is sometimes useful.


> So that's what motivated the publication of this document.
>
> * TXT:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html


FWIW, I didn't read it as implying that SLAAC was undesirable, but I did
only give it a quick skim.

>
>
> Comments welcome!
>
> Thanks,
> Fernando
>
>
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-opsec-ipv6-addressing-00.txt
> Date: Thu, 02 Feb 2023 19:48:40 -0800
> From: internet-drafts@ietf.org
> To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont
> <ggont@si6networks.com>
>
>
> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name:           draft-gont-opsec-ipv6-addressing
> Revision:       00
> Title:          Implications of IPv6 Addressing on Security Operations
> Document date:  2023-02-02
> Group:          Individual Submission
> Pages:          8
> URL:
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
>
>
> Abstract:
>     The increased address availability provided by IPv6 has concrete
>     implications on security operations.  This document discusses such
>     implications, and sheds some light on how existing security
>     operations techniques and procedures might need to be modified
>     to accommodate the increased IPv6 address availability.
>
>
>
>
> The IETF Secretariat
>
>
>
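
The escalating, self-expiring filter described in the reply above, sketched as an added example that is not part of the original message or the draft. The 5-minute value for "n", the /64 aggregation for IPv6, the table cap and all names are assumptions.

```python
import ipaddress

# Assumed policy: the message gives "n minutes", 15 minutes, a day; n=5 is an assumption.
DURATIONS = [5 * 60, 15 * 60, 24 * 3600]

class EphemeralBlocklist:
    """Time-limited blocks that lengthen per repeat offense, with a hard size cap."""

    def __init__(self, durations=DURATIONS, v6_prefix=64, max_entries=1000):
        self.durations = durations
        self.v6_prefix = v6_prefix      # assumption: track IPv6 offenders per /64, not /128
        self.max_entries = max_entries  # assumption: bound on the blackhole/filter table
        self.offenses = {}              # network -> number of offenses seen
        self.active = {}                # network -> expiry time (seconds)

    def key(self, addr):
        ip = ipaddress.ip_address(addr)
        plen = self.v6_prefix if ip.version == 6 else 32
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def expire(self, now):
        for net in [n for n, t in self.active.items() if t <= now]:
            del self.active[net]

    def report(self, addr, now):
        """Record an offense. Returns the block duration, or None if the table is full."""
        self.expire(now)
        net = self.key(addr)
        if net not in self.active and len(self.active) >= self.max_entries:
            # Refusing to grow keeps the table from becoming the DoS itself,
            # at the cost of leaving this source unfiltered until entries expire.
            return None
        count = self.offenses.get(net, 0) + 1
        self.offenses[net] = count
        duration = self.durations[min(count, len(self.durations)) - 1]
        self.active[net] = now + duration
        return duration

    def is_blocked(self, addr, now):
        self.expire(now)
        return self.key(addr) in self.active

if __name__ == "__main__":
    bl = EphemeralBlocklist()
    # Constructed sample events: (address, time in seconds)
    for addr, t in [("2001:db8:1:2::a", 0), ("2001:db8:1:2::b", 400), ("192.0.2.7", 400)]:
        print(addr, "->", bl.report(addr, t), "seconds")
```
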