Re: [v6ops] Please review the No IPv4 draft

Fernando Gont <fernando@gont.com.ar> Wed, 30 April 2014 08:27 UTC

Message-ID: <5360AA69.1050400@gont.com.ar>
Date: Wed, 30 Apr 2014 04:46:49 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: Lorenzo Colitti <lorenzo@google.com>, Mikael Abrahamsson <swmike@swm.pp.se>
References: <9B4139A3-77F7-4109-93AD-A822395E5007@nominum.com> <m2mwf59uht.wl%Niall.oReilly@ucd.ie> <7310412C-64E9-4A11-9812-92A969082131@nominum.com> <20140428190804.GK43641@Space.Net> <446A720E-1128-4FFF-BB3B-780EACA9610B@nominum.com> <535EBC20.10900@foobar.org> <20140428213045.GL511@havarti.local> <19B5B5AB-FF86-408B-8E73-D5350853965B@foobar.org> <3563D9EE-CD40-4E75-A1CB-C3FB50EEEBC4@nominum.com> <535F3624.4020801@foobar.org> <alpine.DEB.2.02.1404290726011.29282@uplift.swm.pp.se> <535F3A8C.2050902@foobar.org> <E68028C1-2E6D-4D07-A113-60757457E286@nominum.com> <535F99A9.3030402@foobar.org> <0C03200E-B349-44D4-BE3F-512AD6A7A417@nominum.com> <535FCB2C.3030502@foobar.org> <8DB83B3D-D09C-4977-9B4F-75EA2DD3B71D@nominum.com> <53601BED.4050200@foobar.org> <37DC9152-EEE3-4EEF-81C7-AD5B6D0E9892@nominum.com> <536033DD.8020800@foobar.org> <alpine.DEB.2.02.1404300607110.29282@uplift.swm.pp.se> <CAKD1Yr3o1vEzCQz086KZzUemmsYopDHijZbXivW1+bCGPcPpiQ@mail.gmail.com>
In-Reply-To: <CAKD1Yr3o1vEzCQz086KZzUemmsYopDHijZbXivW1+bCGPcPpiQ@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/_fms5fWnrbbVUPE0IwVsb-0RLc8
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Please review the No IPv4 draft

On 04/30/2014 02:36 AM, Lorenzo Colitti wrote:
> On Wed, Apr 30, 2014 at 1:09 PM, Mikael Abrahamsson <swmike@swm.pp.se
> <mailto:swmike@swm.pp.se>> wrote:
> 
>     Nick, if you're not doing this today you're exposing your customers
>     to MITM attacks and all kinds of other bad things. What this
>     proposal is doing is adding one more reason to implement proper L2
>     security. You're already screwed, this mechanism just adds one more
>     way you're screwed.
> 
> 
> Today, you're not too badly screwed if your first-hop security supports
> IPv4 and your network only provides IPv4.
> 
> Yes, it's true that a rogue RA can still blackhole or MITM your traffic,
> but happy eyeballs will protect you to some degree against blackholing,

Not necessarily. For instance, you can send an RA with RDNSS, and then
spoof DNS responses, and not even advertise a single A record.

Or spoof RAs and DHCP-server packets and advertise yourself as the
recursive DNS server.

Or just be very fast to respond to the IPv6-based SYN, such that IPv6
wins the HappyEyeballs race.

Cheers,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
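The first vector Fernando describes (a rogue RA carrying an RDNSS option that points hosts at an attacker-controlled resolver) is something a monitoring point on the segment can check for directly. The following is an added detection example, not code from the thread or any cited project: it parses an ICMPv6 Router Advertisement (RFC 4861) and its RDNSS options (RFC 8106) and reports any advertised resolver that is not on an operator-maintained allowlist. The allowlist addresses and the sample RA are constructed for illustration.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement type (RFC 4861) and the RDNSS option type (RFC 8106).
ICMPV6_RA = 134
OPT_RDNSS = 25


def rdnss_addresses(icmpv6: bytes) -> list[ipaddress.IPv6Address]:
    """Return every recursive DNS server address carried in an RA's RDNSS options."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_RA:
        return []
    servers = []
    off = 16  # fixed RA header: type, code, checksum, hop limit, flags, lifetimes
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:  # RFC 4861: a zero-length option is invalid; stop parsing
            break
        end = off + opt_len * 8  # option length is counted in 8-octet units
        if end > len(icmpv6):  # truncated option: do not read past the packet
            break
        if opt_type == OPT_RDNSS and opt_len >= 3:
            body = icmpv6[off + 8:end]  # skip type, length, reserved, lifetime
            for i in range(0, len(body) - 15, 16):
                servers.append(ipaddress.IPv6Address(body[i:i + 16]))
        off = end
    return servers


def rogue_rdnss(icmpv6: bytes, allowed: set[str]) -> list[str]:
    """Resolver addresses advertised by the RA that are not on the allowlist."""
    allowed_addrs = {ipaddress.IPv6Address(a) for a in allowed}
    return [str(a) for a in rdnss_addresses(icmpv6) if a not in allowed_addrs]


def build_ra(servers: list[str], lifetime: int = 1800) -> bytes:
    """Constructed sample RA with a single RDNSS option (checksum left zero)."""
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    body = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime) + body
    return header + opt


if __name__ == "__main__":
    # Constructed sample: the legitimate resolver plus one unexpected address.
    sample = build_ra(["2001:db8::53", "2001:db8:bad::1"])
    print("unexpected RDNSS servers:", rogue_rdnss(sample, {"2001:db8::53"}))
```

In practice the bytes would come from the ICMPv6 payload of a captured packet on the segment (e.g. via a raw socket or pcap), and a hit should be correlated with the link-layer source so the offending port can be identified; RA Guard on the switch remains the primary control.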