Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Nick Hilliard <nick@foobar.org> Thu, 30 July 2020 11:18 UTC

To: Lorenzo Colitti <lorenzo@google.com>
Cc: Vasilenko Eduard <vasilenko.eduard@huawei.com>, 6man <ipv6@ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAKD1Yr1BJTAfp4PE+DY1yxeMm64kHetqBGYc5iaqZd3u0XrWpA@mail.gmail.com> <1e34f59d-4355-9984-e3e9-8c3e4fffffbd@foobar.org> <CAKD1Yr3iwSzZsfDVnihTc+c0Zs7HioqC2F+fCQ4EqyxqUi66tg@mail.gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <5058abe1-cd3c-8268-10f8-7dff487f93c3@foobar.org>
Date: Thu, 30 Jul 2020 12:17:14 +0100
In-Reply-To: <CAKD1Yr3iwSzZsfDVnihTc+c0Zs7HioqC2F+fCQ4EqyxqUi66tg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ayfbRI9o-Id0L6dmTMZhYfPke78>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Lorenzo Colitti wrote on 30/07/2020 12:06:
> On Thu, Jul 30, 2020 at 8:01 PM Nick Hilliard <nick@foobar.org> wrote:
> 
>     > Traffic snooping is not very useful (not zero
>     > utility, but difficult to use well) when all traffic is encrypted, and
>     > on-link DoS attacks just aren't very useful these days given that many
>     > devices have a variety of connectivity options.
> 
>     Surely you're joking?
> 
> Actually I should say on-link snooping. Defeating on-link snooping
> doesn't seem very useful when it's possible for an on-path attacker to
> snoop the traffic at any point between the local link and the destination.

On-link DoS is a significant security problem for IPv6, all the more so
due to ND's protocol weaknesses.

Nick
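The ND weakness referred to in this thread is the one catalogued in RFC 3756 and relevant to a draft about unsolicited ("gratuitous") Neighbor Advertisements: a Neighbor Advertisement carries no authentication, so any on-link host can send one for any target address and, with the Override flag set, overwrite another node's neighbor-cache mapping (RFC 4861 section 7.2.5), which is enough to black-hole or intercept that target's on-link traffic. The following is an added example, not code from the thread, the draft or any implementation: it parses the ICMPv6 body of an NA, then checks it against a neighbor cache to flag advertisements that would remap a known address. The neighbor cache and the NA packets are constructed inline for the example; the ICMPv6 checksum is left at zero because the parser does not verify it, and the `build_na` helper exists only to produce those samples.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ICMPV6_NEIGHBOR_ADVERTISEMENT = 136   # RFC 4861 section 4.4
OPT_TARGET_LINK_LAYER_ADDR = 2        # RFC 4861 section 4.6.1
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 1 << 31, 1 << 30, 1 << 29


@dataclass
class NeighborAdvertisement:
    router: bool
    solicited: bool
    override: bool
    target: ipaddress.IPv6Address
    target_lladdr: Optional[str]   # "aa:bb:cc:dd:ee:ff", or None if no TLLA option


def parse_neighbor_advertisement(icmpv6: bytes) -> NeighborAdvertisement:
    """Parse the ICMPv6 body (type, code, checksum, flags, target, options) of an NA."""
    if len(icmpv6) < 24:
        raise ValueError("truncated Neighbor Advertisement")
    msg_type, code, _checksum, flags = struct.unpack("!BBHI", icmpv6[:8])
    if msg_type != ICMPV6_NEIGHBOR_ADVERTISEMENT or code != 0:
        raise ValueError("not a Neighbor Advertisement")
    target = ipaddress.IPv6Address(icmpv6[8:24])
    lladdr = None
    off = 24
    # Options are TLVs whose length is in units of 8 octets; a zero length
    # is invalid and must be rejected rather than looped on (RFC 4861 section 4.6).
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated ND option")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        end = off + opt_len * 8
        if end > len(icmpv6):
            raise ValueError("ND option overruns message")
        if opt_type == OPT_TARGET_LINK_LAYER_ADDR and opt_len == 1:
            lladdr = icmpv6[off + 2:off + 8].hex(":")   # 48-bit link-layer address
        off = end
    return NeighborAdvertisement(
        router=bool(flags & FLAG_ROUTER),
        solicited=bool(flags & FLAG_SOLICITED),
        override=bool(flags & FLAG_OVERRIDE),
        target=target,
        target_lladdr=lladdr,
    )


def check_na(na: NeighborAdvertisement,
             neighbor_cache: Dict[ipaddress.IPv6Address, str]) -> Optional[str]:
    """Return an alert if a host honouring this NA would replace an existing
    neighbor-cache link-layer address, else None.

    Per RFC 4861 section 7.2.5 an NA whose link-layer address differs from the
    cached one replaces it only when O=1; with O=0 the entry merely goes STALE.
    """
    if na.target_lladdr is None:
        return None
    known = neighbor_cache.get(na.target)
    if known is None or known == na.target_lladdr or not na.override:
        return None
    kind = "solicited" if na.solicited else "unsolicited"
    return (f"{kind} NA with O=1 remaps {na.target} "
            f"from {known} to {na.target_lladdr}")


def build_na(target: str, lladdr: str, *, solicited: bool, override: bool,
             router: bool = False) -> bytes:
    """Construct a sample NA body (checksum left at 0; illustration only)."""
    flags = (router and FLAG_ROUTER) | (solicited and FLAG_SOLICITED) \
        | (override and FLAG_OVERRIDE)
    body = struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERTISEMENT, 0, 0, int(flags))
    body += ipaddress.IPv6Address(target).packed
    body += bytes([OPT_TARGET_LINK_LAYER_ADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    return body


# Constructed neighbor cache: one known on-link host.
SAMPLE_NEIGHBOR_CACHE = {ipaddress.IPv6Address("fe80::1"): "02:00:00:00:00:01"}

# Constructed NAs: a benign unsolicited NA restating the known mapping, the same
# address claimed by a different link-layer address with O=1 (the spoof), and the
# same claim with O=0, which would not overwrite the cached address.
SAMPLE_NAS = {
    "benign":   build_na("fe80::1", "02:00:00:00:00:01", solicited=False, override=True),
    "spoof":    build_na("fe80::1", "02:00:00:00:00:99", solicited=False, override=True),
    "no_override": build_na("fe80::1", "02:00:00:00:00:99", solicited=False, override=False),
}


def scan(nas: Dict[str, bytes], cache=SAMPLE_NEIGHBOR_CACHE) -> Dict[str, Optional[str]]:
    """Run the check over a set of NA bodies and return one verdict per name."""
    return {name: check_na(parse_neighbor_advertisement(raw), cache) for name, raw in nas.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAS).items():
        print(f"{name:12s} {verdict or 'ok'}")
```

The point the check makes concrete is that nothing in the NA itself distinguishes the spoof from the benign advertisement; the only signal is disagreement with state the receiver already holds, which is why ND defences such as RA Guard style snooping on switches, or SEND, have to sit outside the protocol as specified.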