Re: [v6ops] [EXTERNAL] Re: Improving ND security

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Mon, 03 August 2020 14:22 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F7DB3A0B22; Mon, 3 Aug 2020 07:22:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=boeing.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pxgm9ycnUGiT; Mon, 3 Aug 2020 07:22:49 -0700 (PDT)
Received: from clt-mbsout-01.mbs.boeing.net (clt-mbsout-01.mbs.boeing.net [130.76.144.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4354B3A0B2E; Mon, 3 Aug 2020 07:22:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by clt-mbsout-01.mbs.boeing.net (8.15.2/8.15.2/DOWNSTREAM_MBSOUT) with SMTP id 073EMhoN011525; Mon, 3 Aug 2020 10:22:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=boeing.com; s=boeing-s1912; t=1596464565; bh=NJOcHugngNrPfx3fFTInAbfCXDU1We7X0RNCkyNbzfw=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=mSv8PI40iA1Mj4R/oHBErbRuk1jVZ0Mq/2NBDTLJQ0J6OJnv5MWNrVQnArOISCGmh 9vr5Uu3SmV6UWMVxz3VV9P/sZhhGwvVeADNAfQcNNlWbd5ZLWKfzopkY0KDI0Dhf+f mLUyxq4tL4p3/qizZialmBaxMvY1TY8IaH6+Cf5icaCO0gnhoGKZHxnOsVPakznJcI ld1iSQKfpBqawwgbikGtsWiHN6OenUYX22z6M6Q9FmE5af/pSgs8vrxdOsoOgLhAtv WWjituyDXJsWHKsUJ1KlJATiu1BC6yUoZ+QIUfjVUWvujubvS8YdkMaF8V0FF8fQHN S6xZeynYUFKzg==
Received: from XCH16-07-08.nos.boeing.com (xch16-07-08.nos.boeing.com [144.115.66.110]) by clt-mbsout-01.mbs.boeing.net (8.15.2/8.15.2/8.15.2/UPSTREAM_MBSOUT) with ESMTPS id 073EMWKI010253 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Mon, 3 Aug 2020 10:22:32 -0400
Received: from XCH16-07-10.nos.boeing.com (144.115.66.112) by XCH16-07-08.nos.boeing.com (144.115.66.110) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1979.3; Mon, 3 Aug 2020 07:22:31 -0700
Received: from XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5]) by XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5%2]) with mapi id 15.01.1979.003; Mon, 3 Aug 2020 07:22:31 -0700
From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
CC: 6man <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Thread-Topic: [EXTERNAL] Re: Improving ND security
Thread-Index: AdZnYGykJNK1kk2zSneWe05yLDtm6gAO/XoAAA6T6+D//9BAgIAAcUNg//yt9vA=
Date: Mon, 3 Aug 2020 14:22:31 +0000
Message-ID: <b5043a5446914cb5b12ed76401359c7e@boeing.com>
References: <d5c245f216c3409f826f8132e532a882@boeing.com> <860E06E2-2650-4AAE-AD33-D4D12B0290DC@fugue.com>, <b66ce3d9c75d4a39b5336dcdf9929411@boeing.com> <0DDEBA6C-3933-40FC-BB9C-33FA59DC9D76@cisco.com> <4907a159683346789bef5c495f03f95d@boeing.com>
In-Reply-To: <4907a159683346789bef5c495f03f95d@boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [137.137.12.6]
x-tm-snts-smtp: E8B40F3166717CC7F673BF1FEB56136C163E300CC19CF4F3CF5CE000E83A99092000:8
Content-Type: multipart/alternative; boundary="_000_b5043a5446914cb5b12ed76401359c7eboeingcom_"
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ckwiqK9McXy0GEPqB8qya33S3eQ>
Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 14:22:57 -0000

Here’s another think about SEND. RFC3971 SEND says that it works in conjunction with
Cryptographically Generated addresses (CGA) per RFC3972. But, CGAs are cumbersome
to work with as the source and destination addresses of IPv6 packets, and SEND hints
that it can be used without CGA but does not tell how to do so.

But then, RFC4380 offers a “poor-man’s” alternative to SEND/CGA. It places a message
authentication code in the encapsulation headers of IPv6 ND messages so that the
messages can pass a rudimentary authentication check. So someone with security
experience please help me out here – is RFC4380 authentication an acceptably
secure  replacement for SEND/CGA that might be easier to work with and less
cumbersome?

Thanks - Fred

From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin (US), Fred L
Sent: Friday, July 31, 2020 3:13 PM
To: Pascal Thubert (pthubert) <pthubert@cisco.com>
Cc: 6man <ipv6@ietf.org>rg>; v6ops list <v6ops@ietf.org>
Subject: RE: [EXTERNAL] Re: Improving ND security

Hi Pascal, see below:

A major attack vector is an external attacker sending packets to the 2^64 or so possible addresses in the subnet.
[>] Subnet?? As in, an on-link IPv6 prefix? The large NBMA link that I want to use SEND
on will not have any of those – link-local only.

The attack causes a denial of service at the router that MUST store one packet for one second and multicast a NS lookup, which multiplies the effect.
[>] Again, we are talking about different kinds of links; there will not be any sort of
multicast explosion on the NBMA link based on a router receiving a SEND-protected
IPv6 ND message.

The attack is easy to perform from the outside and send offers no protection.
[>] For the OMNI NBMA link, the process is based on a Client sending a SEND-protected
RS message to exactly one router. The router authenticates the RS before processing it
further, which may include returning a unicasted RA. No NCEs are created until the RS
has been authenticated, and no multicast storms are initiated.

The only clear protection is to know in advance all the addresses present in the network and drop the rest. GRAND offers a way to preset the ND cache which is better than nothing but it offers no guarantee that the router has the full set of addresses I. Cache. In fact the concept of a cache is dated from the days memory was scarce and expensive. This concept is not needed And rather harmful in modern networks.
[>] The OMNI routers are not going to require any kind of ND cache presets; they
simply establish NCEs upon receipt *and* authentication of good RS messages.

Thanks - Fred

Regards,

Pascal

Le 31 juil. 2020 à 19:49, Templin (US), Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> a écrit :

Hi Ted,

By “NM” I think you mean “Mobile Node?” That’s not really one of the use cases we’re talking about here. Or am I missing something?
[>]
Or, just call it a (mobile) “Stub-Network” – I think we are talking about the same
thing here.

In any case, you’re presuming some kind of trust establishment for non-router nodes, right? SEND only talks about trust establishment for routers. And, let’s be frank, doesn’t actually give us enough operational guidance that we would expect what _is_ said to be generally practicable.
[>]
OK, the specs I have been working dip their toes into the SEND pool but maybe they
should be updated to dive in completely? With an adoption call in progress, I don’t
know if it would be a good idea to make changes right now but be assured that it
will be added to the TODO list – would that be acceptable for now?

Thanks - Fred