Re: [v6ops] [secdir] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04
Owen DeLong <owen@delong.com> Sun, 11 October 2020 04:30 UTC
Return-Path: <owen@delong.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CE963A09E4; Sat, 10 Oct 2020 21:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=delong.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pP4-IBaBU8Pd; Sat, 10 Oct 2020 21:30:10 -0700 (PDT)
Received: from owen.delong.com (owen.delong.com [IPv6:2620:0:930::200:2]) by ietfa.amsl.com (Postfix) with ESMTP id A8CB83A0E79; Sat, 10 Oct 2020 21:30:05 -0700 (PDT)
Received: from [IPv6:2001:470:496b:0:901d:ceeb:51a:4faf] ([IPv6:2001:470:496b:0:901d:ceeb:51a:4faf]) (authenticated bits=0) by owen.delong.com (8.15.2/8.15.2) with ESMTPSA id 09B4Tqja2997134 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 10 Oct 2020 21:29:53 -0700
DKIM-Filter: OpenDKIM Filter v2.11.0 owen.delong.com 09B4Tqja2997134
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delong.com; s=mail; t=1602390595; bh=aSkwdudthiN93Ss804ZMIop7b1s7S4vvC5UMLDNhBXU=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=CpuTdAVt0BpyFBjOX47Fo/C16ultYu6wLifQ45QV07leBqg18cd2IFACwdrMuxsOS 9yXILCzn5ZjNNdmw4O0OgGywmt4IPhy9VtHd6+pLHG7y4GYm/Fv8cHo2YhAneHpmXM HCpsPT/BD8GYxZ/7fq5fLYQknmuFeHWOf2kq0Hzk=
From: Owen DeLong <owen@delong.com>
Message-Id: <033A6CDA-63DD-4E3B-9AEB-EAF36B7F8AB7@delong.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_61384999-21CE-4B04-B471-5926992A9BC9"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Sat, 10 Oct 2020 21:29:52 -0700
In-Reply-To: <54DA4651-1C55-4DF9-BF3D-7E851B6692F4@mit.edu>
Cc: Ted Lemon <mellon@fugue.com>, "v6ops@ietf.org" <v6ops@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Christopher Wood via Datatracker <noreply@ietf.org>, "draft-ietf-v6ops-cpe-slaac-renum.all@ietf.org" <draft-ietf-v6ops-cpe-slaac-renum.all@ietf.org>, Christopher Wood <caw@heapingbits.net>
To: Uri Blumenthal <uri@mit.edu>
References: <4FC30E5B-EF9F-4238-A683-CE8235BDD2EF@fugue.com> <54DA4651-1C55-4DF9-BF3D-7E851B6692F4@mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (owen.delong.com [IPv6:2620:0:930:0:0:0:200:2]); Sat, 10 Oct 2020 21:29:55 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/dYTLBaw_1yMGzXIuzvO2uniI0Ps>
Subject: Re: [v6ops] [secdir] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Oct 2020 04:30:16 -0000
Virtually anyone that could possibly be on both interfaces has access to do far more damage to the network than would be possible from this particular vulnerability. The northbound interface is between the CPE and the ISP. The southbound interface is to the site local area networks. Only the site administrator(s) should (theoretically) have access to both networks. An attacker who has access to both can override virtually any automated network provisioning at the local site. Owen > On Sep 9, 2020, at 7:17 PM, Uri Blumenthal <uri@mit.edu> wrote: > > Capability-wise, what's the likelihood that the attacker would be present on the southbound interface, but *not* on the northbound one? > > Sent from my test iPhone > >> On Sep 9, 2020, at 19:32, Ted Lemon <mellon@fugue.com> wrote: >> >> On Sep 9, 2020, at 7:16 PM, Christopher Wood via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote: >>> - Section 3: is it possible for an attacker to send DHCPv6 Prefix Delegations >>> with lifetime=0 to CE routers that support LAN-side DHCPv6 and amplify >>> Reconfigure messages to supporting clients? (I don't know if this is a concern >>> or part of the threat model, but this did seem to be a case of possible >>> request/response asymmetry.) - Section 4: rationale for these default values, >>> if available, might be worth including. (Why not make them shorter? What are >>> the tradeoffs?) - Section 6: it might be worth noting what happens if stable >>> storage is unavailable or otherwise compromised when trying to store prefix >>> information. What happens if the "A" or "L" bits are modified? (I suspect >>> nothing dangerous, but it's not clear to me whether or not integrity is >>> important.) >> >> The attacker on the southbound link would have to know the transaction ID of the DHCP request/confirm/renew message, which is only sent on the northbound interface, and would have to know the DUID and IAID used by the client, again never seen on the southbound link, and would have to know the server’s DUID, again only visible northbound. I don’t think this is a feasible attack. It’s hard to see what the benefit of such an attack would be—in order to effect this attack without knowledge of the exchange on the northbound interface, the client would have to be continuously spamming the southbound link with attempts, so that would be a negative amplication factor of perhaps 2^256, perhaps less if the identifiers can be predicted and renewal times can be predicted. >> >> And this assumes that the DHCPv6 PD client on the CPE device will even accept a DHCP Reply on its southbound interface. >> >> :) >> >> _______________________________________________ >> secdir mailing list >> secdir@ietf.org >> https://www.ietf.org/mailman/listinfo/secdir >> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops
- [v6ops] Secdir last call review of draft-ietf-v6o… Christopher Wood via Datatracker
- Re: [v6ops] Secdir last call review of draft-ietf… Ted Lemon
- Re: [v6ops] [secdir] Secdir last call review of d… Uri Blumenthal
- Re: [v6ops] [secdir] Secdir last call review of d… Ted Lemon
- Re: [v6ops] Secdir last call review of draft-ietf… Fernando Gont
- Re: [v6ops] [secdir] Secdir last call review of d… Fernando Gont
- Re: [v6ops] Secdir last call review of draft-ietf… Christopher Wood
- Re: [v6ops] Secdir last call review of draft-ietf… Christopher Wood
- Re: [v6ops] Secdir last call review of draft-ietf… Warren Kumari
- Re: [v6ops] [secdir] Secdir last call review of d… Owen DeLong