Re: [v6ops] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04

Christopher Wood <caw@heapingbits.net> Thu, 17 September 2020 18:09 UTC

Message-Id: <37778f64-1ad6-4f79-914e-9947ef886e14@www.fastmail.com>
In-Reply-To: <4FC30E5B-EF9F-4238-A683-CE8235BDD2EF@fugue.com>
References: <159969337123.15697.6820068156665930267@ietfa.amsl.com> <4FC30E5B-EF9F-4238-A683-CE8235BDD2EF@fugue.com>
Date: Thu, 17 Sep 2020 11:08:59 -0700
From: Christopher Wood <caw@heapingbits.net>
To: Ted Lemon <mellon@fugue.com>, Christopher Wood via Datatracker <noreply@ietf.org>
Cc: "secdir@ietf.org" <secdir@ietf.org>, last-call@ietf.org, v6ops@ietf.org, draft-ietf-v6ops-cpe-slaac-renum.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/f6RYp0yI7FNFIMuw4W-bApA9isA>


On Wed, Sep 9, 2020, at 4:31 PM, Ted Lemon wrote:
> On Sep 9, 2020, at 7:16 PM, Christopher Wood via Datatracker 
> <noreply@ietf.org> wrote:
> > - Section 3: is it possible for an attacker to send DHCPv6 Prefix Delegations
> >   with lifetime=0 to CE routers that support LAN-side DHCPv6 and amplify
> >   Reconfigure messages to supporting clients? (I don't know if this is a concern
> >   or part of the threat model, but this did seem to be a case of possible
> >   request/response asymmetry.)
> > - Section 4: rationale for these default values, if available, might be worth
> >   including. (Why not make them shorter? What are the tradeoffs?)
> > - Section 6: it might be worth noting what happens if stable storage is
> >   unavailable or otherwise compromised when trying to store prefix information.
> >   What happens if the "A" or "L" bits are modified? (I suspect nothing dangerous,
> >   but it's not clear to me whether or not integrity is important.)
> 
> The attacker on the southbound link would have to know the transaction 
> ID of the DHCP request/confirm/renew message, which is only sent on the 
> northbound interface, and would have to know the DUID and IAID used by 
> the client, again never seen on the southbound link, and would have to 
> know the server’s DUID, again only visible northbound. I don’t think 
> this is a feasible attack. It’s hard to see what the benefit of such an 
> attack would be—in order to effect this attack without knowledge of the 
> exchange on the northbound interface, the client would have to be 
> continuously spamming the southbound link with attempts, so that would 
> be a negative amplification factor of perhaps 2^256, perhaps less if the 
> identifiers can be predicted and renewal times can be predicted.
> 
> And this assumes that the DHCPv6 PD client on the CPE device will even 
> accept a DHCP Reply on its southbound interface.
> 
> :)

That makes sense -- thanks for clarifying!
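The acceptance checks Ted enumerates (ingress interface, transaction-id, client DUID, server DUID, IAID), written out as an added example that is not part of this thread or of the draft: a Python sketch of what a CE router's DHCPv6 PD client does before it acts on any lifetime in a Reply. It assumes the RFC 8415 message and option layout; the interface names, DUIDs, transaction-id and the lifetime=0 Reply are constructed for the demo.

```python
import struct
from collections import namedtuple
MSG_REPLY = 7  # RFC 8415 msg-type for Reply
OPT_CLIENTID, OPT_SERVERID, OPT_IA_PD, OPT_IAPREFIX = 1, 2, 25, 26
PendingPD = namedtuple("PendingPD", "ifname xid client_duid server_duid iaid")  # one outstanding Request/Renew/Rebind

def parse_options(buf):
    """Walk a DHCPv6 option list: 2-byte code, 2-byte length, value."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        if off + 4 + length > len(buf):
            raise ValueError("truncated option")
        opts.append((code, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return opts

def accept_reply(pending, ifname, msg):
    """Apply the checks in the order Ted lists; return (accepted, reason)."""
    if ifname != pending.ifname:
        return False, "reply arrived on wrong interface"
    if len(msg) < 4 or msg[0] != MSG_REPLY:
        return False, "not a Reply"
    if msg[1:4] != pending.xid:
        return False, "transaction-id mismatch"
    opts = parse_options(msg[4:])
    if (OPT_CLIENTID, pending.client_duid) not in opts:
        return False, "client DUID mismatch"
    if (OPT_SERVERID, pending.server_duid) not in opts:
        return False, "server DUID mismatch"
    iaids = {struct.unpack_from("!I", v)[0] for c, v in opts if c == OPT_IA_PD and len(v) >= 12}
    if pending.iaid not in iaids:
        return False, "IAID mismatch"
    return True, "ok"  # only now may lifetimes in the IA_PD (including 0) be acted on

def opt(code, value):
    return struct.pack("!HH", code, len(value)) + value

def build_reply(xid, client_duid, server_duid, iaid, valid_lifetime):
    """Constructed Reply with one IA_PD/IA_PREFIX for 2001:db8::/56 (documentation prefix)."""
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", valid_lifetime, valid_lifetime, 56) + bytes.fromhex("20010db8" + "00" * 12))
    ia_pd = opt(OPT_IA_PD, struct.pack("!III", iaid, 0, 0) + iaprefix)
    return bytes([MSG_REPLY]) + xid + opt(OPT_CLIENTID, client_duid) + opt(OPT_SERVERID, server_duid) + ia_pd

def demo():
    """Constructed identifiers (not real DUIDs or traffic): a genuine lifetime=0 Reply vs. one with a guessed xid."""
    pending = PendingPD("wan0", b"\x12\x34\x56", b"\x00\x03\x00\x01" + b"\xaa" * 6, b"\x00\x03\x00\x01" + b"\xbb" * 6, 1)
    good = build_reply(pending.xid, pending.client_duid, pending.server_duid, 1, 0)
    forged = build_reply(b"\x00\x00\x01", pending.client_duid, pending.server_duid, 1, 0)
    return (accept_reply(pending, "wan0", good), accept_reply(pending, "lan0", good), accept_reply(pending, "wan0", forged))
```

The same genuine Reply is rejected when it arrives on the LAN-side interface, which is the point of Ted's last remark: a forged southbound Reply never reaches the identifier checks.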