Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Fernando Gont <fgont@si6networks.com> Tue, 07 February 2023 23:42 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86151C14CE2D for <v6ops@ietfa.amsl.com>; Tue, 7 Feb 2023 15:42:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hGeNdt3_kI1x for <v6ops@ietfa.amsl.com>; Tue, 7 Feb 2023 15:42:37 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61452C14F739 for <v6ops@ietf.org>; Tue, 7 Feb 2023 15:42:36 -0800 (PST)
Received: from [10.0.0.133] (unknown [186.19.8.47]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id CC713280BC7; Tue, 7 Feb 2023 20:42:32 -0300 (-03)
Message-ID: <7f3737e4-a89d-29cb-f01b-5d032ac1c29f@si6networks.com>
Date: Tue, 07 Feb 2023 20:42:29 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: Nick Buraglio <buraglio@forwardingplane.net>
Cc: IPv6 Operations <v6ops@ietf.org>
References: <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com> <CAGB08_dQyXLobLu5bjYkCrOUg7kbU8EAtn+OfzMSQqV4qmn8AQ@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <CAGB08_dQyXLobLu5bjYkCrOUg7kbU8EAtn+OfzMSQqV4qmn8AQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/i1wdROD2gxr4MQaKdx0SODKwveA>
Subject: Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 23:42:41 -0000
Hi, Nick, On 7/2/23 17:22, Nick Buraglio wrote: [....] > > A few things that may be useful to add: > > Using data enrichment such as correlation of address to behavior (i.e. > use of a passive system to look for patterns in addressing to behavior) > may decrease false positives. Could you elaborate a bit here? > This is how we determine if we should or > should not filter ephemeral addresses, both v4 and v6, and it works > well. It does not lend itself to reputation lists in the larger sense, > but over time it will absolutely show patterns and curves in behavior > to specific blocks just like in IPv4. Can you use such a system for, say, proactive defenses? > Adding in some data about the detrimental effects of over-filtering, > and the very real possibility of creating DoS events based on too many > routes in the blackhole table, etc. Easy enough to alleviate with > filters, but also leaves a bit of exposure in doing so (as you mentioned > in the filter FIFO addressing behavior). Will do. Thanks! > Having blackhole behavior or filter behavior that is expected to be > ephemeral and increasing in duration may aid in some of the resource and > minimize false positive impact. e.g. IP resource misbehaves, it is > filtered for n minutes and then unblocked. second offense is 15 minutes, > third offense is a day, whatever, you get the point. This is, again, how > orgs I have worked with for years have chosen to do things it works well > for those use cases. There's also the question of how you "scale" the filters in terms of their lifespam. e.g., when you shorten the prefix, you might want to reduce the banning time. > Operationally I have never felt that reputation lists are terribly > useful, personally (likely due to the old RBL days and pain caused by > them), but having them there as a guide is sometimes useful. They are one tool in the toolbox. e.g., while you get the devops folks to patch vulnerable ednpoints, you probably don't want to e.g., show up in shodan.io (and similar). > > So that's what motivated the publication of this document. > > * TXT: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt <https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt> > * HTML: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html <https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html> > > > FWIW, I didn't read it as implying that SLAAC was undesirable, but I did > only give it a quick skim. We certainly didn't mean it. Obviously, ACLs rely on some address stability, so temporary addresses will be at odds with /128 ACLs. (temporary addresses are theoretically supported by both SLAAC and DHCPv6, though) Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
- [v6ops] Fwd: (IETF I-D): Implications of IPv6 Add… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Vasilenko Eduard
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… David Conrad
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Ted Lemon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Vasilenko Eduard
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Henri Alves de Godoy
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Simon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Fernando Gont