Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Gert Doering <gert@space.net> Mon, 25 October 2021 21:31 UTC

Date: Mon, 25 Oct 2021 23:31:09 +0200
From: Gert Doering <gert@space.net>
To: Warren Kumari <warren@kumari.net>
Cc: Ole Troan <otroan@employees.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Message-ID: <YXciHYMNa6KJUohp@Space.Net>
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com>
In-Reply-To: <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/je3bc3RmAqqfuk-b_7I6wVl7nOw>

Hi,

On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
> I somewhat like the idea of having a well known prefix for "limited
> domains" - if everyone used $prefix, we could default to filtering it on
> external links, and, just like MPLS/OSPF/IS-IS/<whatever>, consciously
> decide to allow it between consenting adults. This is far from perfect --
> it requires more routes in my IGP, etc, but it's better than nothing.

Indeed, that would be a good start.

Implementors would have to ensure that decapsulation of "things" only
happens for packets destined to this prefix, and not on "outside of this
domain" interfaces (IXPs, customer attachment circuits, etc.).

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

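A small model of the per-interface policy this reply describes (filter the limited-domain prefix on external links; decapsulate only for packets destined to that prefix arriving on domain-internal interfaces), written as an added example for this thread rather than code from anyone in it. The /48 is a constructed placeholder for the wished-for well-known prefix, and treating "filtering" as covering both source and destination addresses is my assumption.

```python
"""Ingress policy model for a limited-domain (SRv6-style) prefix.

Added example, not code from the thread or any vendor. The prefix below is
a constructed placeholder, not an assigned well-known prefix.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

LIMITED_DOMAIN_PREFIX = IPv6Network("2001:db8:5e6::/48")  # constructed placeholder
SRH_ROUTING_TYPE = 4  # Routing Header type 4 is the Segment Routing Header (RFC 8754)


@dataclass(frozen=True)
class Interface:
    name: str
    internal: bool  # True: inside the domain; False: IXP, customer circuit, ...


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    routing_type: Optional[int] = None  # Routing Header type if one is present


def ingress_decision(pkt: Packet, iface: Interface) -> str:
    """Return 'drop', 'decapsulate' or 'forward' for a packet arriving on iface."""
    src, dst = IPv6Address(pkt.src), IPv6Address(pkt.dst)
    dst_in_domain = dst in LIMITED_DOMAIN_PREFIX
    src_in_domain = src in LIMITED_DOMAIN_PREFIX

    if not iface.internal:
        # External link: the domain prefix is filtered by default, so nothing
        # to or from it is accepted here, SRH or not. This is what stops an
        # outside party from reaching a SID and triggering decapsulation.
        if dst_in_domain or src_in_domain:
            return "drop"
        # Anything else is ordinary transit; an SRH whose destination is not
        # one of our SIDs is forwarded untouched (RFC 8754 only processes the
        # SRH when the destination address is a local SID).
        return "forward"

    # Domain-internal interface: decapsulation / SRH processing happens only
    # for packets destined to the domain prefix.
    if dst_in_domain and pkt.routing_type == SRH_ROUTING_TYPE:
        return "decapsulate"
    return "forward"
```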