Re: [v6ops] SLAAC security concerns

Gert Doering <> Tue, 04 August 2020 20:28 UTC

Date: Tue, 4 Aug 2020 22:28:47 +0200
From: Gert Doering <>
To: Ted Lemon <>
Cc: Gert Doering <>, Vasilenko Eduard <>, Michael Richardson <>, v6ops list <>, 6man <>
Message-ID: <20200804202847.GB2485@Space.Net>


On Tue, Aug 04, 2020 at 04:15:22PM -0400, Ted Lemon wrote:
> On Aug 4, 2020, at 3:44 PM, Gert Doering <> wrote:
> > There are too many broken switch vendors out there that show again and
> > again that "implementing multicast is hard", breaking IPv6 ND in the
> > process.
> Why don't you return that switch for a refund?
> (I've never run into a switch that had trouble with IPv6 multicast, but admittedly I only have four different switches in my house, so that's not a very big sample.)

$20 switches tend to be not affected.

It's the more expensive ones where developers intended to "do the right
thing with multicast!" and never came around to actually implementing it.

Or where you need to turn on - or *off* - MLD to make link-local multicast
work, but the default is the wrong way around.

I have seen this on devices from three different vendors - Extreme, Juniper,
and "something that DECIX was using like 15 years ago" - and of course not
all models or all firmware versions are affected.  But when it happens, it's
life time you won't get back.

If I were to return every device in my network where a developer messed
up something the IETF made too complex in protocol design, I would have
a very secure, and very power-efficient result - but no network anymore.

(And your response very nicely demonstrates why operators get fed up
trying to participate in IETF)

Gert Doering
        -- NetMaster
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279