Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Vasilenko Eduard <vasilenko.eduard@huawei.com> Fri, 31 July 2020 17:20 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5EAF3A0BB0; Fri, 31 Jul 2020 10:20:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KFFtU8CARfsr; Fri, 31 Jul 2020 10:20:36 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37193A0BAA; Fri, 31 Jul 2020 10:20:36 -0700 (PDT)
Received: from lhreml706-chm.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 58AC78829FDB946E3515; Fri, 31 Jul 2020 18:20:31 +0100 (IST)
Received: from msceml702-chm.china.huawei.com (10.219.141.160) by lhreml706-chm.china.huawei.com (10.201.108.55) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Fri, 31 Jul 2020 18:20:30 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml702-chm.china.huawei.com (10.219.141.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Fri, 31 Jul 2020 20:20:30 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.1913.007; Fri, 31 Jul 2020 20:20:30 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Tony Finch <dot@dotat.at>, Owen DeLong <owen@delong.com>
CC: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, "v6ops list" <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns
Thread-Index: AdZl2/KmEr6Lt/NERGGqFiMA7k1/CAAIPvAAABH5AHD///P/gP//vOiggAECawCAABGlgIABGVqAgAAEyoCAAAv7AP//vkZQ
Date: Fri, 31 Jul 2020 17:20:30 +0000
Message-ID: <4f29ab2dd1a0467791d9304d85369f75@huawei.com>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com> <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <91D98D51-4045-4331-A711-8387ECE73400@fugue.com> <F56A89D4-0DA3-4A9B-ADC1-FC51ECAB193B@delong.com> <alpine.DEB.2.20.2007311707380.16320@grey.csi.cam.ac.uk>
In-Reply-To: <alpine.DEB.2.20.2007311707380.16320@grey.csi.cam.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.204.150]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/mmdaWft_kpl9xTKlXgJ6oAE_a6M>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 17:20:40 -0000

Hi Tony,

> If GRAND is deployed, would that allow routers to assume their neighbour tables are complete, so they can just drop ND exhaustion attacks?

How is it possible to be sure that all hosts support the new draft?
(1) The draft does not propose to signal the ND version in any way ("Code" is still 0).
(2) Only by separate admin configuration on the router; then it is operational practice. No need for standardization.

Maybe you were asking: is it possible in principle?
No, because the ND cache could be overwhelmed by Unsolicited NDs, but Unsolicited ND is the primary vehicle in the draft.

PS: I was more concerned about "man-in-the-middle" - it is the bigger security problem, not DDoS - albeit that is a big problem too.
Ed/
-----Original Message-----
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Tony Finch
Sent: 31 July 2020 19:13
To: Owen DeLong <owen@delong.com>
Cc: Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; v6ops list <v6ops@ietf.org>; 6man <ipv6@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Owen DeLong <owen@delong.com> wrote:
>
> Indeed, as an operator, IMHO, if there’s a place we need to focus on 
> improving L2 attack surface in v6, it’s in finding better ways for 
> {routers, hosts, switches} to mitigate/absorb this type of resource 
> exhaustion attack. Unfortunately, this is a hard problem to solve, so 
> we focus on moving the deck chairs we can move while ignoring the 
> elephant-sized hole in the bulkheads that we don’t know how to patch.

If GRAND is deployed, would that allow routers to assume their neighbour tables are complete, so they can just drop ND exhaustion attacks?

Tony.
--
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Shannon, Southeast Rockall: Westerly or southwesterly 4 or 5. Moderate or rough. Showers. Good, occasionally moderate.