Re: [v6ops] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04

Christopher Wood <caw@heapingbits.net> Thu, 17 September 2020 18:11 UTC

Date: Thu, 17 Sep 2020 11:11:08 -0700
From: Christopher Wood <caw@heapingbits.net>
To: Fernando Gont <fgont@si6networks.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: last-call@ietf.org, v6ops@ietf.org, draft-ietf-v6ops-cpe-slaac-renum.all@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/nMD_8-r7Q6GRyJfldGiOd-s826A>
Subject: Re: [v6ops] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04

On Wed, Sep 9, 2020, at 10:09 PM, Fernando Gont wrote:
> Hello, Chris,
> 
> Thanks a lot for your comments! In-line....
> 
> On 9/9/20 20:16, Christopher Wood via Datatracker wrote:
> > Reviewer: Christopher Wood
> > Review result: Has Nits
> > 
> > Summary: Has Nits
> > 
> > Comments:
> > 
> > - Section 3: is it possible for an attacker to send DHCPv6 Prefix Delegations
> > with lifetime=0 to CE routers that support LAN-side DHCPv6 and amplify
> > Reconfigure messages to supporting clients? (I don't know if this is a concern
> > or part of the threat model, but this did seem to be a case of possible
> > request/response asymmetry.)
> 
> Not sure what you mean. PDs with a lifetime of 0 are orthogonal to 
> Reconfigure messages.
> 
> If the client asked for reconfigure support, yes it will be accepting 
> server reconfigure messages.
> 
> However, Reconfigure messages are required to be unicasted (RFC8415, 
> Section 16.11), so there's no possibility for amplification (i.e., 
> single server packet triggering actions on multiple clients).

Got it. Thanks.

> > - Section 4: rationale for these default values,
> > if available, might be worth including. (Why not make them shorter? What are
> > the tradeoffs?)
> 
> I suggested to add this in response to Dale's comments:
> 
>   "  However, while the aforementioned values represent an improvement
>      over the default values specified in [RFC4861], they represent a
>      trade-off among a number of factors, including responsiveness,
>      possible impact on the battery life of connected devices [RFC7772],
>      etc. Thus, they may or may not provide sufficient mitigation to the
>      problem discussed in this document."
> 
> ?

This seems reasonable to me.

> > - Section 6: it might be worth noting what happens if stable
> > storage is unavailable or otherwise compromised when trying to store prefix
> > information. What happens if the "A" or "L" bits are modified? (I suspect
> > nothing dangerous, but it's not clear to me whether or not integrity is
> > important.)
> 
> Compromised as in "an attacker intentionally caused different bits to be 
> stored"?

Well, either maliciously or not, I suppose. I was just trying to learn if integrity is important. 

> If so, I'd say that's probably the least of your concerns. Since DHCPv6 
> exchanges are not encrypted or authenticated, your first concern would 
> be forged packets. If the attacker has essentially hacked the CE Router, 
> then all bets are off.
> 
> 
> 
> > Nits:
> > 
> > - In some places "Valid Lifetime" is written as "valid-lifetime" -- should
> > these be made consistent?
> 
> We use "Valid Lifetime" for SLAAC PIOs, and "valid-lifetime" for DHCPv6 
> options, since that's what the respective specs use. Please do let us 
> know if you think this should be clarified.

Ah! If that's well understood by others, then it's fine with me. (I wasn't aware of the difference.)

Thanks for following up. :-)

Best,
Chris