Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Ted Lemon <mellon@fugue.com> Tue, 07 February 2023 13:34 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86AD4C1524B2 for <v6ops@ietfa.amsl.com>; Tue, 7 Feb 2023 05:34:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jb11wiJ1LM_u for <v6ops@ietfa.amsl.com>; Tue, 7 Feb 2023 05:34:06 -0800 (PST)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42E33C1522CB for <v6ops@ietf.org>; Tue, 7 Feb 2023 05:34:05 -0800 (PST)
Received: by mail-qv1-xf36.google.com with SMTP id w11so3678824qvs.7 for <v6ops@ietf.org>; Tue, 07 Feb 2023 05:34:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=mF/bCM0cSegbAe43KxXdz3lfYwF72QkptLrtTFs4+jM=; b=jF1ycHe1rrt9koVbmtBzmXsfi83YKhmIOz+xmk7DxhMCP9fU8eSDLk3rYKIPfkxzI5 GrWeiRG9BMfqNVHlFWIW8/dbwI45l2v+KBArQ7LlTFX3iqYajflesfrqVuTydNnhYXOM XMXdn3RkGoiPTRl5d1Efgt+rY4GJY5iCd0f/9z07UJLQ1N4uWkGyLzIN5JcrAqpkT9bn YUIyYHdNTrGVufDlkQXRvWGNeTelINdSSxFz77K0XKvudqqLLi7tZYZy8t8QsQThLpko 1BHqtz9KWVO93iN8q37jHIeZs8gXmPirLfANPLsRF0NIDaEs+/5hy1UxMqTNrvl6wAH/ ONbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=mF/bCM0cSegbAe43KxXdz3lfYwF72QkptLrtTFs4+jM=; b=lCC5N7Itauo14N0ohC68jMtmZ3pIfYbD7ZJkbJkZ2KXbhldCoWLoaHbrLjNXH1B9Tz qggSEKdOyj6j8NncL+78rB/7eZpM4gdt30njozz174g6+WW5lhs7lAkitrPzs+Bife6O J6xoFS1851O8HlUem8ZYpjHMb8L5iXZK7Uvv1q5LBky0v3/IQUykjpPGBcG/LbIWZsaC nnpOcail54hA6LhvKVfO1bE9aq/FUg0vBvj5wCLfbwf5aPpS13Kr3VR7nnI9UwIHwXgR /M/7m6Q61MoPAPYhT6cd8wbtEEJObtqUpG21hoePdAW0qodHhSRLF3nUMfqLLIhpmzPi pKXA==
X-Gm-Message-State: AO0yUKXw/NVz7J1TR+H2/3zoDBu3P/RIUXzgCa23PibcSyg269CK6eON krXWx7tzHdAQWhK5Q5AV2a/AKhxk4kmNMPwoUcDRm09FrTj5FXJ/
X-Google-Smtp-Source: AK7set+0DkJo5KUJfwwC18MaWc4ihwI9weLBPfBbc1A6O5hr0zQ7f6qEbMgrlSxCn5lqh+zRHLDCISPxUbafKebqDIE=
X-Received: by 2002:a0c:cb12:0:b0:537:7bd7:29c0 with SMTP id o18-20020a0ccb12000000b005377bd729c0mr194668qvk.1.1675776844858; Tue, 07 Feb 2023 05:34:04 -0800 (PST)
MIME-Version: 1.0
References: <091075f1-033a-5577-60d9-3c6a009b3e21@si6networks.com> <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com>
In-Reply-To: <55adf66d-23cb-0b2c-65d7-8f053a6f9298@si6networks.com>
From: Ted Lemon <mellon@fugue.com>
Date: Tue, 07 Feb 2023 05:33:54 -0800
Message-ID: <CAPt1N1keDFsseXVXqr8YuQgEDCHHusJxxpm-mS_vkdPyNqmEdQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: IPv6 Operations <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f9f5605f41c3313"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/rvxllV1KBL-tvqNK-pmpg1MjVlI>
Subject: Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 13:34:07 -0000
This seems like fairly iffy advice, which is perhaps not surprising given that the discussion you’re trying to ameliorate seems unrealistic. Thanks for trying to do something to improve it! Block lists for ip addresses might be useful, but I suspect are more likely to cause operational issues—eg I’ve had addresses i use blocked because someone did something nefarious from them previously. Where they are appropriate, it is likely because the owner of the full delegation is untrustworthy, in which case it would make sense to block the whole range, or even refuse whatever route they publish. It doesn’t make sense to try to use DHCPv6 or disable temporary addresses in order to enable the continued use of single-address block lists, and mentioning it in an IETF document seems harmful. The problem is that the operator who would be motivated to do this doesn’t control the address space that is the source of the problem, so they can’t force the owner of that address space to use DHCPv6 or disable temporary addresses. Instead, this advice will likely be taken to mean that the use of SLAAC is generally bad, and should be prevented. This would be a very bad outcome. Similarly, your observations about /56 delegations making it possible for a host to pretend to be multiple hosts are likely to discourage ISPs from offering delegations larger than /64, which again would be an unfortunate outcome. The simple advice which I think is appropriate for the context you described is simply to point out that with IPv6, prefixes are the identifier, not individual addresses. The rest is too much. Op ma 6 feb. 2023 om 23:28 schreef Fernando Gont <fgont@si6networks.com> > Folks, > > FYI, this one is targeted at opsec, but might be of interest to this group: > > * TXT: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt > * HTML: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html > > Thanks! > > Regards, > Fernando > > > > > -------- Forwarded Message -------- > Subject: (IETF I-D); Implications of IPv6 Addressing on Security > Operations (Fwd: New Version Notification for > draft-gont-opsec-ipv6-addressing-00.txt) > Date: Fri, 3 Feb 2023 01:28:17 -0300 > From: Fernando Gont <fgont@si6networks.com> > To: opsec@ietf.org > > Hi, All, > > I happened to participate in an IPv6 deployment meeting with some large > content provider. Eventually there was a discussion about how to > mitigate some attacks using block-lists, and they argued that they ban > offending addresses (/128 for the IPv6 case), following IPv4 practices. > While they had already deployed IPv6, some of the associated > implications arising from the increased address space seemed to be > non-obvious to them. > > So that's what motivated the publication of this document. > > * TXT: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt > * HTML: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html > > Comments welcome! > > Thanks, > Fernando > > > > > -------- Forwarded Message -------- > Subject: New Version Notification for > draft-gont-opsec-ipv6-addressing-00.txt > Date: Thu, 02 Feb 2023 19:48:40 -0800 > From: internet-drafts@ietf.org > To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont > <ggont@si6networks.com> > > > A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt > has been successfully submitted by Fernando Gont and posted to the > IETF repository. > > Name: draft-gont-opsec-ipv6-addressing > Revision: 00 > Title: Implications of IPv6 Addressing on Security Operations > Document date: 2023-02-02 > Group: Individual Submission > Pages: 8 > URL: > https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt > Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/ > Htmlized: > https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing > > > Abstract: > The increased address availability provided by IPv6 has concrete > implications on security operations. This document discusses such > implications, and sheds some light on how existing security > operations techniques and procedures might need to be modified > accommodate the increased IPv6 address availability. > > > > > The IETF Secretariat > > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Fwd: (IETF I-D): Implications of IPv6 Add… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Vasilenko Eduard
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… David Conrad
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Ted Lemon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Vasilenko Eduard
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Fernando Gont
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Nick Buraglio
- Re: [v6ops] Fwd: (IETF I-D): Implications of IPv6… Henri Alves de Godoy
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Simon
- Re: [v6ops] (IETF I-D): Implications of IPv6 Addr… Fernando Gont