Re: [v6ops] Improving ND security

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 31 July 2020 17:35 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 534483A0C50; Fri, 31 Jul 2020 10:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=boeing.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWuQAPM96vus; Fri, 31 Jul 2020 10:35:47 -0700 (PDT)
Received: from clt-mbsout-02.mbs.boeing.net (clt-mbsout-02.mbs.boeing.net [130.76.144.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 377C03A0C8E; Fri, 31 Jul 2020 10:35:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by clt-mbsout-02.mbs.boeing.net (8.15.2/8.15.2/DOWNSTREAM_MBSOUT) with SMTP id 06VHZf58005314; Fri, 31 Jul 2020 13:35:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=boeing.com; s=boeing-s1912; t=1596216943; bh=DUo7ww1w/pv0NZ4byUp+8C9ofUkcKdC9ID8ydkZwfiU=; h=From:To:CC:Subject:Date:From; b=EYxYgq4rAfdjiMaB96a0d1vOt9v0zLJCbIzWupTUaZyv6qG4OtR+ZsrBHirnNwHM7 91RGaJTeGvT664WPgRCeoRavX06mLR3T98iAUeD3k4ibT8NGSoYvYtxeqFbdAirXar KE+Y3ku5w8Thpj3azV+bqewmg2wy1KR6NPQO45cM64aggNs90vxtEf48QtSVclzlY2 7EsR1UyOstCh1RCzNwp6v9/Y0KNA+qRBivOFozBo5DmKBXtEAveHO7WiwOag0weHax cOEpcjYpep7cEzztSyC67tciVdFHpRQxYeciHUUlxYPggxqYmzWNlkLCQWSiDSjqEb lvrMVken7iNtw==
Received: from XCH16-07-09.nos.boeing.com (xch16-07-09.nos.boeing.com [144.115.66.111]) by clt-mbsout-02.mbs.boeing.net (8.15.2/8.15.2/8.15.2/UPSTREAM_MBSOUT) with ESMTPS id 06VHZWrC004749 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Fri, 31 Jul 2020 13:35:32 -0400
Received: from XCH16-07-10.nos.boeing.com (144.115.66.112) by XCH16-07-09.nos.boeing.com (144.115.66.111) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1979.3; Fri, 31 Jul 2020 10:35:31 -0700
Received: from XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5]) by XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5%2]) with mapi id 15.01.1979.003; Fri, 31 Jul 2020 10:35:31 -0700
From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Ted Lemon <mellon@fugue.com>
CC: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, "v6ops list" <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: Improving ND security
Thread-Index: AdZnYGykJNK1kk2zSneWe05yLDtm6g==
Date: Fri, 31 Jul 2020 17:35:31 +0000
Message-ID: <d5c245f216c3409f826f8132e532a882@boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [137.137.12.6]
x-tm-snts-smtp: 987A15763C39FB47C81163C67172A664484305430C429B3FB5955EE3A62918892000:8
Content-Type: multipart/alternative; boundary="_000_d5c245f216c3409f826f8132e532a882boeingcom_"
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/s48diomLTRgGnOfaLo5fjsu7c1E>
Subject: Re: [v6ops] Improving ND security
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 17:35:53 -0000

On Jul 31, 2020, at 1:17 PM, Templin (US), Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote:
Ted, I think SEND would solve the neighbor cache resource exhaustion attack since a NCE is
only created on receipt of an authentic (SEND-protected) IPv6 ND message.

OK, but an attacker can just generate a bazillion key pairs, right? So it can still exhaust the cache, at the cost of some computation work.
[>]

I think as long as the network has a way of associating the key pair with another piece
of information that accompanies the IPv6 ND message then the network would be able
to know when the mobile node is using its (single) authorized key. So, for example, if
the IPv6 ND message included an identity for the MN (sort of like a DHCPv6 DUID), the
network would know when the MN is using the correct key pair – right? (BTW, I am
not saying to use DHCPv6 DUID – that is just one example of a MN identity…)

Thanks - Fred