IETF Logo Mail Archive

Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157

"Marksteiner, Stefan" <stefan.marksteiner@joanneum.at> Tue, 25 September 2012 14:20 UTC

Return-Path: <stefan.marksteiner@joanneum.at>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 510D321F8557 for <v6ops@ietfa.amsl.com>; Tue, 25 Sep 2012 07:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.004
X-Spam-Level:
X-Spam-Status: No, score=-0.004 tagged_above=-999 required=5 tests=[AWL=0.826, BAYES_00=-2.599, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745, J_CHICKENPOX_13=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpCIBJ32V5aD for <v6ops@ietfa.amsl.com>; Tue, 25 Sep 2012 07:20:19 -0700 (PDT)
Received: from rzjgate.joanneum.ac.at (rzjgate.joanneum.ac.at [143.224.185.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA0AF21F889D for <v6ops@ietf.org>; Tue, 25 Sep 2012 07:20:18 -0700 (PDT)
Received: from RZJS077.jr1.local (rzjs077.joanneum.ac.at [143.224.71.18]) by rzjgate.joanneum.ac.at (8.13.8/8.13.8) with ESMTP id q8PEK82w013388; Tue, 25 Sep 2012 16:20:09 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joanneum.at; s=sel3; t=1348582809; bh=l/heH+bE72ZT+rLDCUdZCgKOM3nALNaVm/xBRLjMGGo=; h=From:To:CC:Date:Subject:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=rmuUS7XnSYZCiPAaku/09UkUewkF89qyfPNhapJ8z8WLwCWMcEMssGZvmb1iWDfvE 1xHgkdcQmnSXCQZ6Yldo4/ew3Xe6yVxdCVRChcif78DvpjqTVHhMk3JAAZ3PdMKAGj LNMnmBp39NaTBMgsAAToJbMJ9qS7yhNaHAj3Z1QU=
Received: from RZJC1EX.jr1.local ([169.254.2.9]) by RZJS077.jr1.local ([143.224.71.18]) with mapi; Tue, 25 Sep 2012 16:20:08 +0200
From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>
To: IPv6 Ops WG <v6ops@ietf.org>
Date: Tue, 25 Sep 2012 16:18:59 +0200
Thread-Topic: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
Thread-Index: Ac2bIan9fJkY23LORwWxgmEFHWwGPAABwrdL
Message-ID: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D90A@RZJC1EX.jr1.local>
References: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D8FF@RZJC1EX.jr1.local>, <1348519034.47465.YahooMailNeo@web32503.mail.mud.yahoo.com> <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D902@RZJC1EX.jr1.local>, <5061B157.1090106@gmail.com>
In-Reply-To: <5061B157.1090106@gmail.com>
Accept-Language: de-DE, de-AT
Content-Language: de-AT
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE, de-AT
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 14:20:20 -0000

Hi Brian,

SLAAC is *somewhat* predictable, especially when you already have one address as a starting point (then you've got a vendor ID plus a probable batch which narrows the scanning address room significantly).
Of course I assume workstation machines not to be in public a DNS zone...

Regards,

Stefan


________________________________________
Von: Brian E Carpenter [brian.e.carpenter@gmail.com]
Gesendet: Dienstag, 25. September 2012 15:27
An: Marksteiner, Stefan
Cc: Mark ZZZ Smith; IPv6 Ops WG
Betreff: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157

On 25/09/2012 10:42, Marksteiner, Stefan wrote:
> Hi Mark,
>
> First of all I think I've forgotten to clarify that I'm talking about IIDs, sorry ;)
> The aim of my thoughts would be to make it harder for externals to scan for attackable addresses. One often cited (mostly by marketeers) benefit of IPv6 is the vast amount of addresses per subnet making it seemingly harder to scan, which would be nullified if companies used simple sequential addressing.
>
> You're of course right that most (potential) attackers are insiders - but they likely wouldn't have to scan anyway, instead the would probably already have knowledge of alive (and maybe even vulnerable) hosts. Thus, they aren't my focus in this matter, but instead are "black box"-scanners and Internet worms.
>
> ULA/LLA are, as you've correctly stated, the best choice if you don't need Internet connection, but what about workstations for employees needing the Internet?
>
> I'm suggesting to recommend companies to use a different scheme as ::1;::2 or ::BABE;::CAFE or even ::4593;4594 and so on which according to some studies (e.g. [1], pp.65-75, especially 68) most administrators unfortunately do.
> What might be needed to change this would be a scheme which is practicably administrable in the easiest possible way.

It depends what you mean by "administrable" but SLAAC doesn't need a scheme
and therefore doesn't need administration. For machines that are in public DNS
it doesn't matter anyway, so any scheme will do.

    Brian

> This would have, in my opinion, two benefits. Firstly it would render standard scanning procedures for IPv6 like sequential scanning and scanning for "funny" addresses pretty much useless. Secondly, if the numbers are, seen from the outside, seemingly random, it wouldn't help a scanner or worm if he or it discovered a single address by chance (e.g. by a log entry) and took it as a starting point for further scanning.
>
> I'm aware of the discussions about security by obscurity and that a good firewall is needed anyway to secure internal assets, but I would find it nice if the often cited "security argument" that IPv6 subnets are merely impossible to scan would be true (again) :)
>
>
> Cheers,
>
> Stefan
>
>
> [1]http://www.mh-sec.de/downloads/mh-ipv6_vulnerabilities.pdf
> ________________________________________
> Von: Mark ZZZ Smith [markzzzsmith@yahoo.com.au]
> Gesendet: Montag, 24. September 2012 22:37
> An: Marksteiner, Stefan; IPv6 Ops WG
> Betreff: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
>
> Hi Stefan,
>
> ----- Original Message -----
>
>> From: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>
>> To: IPv6 Ops WG <v6ops@ietf.org>
>> Cc:
>> Sent: Tuesday, 25 September 2012 4:03 AM
>> Subject: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
>>
>>
>> Hi Folks,
>>
>> RFC5157 presents hazards of sequentially numbering IPv6 networks and technical
>> means (like CGAs and privacy extensions) to mitigate them. Unfortunately these
>> mitigation methods may be deemed difficult to handle for administrators (SEND
>> may be too complicated to implement, PEs bring difficulties to keep track of IP
>> addresses). Therefore there may be demand for an addressing scheme (rather than
>> a technical method) that makes IPv6 addresses easy to predict for tech staff but
>> difficult to do so by outsiders, building a low-end supplement for the methods
>> mentioned in RFC5157.
>
>
> I think it might be worth having a bit more of a think about who might be inclined to attack you - for a typical non-Internet services organisation, I think it's more likely going to be
> disgruntled ex-staff, and it'll be hard to make them forget "numbers" / addresses or prevent them copying the mapping application if they have an inkling they're going to get fired.
>
>
>>
>
>> What I have in mind is an simple mental arithmetic operation, which generates an
>> address out of a company fixed part plus a sequential number for host.
>> Alternatively a Hash-Operation consisting again of a secret organisational plus
>> a sequential host number. The first requires the scheme to be slightly different
>> in every organisation in order to have a negative impact on IPv6 scanning from
>> external sources, the second is more secure but requires an internal web site or
>> smartphone app in order for field engineers to calculate an address out of the
>> sequential information.
>>
>
> It sounds like here you're talking about a subnet numbering scheme. The common prefix size for most organisations is going to be /56 or 256 /64 subnets, or /48 or 65K /64 subnets. Many providers seem to be leaning towards /56s unless their customers ask for a /48, which provides very little address space to effectively hide the in-use subnet numbers from a scanning based attack (and that's one of the reasons why I'd be giving customers /48s from the outset). One advantage though of IPv6 is that it is possible to phase in and phase out addressing using the address/prefix lifetimes mechanism, so it would be possible to change assigned in your network prefixes on e.g. a weekly basis.
>
> If your fundamental goal is to make internal links unreachable from the Internet, they can be not assigned a global prefix, and numbered from either the ULA address space (RFC4193) or left as link-locals only ("unnumbered"). You may be interested in the following, which discusses link-local only addressing -
>
> "Using Only Link-Local Addressing Inside an IPv6 Network"
> http://tools.ietf.org/html/draft-behringer-lla-only-01
>
>
> Regards,
>
> Mark.
>
>> My question is, in your opinion, would this be worthwhile to be formulated as an
>> ID an be drafted or does this idea sound absurd?
>>
>>
>
>> Cheers,
>>
>> Stefan
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email