Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Vasilenko Eduard <vasilenko.eduard@huawei.com> Fri, 31 July 2020 19:40 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Ted Lemon <mellon@fugue.com>
CC: Tony Finch <dot@dotat.at>, Owen DeLong <owen@delong.com>, "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Date: Fri, 31 Jul 2020 19:40:51 +0000
Message-ID: <16f520d2e6144de38303c7a9e6a2bc23@huawei.com>
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com> <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <91D98D51-4045-4331-A711-8387ECE73400@fugue.com> <F56A89D4-0DA3-4A9B-ADC1-FC51ECAB193B@delong.com> <alpine.DEB.2.20.2007311707380.16320@grey.csi.cam.ac.uk> <4f29ab2dd1a0467791d9304d85369f75@huawei.com> <80FADCA7-8CB3-486F-A679-B747413831D6@fugue.com>
In-Reply-To: <80FADCA7-8CB3-486F-A679-B747413831D6@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vmB_qzv0fsn8WFyF88MauF7G35E>

Hi Ted,
I do not understand you.

You did copy my comment that was related to the capability of GRAND to alleviate ND exhaustion attacks. It was a separate comment from Tony Finch's.

I can repeat it again: no, it would not help against this type of attack, even if it were slightly modified.

But DoS is not an extremely big problem – it was not my concern. This concern has been mentioned by many other people in this thread, but not by me. This problem is not good either, but I could tolerate it (at least I am ready to trade it off for performance).

Leakage of information is a much bigger problem that I could not tolerate.

Maybe you are asking me about GRAND in general;
then no, I do not think that it is a good idea to expand functionality using the most valuable feature of ND (Unsolicited NA).
Unsolicited NA makes it very easy to create a leakage of information. IMHO, it is an unacceptable problem that should be fixed first.
If Unsolicited NA were changed as a result of such an ND modification – then GRAND would be based on the new version of ND.

Eduard
From: Ted Lemon [mailto:mellon@fugue.com]
Sent: 31 July 2020 20:23
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: Tony Finch <dot@dotat.at>; Owen DeLong <owen@delong.com>; Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>; v6ops list <v6ops@ietf.org>; 6man <ipv6@ietf.org>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

On Jul 31, 2020, at 1:20 PM, Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
(2) Only by separate admin configuration on the router; then it is operational practice. No need for standardization.

I think I explained why it was worth standardizing from my perspective. Perhaps you disagree with that perspective, but you haven't said why. The way you say this makes it sound like you think there's a downside to standardizing. Can you explain what that downside is?