Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns

Mark Smith <markzzzsmith@gmail.com> Tue, 04 August 2020 17:18 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B38D3A0D3A; Tue, 4 Aug 2020 10:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.598
X-Spam-Level:
X-Spam-Status: No, score=-0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z15oqc65OLgD; Tue, 4 Aug 2020 10:18:53 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D2363A0D34; Tue, 4 Aug 2020 10:18:53 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id h3so13419521oie.11; Tue, 04 Aug 2020 10:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Qa/6AIsDKBp5087+axHve12mMZCZ18mHeT1KxOruMvY=; b=Oecft6oReLmOpyyVzY2MYoLA7nWCIeb/3Kwa2KsN0pv2L5ZgYhd6UWTxCQhmS8nLhY SB+n9eGTSKSn02lT5e/kU+xxEIlUIXnPVBH+xNakbqdWE0rr9lTBN0rSLeMfy17ZOcMg eFAkLF/LJqP//96gsTXOochG6uqwgX8no3lxwc9A6WbSQEhXRytG++2OQMgJ07UQvzco 9Ite4qPlRpE0sE4iu6nxuKIf0iqVzHyLcN6hLMN8forn6zSiABXShMdDDtZZiYsq0373 G9FV98GESwa9RWMMkdAiOazNx76KxHK42CFMJzuUDhbmqIKFF+sGDpJrvZq2eWZmo0Wj 6zFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qa/6AIsDKBp5087+axHve12mMZCZ18mHeT1KxOruMvY=; b=IIEdsHPIX0XMfEucBKVYvjs/GbP8w7ceJGhDAdLxJoybkpcTsrK44Lt5cxHb/WSndY pXWWjeoEg/1Hs9Y4CbQuGonDINO4Z+o7eY4T4hC4QJH0v2xhg/mHExnzS2En7tOXlWIZ 16OuAl0OEVwq56x+96RaY6aRY8a0kkRfAe3ptnjjp96+sbLtiqFwU3UNR+Vv1cVfiC1P zp78h7SLdZmY2Ji/FOBdQEgmC9RUc3m8tC9O6eLozucDOJeiVOHev3uLh5ZdSdfA2uM8 dqJq9rT20MkqtjqMTZ8gq7KMZRioRWK4eEKoLgRQYHiAq0bsqEcFiibcsGC7gkpvOpsJ t54w==
X-Gm-Message-State: AOAM531GfkmQJ72c1ymPo+0Zw0cIZJmjpBrjCHDb75CmevnWALILuZbs fuUy+0yPKc+YKsyENmXPAQnKYfbM9HOXtMXNTi8=
X-Google-Smtp-Source: ABdhPJydM4D0jPL2XAim6Pq25zEGy+cfwbU4dQAe96Gz/uKFbW5YmcTrFPVRGRcx/MCD7p6n3y4Qytfv+8iSY41Pp4g=
X-Received: by 2002:aca:120b:: with SMTP id 11mr4256868ois.54.1596561531363; Tue, 04 Aug 2020 10:18:51 -0700 (PDT)
MIME-Version: 1.0
References: <96fa6d80137241dd9b57fcd871c8a897@huawei.com> <CAFU7BARePzdeU5DFgoOWyrF0xZCj67_xkC2t8vMN2nH0d8aUig@mail.gmail.com> <37e2a7110f6b423eba0303811913f533@huawei.com> <CAFU7BATiD8RkiWXjrxGuAJU-BUwRQCErYZivUPZ-Mc_up_qGxQ@mail.gmail.com> <aebc46c9b813477b9ae0db0ef33e7bd9@huawei.com> <CAO42Z2yL7+GbO6QRaNzFYoBXLF-JZ2NfwgTTt2zerKhJLwt2Lw@mail.gmail.com> <3C1ECB6F-E667-4200-964F-AB233A0A56E9@cisco.com> <dfb9ccbfd87140cfba01c69447581aef@boeing.com> <15197.1596499036@localhost> <63afd5c67e7c4520b8b7ebabec69cab7@huawei.com> <MN2PR11MB3565E0E206799B95AE6295D7D84A0@MN2PR11MB3565.namprd11.prod.outlook.com> <e64151b767cc4aef9444a2fe546f474f@huawei.com>
In-Reply-To: <e64151b767cc4aef9444a2fe546f474f@huawei.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 5 Aug 2020 03:18:39 +1000
Message-ID: <CAO42Z2zNmpiTMJAnKgtFqfnVxOWttqJF2vbOmDDSOmEAWAZ6hg@mail.gmail.com>
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Cc: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f063b305ac1072ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vp_A_91yk804Bh7h9uzYeWCGVuk>
Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional security concerns
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2020 17:18:57 -0000

On Wed, 5 Aug 2020, 02:06 Vasilenko Eduard, <vasilenko.eduard@huawei.com>
wrote:

> Hi Pascal,
> My priority here is coincide with many governments priorities: leakage of
> information is strictly mandatory to prevent (privacy protection).
>


So when you've modified SLAAC and somehow deployed it to not use
multicasts, are you going to move on to DHCPv6? Then Multicast DNS? OSPF?
Spanning Tree? RIPv2?


Modifying existing and widely deployed protocols not to use multicasts is a
far harder way of solving the problem of unauthorised nodes receiving those
multicasts.

Using also existing and widely deployed layer 2 security or isolation
methods to limit the reach of multicasts to only authorised nodes is the
easiest and quickest solution.


Regards,
Mark.








DoS is the second priority. You are right that remote DoS is more
> dangerous, because for local DoS intruder should initially break-through
> into subnet (exploit other vulnerability to gain root access on 1 host).
>
> I agree that Full ND cache on router is the good basement for protection
> against Remote DoS.
>
> Thanks for good example of classification! "Centralized/Distributed
> Address Allocation", "Reactive/Proactive cache management".
> Could I add to classification "Ownership protection for Interface ID"?
> Because I could not imagine how to protect against DoS attack from inside
> subnet without proper trust anchor. The last would probably not happen for
> many years to come.
>
> Yes, I have made comment below that if Address Allocation would be changed
> to Centralized, then it is probably not SLAAC anymore. Then it is better to
> adopt DHCPv6.
>
> But why you said that DHCPv6 is only about "Proactive cache management"?
> DHCP has attribute of "Centralized Address Allocation" too.
>
> I have read your
> https://datatracker.ietf.org/doc/draft-ietf-6lo-backbone-router
> Proxy is not universal solution and should not be mainstream. It is
> complicated: IP subnet is split for many broadcast domains, proxy stitch it
> back.
>
> Eduard
> -----Original Message-----
> From: Pascal Thubert (pthubert) [mailto:pthubert@cisco.com]
> Sent: 4 августа 2020 г. 13:01
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>om>; Michael Richardson <
> mcr+ietf@sandelman.ca>gt;; Templin (US), Fred L <Fred.L.Templin@boeing.com>
> Cc: v6ops list <v6ops@ietf.org>rg>; 6man <ipv6@ietf.org>
> Subject: RE: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional
> security concerns
>
> Hello Eduard
>
> You need to qualify what you mean by dangerous. In my book an attack that
> is easy to trigger remotely and anonymously is more "dangerous" than the
> same attack if it has to be done from within the local network. Reactive
> (cache and lookup) ND enables a remote DoS attack on the ND cache by
> scanning 2^64 addresses with pings. Proactive (Stateful) ND avoids that
> attack but can be more sensitive to local attacks.
>
> SLAAC has 2 main properties, the Distributed Address Allocation and the
> Reactive ND Binding Cache management. Those properties are orthogonal:
> DHCPv6 today uses the latter but not the former. RFC 8505 allows former but
> does not use the latter. => I guess that by SLAAC you mean that you
> 'prefer' the Reactive Binding Cache management and are not talking about
> the Address Allocation piece since that piece is not at stake here.
> "Preference" is another thing that you'll have to specify (vs. operational
> requirements).
>
> The current situation is (to my best knowledge):
> 1) DHCPv6 allocation is not available in some stacks (Android).
> 2) SLAAC is globally available in hosts and routers but it happens to be
> barred by some enterprise policies
> 3) In many modern environments the switches and routers need to maintain
> the full tables of the attached nodes (e.g., fabrics like eVPN, proxy ND
> for Wi-Fi APs). Today they do it by snooping the protocols so we get the
> worst of both worlds.
> 4) RFC 8505 is not limited to IoT devices. It is very generic. It allows
> to build a network where the remote ND cache DOS becomes inefficient.
> 5) It is possible to build a network that uses both stateful and
> stateless, see
> https://datatracker.ietf.org/doc/draft-ietf-6lo-backbone-router/. This
> looks a lot like what you seems to be asking, Proactive at the WiFi edge
> and Stateless on the wire. If you mix, the remote DOS is still possible,
> but there are more ways to alleviate it.
>
> All the best
>
> Pascal
>
> > -----Original Message-----
> > From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> > Sent: mardi 4 août 2020 11:08
> > To: Michael Richardson <mcr+ietf@sandelman.ca>ca>; Templin (US), Fred L
> > <Fred.L.Templin@boeing.com>
> > Cc: Pascal Thubert (pthubert) <pthubert@cisco.com>om>; v6ops list
> > <v6ops@ietf.org>rg>; 6man <ipv6@ietf.org>
> > Subject: RE: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional
> > security concerns
> >
> > Hi Michael,
> > It is strange that most dangerous attack (unsolicited NA - leading to
> > leakage of
> > information) was not mentioned in RFC 3756.
> >
> > >We need a for nodes to reserve resources on the router.
> > Then router would be stateful (in respect of ND) - it is a very big
> > architecture change. The industry has the big inertia - I do not
> > believe that it is possible to return IPv6 address management to
> > stateful model (except government intrusion - see below).
> > By the way, stateful DHCPv6 exist. Switch could easily snoop all
> > messages and assist to IPv6 in security (like it is done for IPv4).
> > I propose do not push SLAAC in stateful direction - anyone who would
> > like - could use DHCPv6 or 6lo (stateful on router too).
> > I propose to think how to save SLAAC - keeping it with distributed
> > address management.
> >
> > > Many of us would prefer that we avoid making it stateful, but in
> > > wifi
> > networks, are already allocate crypto state, and we should just leverage
> that.
> > Our days big campuses are deployed without CAT5/6 cabling - everything
> > is WiFi.
> > SLAAC for WiFi looks like not the best technology. State repository
> > (AP) is mandatory anyway. But anyone could use 6lo - it is developed
> > specifically for such environment (not effective multicast, frame loss).
> > IMHO: It does not make sense to reinvent the wheel. RFC 6775 and 8505
> > do have good stateful solution for WiFi.
> > SLAAC has been left with the small niche for the future - if it would
> > have fixes for biggest security problems (personal data protection).
> >
> > Looking to all these "data privacy protection legislation" world-wide
> > (in many
> > countries): SLAAC could be banned by some government at any movement.
> > Experts would easily point to alternative: (1) stateful DHCPv6
> > (natural IPv4 prolong); (2) 6lo (it is optimized for wireless).
> > Probably DHCPv6 would win, because it is easy to understand for IT&IP
> > professionals.
> > If any government would push - switchover to DHCPv6 would be fast.
> > Then fixing SLAAC would be too late. It would be the time for
> deprecation RFC.
> >
> > Eduard
> > -----Original Message-----
> > From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Michael
> > Richardson
> > Sent: 4 августа 2020 г. 2:57
> > To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> > Cc: Pascal Thubert (pthubert) <pthubert=40cisco.com@dmarc.ietf.org>rg>;
> > v6ops list <v6ops@ietf.org>rg>; 6man <ipv6@ietf.org>
> > Subject: Re: [v6ops] I-D Action: draft-ietf-6man-grand-01 - additional
> > security concerns
> >
> >
> > Templin (US), Fred L <Fred.L.Templin@boeing.com> wrote:
> >     > I wish this group could open its eyes. ND as defined in the last
> >     > century is not suited for modern fabrics, virtual machines and
> >     > wireless. It is a pain for silicon-based forwarding. Time to
> upgrade is
> >     > overdue.
> >
> > You are right!
> >
> > We either need SEND (RFC3971), or some technology that addresses the
> > same use case (RFC3756).
> > We need a for nodes to reserve resources on the router.
> >
> > Many of us would prefer that we avoid making it stateful, but in wifi
> > networks, are already allocate crypto state, and we should just
> > leverage that. (ND is just wasted effort on encrypted wifi in my
> > opinion)
> >
> >     > There is nothing broken with IPv6 ND that needs changing; it
> > just needs a new option.
> >     > We have seen how that is possible through publications like
> RFC8801.
> >
> > Also RFC8505.
> > I think, it's really really time to stop pretending everything is
> > big-blue coaxial ethernet.
> >
> >     > BTW, IPv6 itself is a last-century technology but the architects
> > had the wisdom to allow
> >     > for future extensions without needing to modify the core
> architecture..
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
> > - = IPv6 IoT consulting =-
> >
> >
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>