Re: [v6ops] Improving ND security

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 31 July 2020 19:23 UTC

From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, v6ops list <v6ops@ietf.org>
CC: 6man <ipv6@ietf.org>
Date: Fri, 31 Jul 2020 19:22:40 +0000
Message-ID: <5a0b92a370c8438ab8c0e318c3b60e34@boeing.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vrr9iqEMH6XmwimIRaeCtcKWJ6E>
Subject: Re: [v6ops] Improving ND security

This is all good data; thank you. I don't buy the argument that SEND is too complex;
instead, I think it was simply a solution that was ahead of its time, but perhaps its
time has now come.

Fred

> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Bjoern A. Zeeb
> Sent: Friday, July 31, 2020 12:03 PM
> To: v6ops list <v6ops@ietf.org>
> Cc: 6man <ipv6@ietf.org>
> Subject: Re: [v6ops] Improving ND security
> 
> On 31 Jul 2020, at 16:58, Fernando Gont wrote:
> 
> >> Is there agreement that this is a serious problem in any case?
> >
> > It is a problem... which seems to be more cost-effective solved with
> > smaller prefixes for P2P links and/or better management of the
> > neighbor cache (e.g. be more aggressive flushing/policing NC entries
> > in the incomplete state).
> 
> I agree that there are quite a few intelligent things which can be done
> on neighbour tables under attack to a certain level. People had these
> discussions [felt] like a decade ago as well and they should be in the
> archives.
> 
> 
> > SEND seems to me like a nice idea, but overly complex for the problem
> > it's trying to address.
> 
> It is these unbacked statements which people will use to reason against
> it.
> “complex” is not a cause unless it is backed by proper arguments.
> “trust distribution” is a thing, which doesn’t really work in a
> coffee shop around the corner.
> 
> I do agree that SeND does not solve all the problems either but having
> had it running since Ana Kukec (some might remember her from IETF) did
> this in 2009/2010 for FreeBSD [1] we’ve been shipping a mixed
> kernel/user space solution based on the DoCoMo NTT works which also run
> on Linux and others.  People later produced WinSeND for Windows [2] and
> their paper read a lot like Ana’s.
> 
> I have no idea how the support for major OSes and router vendors is a
> decade later, but I’d be curious if someone would do a proper survey
> and post the results.  I think that would be super helpful (not as an
> RFC, but as a “state snapshot”);  could be a blog post or a cloud
> based spreadsheet somewhere.
> 
> /bz
> 
> 
> [1] https://wiki.freebsd.org/SOC2009AnaKukec
> [2] https://hpi.de/meinel/security-tech/next-generation-security-engineering/ipv6-security/winsend.html
>     (I hope the link is good, I cannot currently reach their site)
> 