Re: [v6ops] <draft-ietf-v6ops-464xlat-optimization-00.txt> - pre-(shepherd-writeup) review

Erik Nygren <erik+ietf@nygren.org> Wed, 15 July 2020 18:17 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/wmlqyIZJ9-s4-uYkknAvfvfMSys>

On Wed, Jul 15, 2020 at 5:23 AM Jen Linkova <furry13@gmail.com> wrote:

> On Fri, Jul 10, 2020 at 9:29 PM JORDI PALET MARTINEZ
> <jordi.palet@consulintel.es> wrote:
> > [Jordi] If, instead of spoofing the AAAA, the A or even the AAAA
> > (without this optimization) is spoofed, the result is the same. In my
> > opinion it all depends on how and "where" the attack occurs, because
> > the DNS cache may be poisoned in the CPE or the hosts, etc.
>
>
> Sorry, I should have clarified. The difference is that spoofing *one*
> DNS response would affect *all* devices behind the CPE *even* if those
> devices are not using that CPE as a resolver and use DNS over [smth]
> and/or DNSSEC. My laptop might build a secure tunnel to the DNS server
> it's using and validate the response using DNSSEC.
> But it does not help because my TV asked for an A RR and the
> corresponding AAAA was spoofed on the CPE, so now all devices in my
> house cannot reach that IPv4 address.
>

It's also not just a matter of spoofing. All it takes is for one device
to get tricked into doing an A/AAAA lookup for a legitimate name
(e.g., URL embedded in an advertisement or even email) and
if the attacker controls the name being looked up they can
put in a redirection for an IPv4 address of their choice (which
could belong to someone else) to an IPv6 address of their choice
(which could belong to the attacker). As this is a legit name,
it could be happily DNSSEC signed as well. The problem is that
an attacker can return an A record for IP space they don't own.

The collision invalidation may help in some cases, but it won't help
for cases where other clients in the local network are using DoH
or are caching and using A records well past their DNS TTL (common
in some cases like older Java).
This is a fairly serious new attack vector that is very easy to exploit
(much more so than DNS spoofing).
If we see deployment of this, we should expect to see people attacking
it this way to bad effect.

    Erik
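
The limit of collision invalidation raised in the message above, as a simplified model added here (not part of the original message and not the draft's actual algorithm). The `CpeMapper` class, the host names and the documentation-range addresses are constructed assumptions; the model only assumes that the CPE learns an IPv4-to-IPv6 shortcut from the A/AAAA pairs it resolves itself and drops a shortcut when two answers conflict.

```python
# Constructed sample data (documentation address ranges, hypothetical names).
V4 = "192.0.2.10"                      # IPv4 address of the legitimate service
LEGIT = ("service.example", V4, "2001:db8:a::10")
# DNSSEC-valid zone whose owner publishes an A record for space it does not own.
OTHER = ("ad.thirdparty.example", V4, "2001:db8:bad::1")


class CpeMapper:
    """Toy CPE: learns IPv4 -> IPv6 shortcuts from DNS answers it sees."""

    def __init__(self):
        self.shortcut = {}    # IPv4 -> IPv6 learned from one A/AAAA pair
        self.invalid = set()  # IPv4 addresses with conflicting answers

    def observe(self, name, a, aaaa):
        """Record an A/AAAA pair that was resolved *through the CPE*."""
        if a in self.invalid:
            return
        if a in self.shortcut and self.shortcut[a] != aaaa:
            # Collision invalidation: two names disagree, stop optimizing.
            del self.shortcut[a]
            self.invalid.add(a)
            return
        self.shortcut[a] = aaaa

    def forward(self, dst_v4):
        """Next hop for ANY LAN host sending to dst_v4 (keyed by address)."""
        return self.shortcut.get(dst_v4, "NAT46:" + dst_v4)


def scenario(cpe_sees_legit):
    """One LAN device resolves OTHER via the CPE; a second device sends to V4.

    cpe_sees_legit=False models the second device using DoH or a stale
    cached A record, so the CPE never observes the legitimate pair.
    """
    cpe = CpeMapper()
    if cpe_sees_legit:
        cpe.observe(*LEGIT)
    cpe.observe(*OTHER)
    return cpe.forward(V4)


if __name__ == "__main__":
    print("CPE saw both names :", scenario(True))   # collision, falls back
    print("CPE saw one name   :", scenario(False))  # shortcut stays in place
```

The second case is the one collision invalidation cannot catch: the shortcut is keyed by destination address, so the device that resolved securely is still affected by a pair it never asked for.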