Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 25 October 2021 12:01 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Gert Doering <gert@space.net>
CC: Andrew Alston <Andrew.Alston@liquidtelecom.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
Thread-Index: AQHXyRlyE2pKHmh5b0+Yuk6vs+00KavjPv0AgACANwA=
Date: Mon, 25 Oct 2021 12:00:46 +0000
Message-ID: <AA8D0783-E577-4D9B-B6E7-A499B71F2102@cisco.com>
References: <9BF3A772-EFCD-403E-9089-15FDC941EC69@cisco.com> <YXZM/gDya6lTjykV@Space.Net>
In-Reply-To: <YXZM/gDya6lTjykV@Space.Net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/zmKA9eGmy-VfsHlCCRLDFWRIsmc>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Hello Gert,

Long time no see... I hope that all is well for you and your relatives.

<still wearing no specific hat>

See below for EV> comments; I have elided some text where we agree.

Regards

-éric

On 25/10/2021, 08:22, "Gert Doering" <gert@space.net> wrote:

...%<....%<.....

    [..]
    > About the looping attacks, there is no amplification here as the
    > compromised host needs to generate N packets to force the non-compromised
    > tunnel endpoint to generate N (shorter) packets. The RFC 6324
    > describes a related attack with amplification using ISATAP.

    The looping attack is similar to what was described for RH0 - you send
    one packet, but that packet traverses the target network multiple times,
    pingponging between participating routers.

EV> Of course RH-3 (RFC 6554) and RH-4 (RFC 8754) have the same issues as RH-0, and we all know that the RH-0 issue was documented a long time ago by RFC 5095. RPL & SRH are per design limited to a specific domain (and SRH can even have a HMAC TLV -- even if not protecting against a compromised SRH node).

EV> My reading of Andrew's original email is that the attack is different from the good old RH-0 attack: a compromised router A sends an encapsulated packet to B, which decapsulates and sends the decapsulated packet back to A, which is then re-encapsulated and so on... This is different from the RFC 5095 attack: an in-domain node must be compromised and there is only an x2 amplification by B sending the traffic to A. Of course, A could send its SRH with a convoluted route to 'burn' more bandwidth. But, honestly, if I 'pawned' a router, then I would rather attack the control plane than the data plane.

    > It is clear that tunnel endpoints (whether GRE, ISATAP, IPsec,
    > or even SRH) should not trust blindly any packets and should only
    > decapsulate valid packets (based at the minimum on source address
    > and applying BCP38 and infrastructure ACL at their edge -- if
    > applicable). In the case of SRH[2] (or any RH actually even MIPv6
    > or RPL), this function should not be enabled by default and must
    > be configured correctly.

    So, if you turn on SR6 in your network, how would you protect said 
    network against malicious hosts *in* your network?

EV> it is clear that hosting VMs in your SRv6 'underlay' is probably not really wise ;-) 
EV> AFAIK, the SRv6 use cases are L[23]VPN or Data Center fabric. And in the case of MPLS-VPN, having a compromised P or PE router can also have devastating consequences. I.e., nothing really new under the Sun.

    Of course "not using SR6" or "block all EH from hosts" is a viable 
    strategy, but might not be how the inventors intended things to be used...

EV> if a transit provider on the public Internet blindly enables RPL or SRH on her/his network, then this won't be really smart either. The same applies to a vendor shipping routers/VMs with RPL/SRH enabled by default.

EV> forwarding RH-3 or RH-4 on your network as long as the DA does not trigger any RH processing is perfectly fine of course (it takes 10 minutes to craft an SRH/RPL packet with Scapy and send it anywhere, and it will most probably arrive at its destination).


    Gert Doering
            -- NetMaster
    -- 
    have you enabled IPv6 on something today...?

    SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
    Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
    D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
    Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
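The endpoint policy this exchange converges on (RH processing and decapsulation off by default, enabled only for sources inside the SR domain, transit packets carrying an RH forwarded untouched) as a small Python model. This is an added example, not code from either correspondent; the `Pkt`/`Endpoint` classes, the action strings, the documentation-prefix addresses and the ping-pong heuristic (inner destination equal to the outer source) are assumptions of this example, not something the mail specifies.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional, Tuple

@dataclass
class Pkt:
    src: str
    dst: str
    rh_type: Optional[int] = None   # 3 = RPL SRH (RFC 6554), 4 = SRv6 SRH (RFC 8754)
    inner: Optional["Pkt"] = None   # payload of an IPv6-in-IPv6 encapsulation

@dataclass
class Endpoint:
    local: frozenset                  # addresses this node terminates
    domain: Tuple[IPv6Network, ...]   # SR-domain prefixes admitted by the infrastructure ACL
    srh_enabled: bool = False         # RH processing is off unless explicitly configured
    decap_enabled: bool = False       # same for tunnel decapsulation

    def in_domain(self, addr: str) -> bool:
        return any(IPv6Address(addr) in net for net in self.domain)

    def handle(self, pkt: Pkt) -> Tuple[str, Optional[Pkt]]:
        # Transit: the RH is only examined when the DA is ours, so RH-3/RH-4 packets addressed elsewhere are forwarded.
        if pkt.dst not in self.local:
            return "forward", pkt
        if pkt.rh_type in (3, 4):
            if not self.srh_enabled:
                return "drop:srh-disabled", None
            if not self.in_domain(pkt.src):   # source check + infrastructure ACL
                return "drop:srh-outside-domain", None
            return "process-srh", pkt
        if pkt.inner is not None:
            if not self.decap_enabled:
                return "drop:decap-disabled", None
            if not self.in_domain(pkt.src):
                return "drop:decap-outside-domain", None
            # Heuristic (assumption, not from the mail): inner packet aimed back at the encapsulator = A->B->A ping-pong.
            if pkt.inner.dst == pkt.src:
                return "drop:pingpong", None
            return "decapsulate", pkt.inner
        return "deliver", pkt

# Constructed sample nodes and traffic; 2001:db8::/32 is the documentation prefix.
DOMAIN = (IPv6Network("2001:db8:1::/48"),)
B = Endpoint(frozenset({"2001:db8:1::b"}), DOMAIN, srh_enabled=True, decap_enabled=True)
OFF = Endpoint(frozenset({"2001:db8:1::b"}), DOMAIN)   # vendor default: nothing enabled

def demo() -> list:
    return [
        B.handle(Pkt("2001:db8:9::1", "2001:db8:2::7", rh_type=4))[0],   # transit SRH: forwarded
        B.handle(Pkt("2001:db8:9::1", "2001:db8:1::b", rh_type=4))[0],   # SRH from outside the domain
        B.handle(Pkt("2001:db8:1::a", "2001:db8:1::b", inner=Pkt("2001:db8:1::c", "2001:db8:1::a")))[0],  # loop pattern
        OFF.handle(Pkt("2001:db8:1::a", "2001:db8:1::b", rh_type=4))[0], # default-off node
    ]
```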