Hi Christian,

> -----Original Message-----
> From: Christian Huitema [mailto:[email protected]]
> Sent: Tuesday, January 10, 2017 11:34 AM
> To: Templin, Fred L <[email protected]>; 'Brian E Carpenter'
> <[email protected]>; '6man WG' <[email protected]>;
> 'INT Area' <[email protected]>
> Subject: RE: [Int-area] Route Information Options in Redirect Messages
>
> On Tuesday, January 10, 2017 9:55 AM, Fred Templin wrote:
> > ...
> > What is being proposed in the document I submitted is the inclusion of
> > RIOs in Redirect messages for a *prefix* that is not on-link, as opposed
> > to a singleton destination. So, the same SHOULD in the paragraph above
> > would seem to apply also to prefix redirection the same as for ordinary
> > destination redirection.
>
> Fred, I am reading the security section of your draft. I think it needs a
> bit more work.
>
> Currently, the RIO are only expected in router advertisements. RA are
> somewhat special, and there is often specific code in switches to check RA
> and prevent RA spoofing -- e.g., RA-Guard. Allowing the option in Redirect
> messages could very well bypass the RA specific checks. Doesn't that open
> the path for new attacks? Should you not say something about that in the
> security section? How about specific mitigations, such as sanity checks when
> processing redirect messages?

Since IP will still operate correctly if transmission of Redirect messages
is somehow suppressed (i.e., denial of Redirect service), the more serious
threat to be considered is spoofing. Here is what currently appears under
Security Considerations:

  "Security considerations for Redirect messages that include RIOs are
  the same as for any IPv6 ND messages as specified in Section 11 of
  [RFC4861]. Namely, the protocol must take measures to secure IPv6 ND
  messages on links where spoofing attacks are possible.

  A spoofed Redirect message containing no RIOs could cause corruption
  in the host's destination cache while a spoofed Redirect message
  containing RIOs could corrupt the host's routing tables. While the
  latter would seem to be a more onerous result, the possibility for
  corruption is unacceptable in either case."

So, from the first paragraph, we can see that the protocol must take
measures to secure IPv6 ND messages on links where spoofing attacks are
possible. The second paragraph then analyzes the consequences of what
could happen if a spoofing attack were successful and we see that there
are unacceptable negative consequences for both traditional Redirects and
Redirects that include RIOs.

The text stops short of saying that "no Redirects of any kind should be
used on links where spoofing attacks are possible". Would adding a
statement such as this address the concern?

Thanks - Fred
[email protected]
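
The receive-side sanity checks raised in the quoted question, as an added example that is not part of the original thread or the draft: it applies the RFC 4861 Section 8.1 Redirect validity checks and then decodes any RIOs. Assumptions: RIOs sit in the options after the 40-octet Redirect header and use the RFC 4191 encoding (type 24); the function names, addresses and sample message are constructed for illustration. These checks reject off-link and malformed messages; they do not stop a node on the same link that spoofs the first-hop router.

```python
import ipaddress
import struct

RIO_TYPE = 24  # Route Information Option type (RFC 4191)

def parse_rio(opt: bytes):
    """Decode one RIO; return None when RFC 4191 says to ignore it."""
    units, plen, flags = opt[1], opt[2], opt[3]
    lifetime = struct.unpack("!I", opt[4:8])[0]
    need = 1 if plen == 0 else 2 if plen <= 64 else 3
    if plen > 128 or not need <= units <= 3:
        raise ValueError("RIO length inconsistent with prefix length")
    if (flags >> 3) & 0x3 == 0b10:  # reserved preference value
        return None
    prefix = opt[8:].ljust(16, b"\0")
    return ipaddress.IPv6Network((prefix, plen), strict=False), lifetime

def check_redirect(icmp: bytes, src: str, hop_limit: int, first_hop: str):
    """RFC 4861 section 8.1 receive checks; returns (target, dest, rios).
    The caller is assumed to have verified the ICMPv6 checksum."""
    source = ipaddress.IPv6Address(src)
    if hop_limit != 255:
        raise ValueError("hop limit is not 255, so the packet was forwarded")
    if not source.is_link_local or source != ipaddress.IPv6Address(first_hop):
        raise ValueError("source is not the link-local first-hop router")
    if len(icmp) < 40 or icmp[0] != 137 or icmp[1] != 0:
        raise ValueError("not a Redirect: need type 137, code 0, >= 40 octets")
    target = ipaddress.IPv6Address(icmp[8:24])
    dest = ipaddress.IPv6Address(icmp[24:40])
    if dest.is_multicast:
        raise ValueError("destination address is multicast")
    if not (target.is_link_local or target == dest):
        raise ValueError("target is neither link-local nor the destination")
    rios, off = [], 40
    while off < len(icmp):
        size = icmp[off + 1] * 8 if off + 1 < len(icmp) else 0
        if size == 0 or off + size > len(icmp):
            raise ValueError("option length is zero or overruns the message")
        if icmp[off] == RIO_TYPE:
            rios.append(parse_rio(icmp[off:off + size]))
        off += size
    return target, dest, [r for r in rios if r is not None]

def sample_redirect():
    """Constructed sample: Redirect carrying one RIO for 2001:db8:1::/48."""
    target = ipaddress.IPv6Address("fe80::2").packed
    dest = ipaddress.IPv6Address("2001:db8:1::10").packed
    rio = struct.pack("!BBBBI", RIO_TYPE, 2, 48, 0, 1800)
    rio += ipaddress.IPv6Address("2001:db8:1::").packed[:8]
    return struct.pack("!BBHI", 137, 0, 0, 0) + target + dest + rio
```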
