On Sep 9, 2010, at 9:48 PM, Mikael Abrahamsson wrote:

> On Thu, 9 Sep 2010, Fred Baker wrote:
>
>> Does that solve all problems? Obviously not. It does limit the impact of
>> certain classes of attacks. IP Source Guard, a feature from my company and
>> also from some others, is essentially the same thing for IPv4, and appears
>> to be popular in certain quarters.
>
> Exactly. DHCPv4 inspection, forced-forwarding etc., all these make IPv4
> deployable in a low-cost L2 switch environment. This is the reason the same
> ISPs deploying the above would like to run completely without RAs (or at
> least block RAs from all customer ports) and rely completely on DHCPv6 for
> address hand-out, because then the L2 device can inspect this and implement
> filters.
BTW, let me ask a question that came up recently "back at the ranch". As you no doubt know, there has been discussion on NANOG re RFC 5157 "IPv6 Implications for Network Scanning", which basically asserts that nobody in their right mind would address-scan an IPv6 network. Guess what, someone did, demonstrating that as smart as some hacks are, some of them are a little out of touch. BTW, there are ways to optimize an address scan, for the more-clueful hack (draft-baker-v6ops-greynet), and even if one can't actually scan the addresses, one can use a scan to attack other things.

A suggestion was made that the algorithms discussed in http://tools.ietf.org/html/draft-ietf-6lowpan-nd "Neighbor Discovery Optimization for Low-power and Lossy Networks" (Zach Shelby, Samita Chakrabarti, Erik Nordmark, 2-Aug-10) might be extended to generalized networks. In short, if a host wants a router to carry packets for it, it needs to register its IPv6 address (and, on an Ethernet, its MAC address) with the router, and the router might literally ensure the correspondence of the MAC address and the source IPv6 address, failing which it silently drops the packet. As a result, the router never sends an NS, except to a neighboring router, and hosts that do bad things of this category get blissfully ignored.

Could a host application still spoof packets? Yes, but it has a more demanding process to go through: it has to register the "spoofed" address with the router, meaning that if it does so at a high rate someone's likely to notice.

The argument for ND as currently defined is in essence to permit hosts to readily generate and change addresses, for scaling purposes. There is a security value in the sense that a host can hide in plain sight: if it is subjected to an attack and changes its address (pick a reason), the attack doesn't come to it any more, at least not for a while. The upside of DHCP is that it gives the operator a great deal of control. My observation, though, is that operators generally cede that to more random processes that run on routers or other equipment. I don't see the argument for DHCP in context, more for stateless DHCP, which updates parameters on all of the hosts in a subnet.

Would this kind of a service be interesting/acceptable for operators?

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
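As an added illustration (not code from the mail above or from the 6lowpan-nd draft): a toy router-side registry for the registration scheme the mail sketches, with an assumed binding lifetime and registration-rate threshold and constructed addresses, which forwards only source (IPv6, MAC) pairs that were registered and silently drops everything else, and flags a MAC that registers many addresses so that an operator would notice.

```python
from collections import defaultdict
from ipaddress import IPv6Address

# Constructed illustration: router-side registry for the scheme in the mail.
RATE_THRESHOLD = 5    # assumed: registrations per MAC before it is flagged
LIFETIME = 300        # assumed registration lifetime in seconds


class RouterRegistry:
    def __init__(self):
        self.bindings = {}                   # IPv6 -> (MAC, expiry time)
        self.reg_count = defaultdict(int)    # MAC -> registrations seen
        self.flagged = set()                 # MACs that register too often

    def register(self, ip, mac, now):
        """Host registers (ip, mac); a live binding to another MAC is refused."""
        ip, mac = IPv6Address(ip), mac.lower()
        current = self.bindings.get(ip)
        if current and current[0] != mac and current[1] > now:
            return "duplicate"          # address still owned by another MAC
        self.bindings[ip] = (mac, now + LIFETIME)
        self.reg_count[mac] += 1
        if self.reg_count[mac] > RATE_THRESHOLD:
            self.flagged.add(mac)       # many addresses from one MAC: worth a look
        return "registered"

    def check_packet(self, src_ip, src_mac, now):
        """Forward only if (src_ip, src_mac) matches an unexpired registration."""
        entry = self.bindings.get(IPv6Address(src_ip))
        if entry is None or entry[1] <= now or entry[0] != src_mac.lower():
            return "drop"               # unregistered or mismatched: silently dropped
        return "forward"


def demo():
    """Constructed traffic: one legitimate host, one host churning addresses."""
    r = RouterRegistry()
    r.register("2001:db8::10", "00:11:22:33:44:55", now=0)
    results = [
        r.check_packet("2001:db8::10", "00:11:22:33:44:55", now=1),    # registered pair
        r.check_packet("2001:db8::10", "66:77:88:99:aa:bb", now=1),    # MAC does not match
        r.check_packet("2001:db8::99", "00:11:22:33:44:55", now=1),    # never registered
        r.check_packet("2001:db8::10", "00:11:22:33:44:55", now=400),  # registration expired
    ]
    for i in range(1, 8):   # seven registrations from one MAC trips the rate flag
        r.register(f"2001:db8::{i:x}00", "66:77:88:99:aa:bb", now=2)
    return results, "66:77:88:99:aa:bb" in r.flagged
```

Calling `demo()` returns `(["forward", "drop", "drop", "drop"], True)`; the expiry check is what lets a host "hide in plain sight" by letting go of an old address without the router holding a stale binding against it.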
