To Opsec Subscribers,
I originally emailed the feedback below directly to Fernando Gont and he
requested I provide the feedback directly to the alias.
I have some feedback regarding this document. I feel documents like this
are primarily used by industry professionals as guides to secure their
networks. As a result, my feedback pertains specifically to helping
network administrators better apply the knowledge outlined in your RFC:
3.1.3. Manually-configured addresses
"This is typically the case for IPv6 addresses assigned to routers, since
routers do not employ automatic address configuration."
I would not state that routers do not universally employ automatic
address configuration. In order to state that, I would at least suggest
referencing an RFC where it is not recommended to use automatic address
configuration. One of the functions of IPv6 is its "plug-and-play"
nature. I feel a statement like this may be misinterpreted by the more
general audience.
"On the other hand, the search space for IPv6 wordy-addresses is
probably larger and more complex, but still greatly reduced when
compared to the original 64-bit search space."
The terminology used in this sentence does not sound technically
confident. Words like "probably" make the sentence sound unimportant. I
understand what you're getting across, but the sentence itself doesn't
feel technically strong.
3.2. IPv6 address scanning of remote area networks
"While in IPv4 networks attackers have been able to get away with
"brute force" scanning attacks (thanks to the reduced search space),
successfully performing a brute-force scan of an entire /64 network
would be infeasible."
When I first read this, I immediately agreed that performing a
brute-force attack on a /64 network would be infeasible. But then I
started to reflect on why it would be so infeasible. Computers are
getting faster, and NICs have more capacity, so their ability to create
faster mappings scales in relation. Do we have current research numbers
to state how long it takes to do a brute force scan of a /64? I think
referencing research would go a long way to convincing readers of this
statement.
"Unfortunately, a number of IPv6
implementations have been found to be unable to properly handle large
number of entries in the Neighbor Cache, and hence these address-scan
attacks may have the side effect of resulting in a Denial of Service
(DoS) attack [CPNI-IPv6] [I-D.ietf-v6ops-v6nd-problems]."
It might be worth mentioning that stateful devices in the network path,
like firewalls, will track neighbour cache and connection information.
Since these values are so much larger in IPv6, these intermediate
devices are also subject to such DoS vulnerabilities.
I am new to providing feedback on IETF documentation. So let me know if
I've missed the mark on this email. I don't know the exact format or
procedures for providing this feedback but I thought there would be no
harm in emailing the authors directly with my thoughts.
Regards,
Rama
--
Rama Darbha, CCIE#28006
919-574-5071
[email protected]
Cisco TAC - Security Solutions
RTP, NC, USA
Hours: 8h30 - 17h00 (EST)
http://www.cisco.com/tac/
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
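The feasibility question raised in the message above (how long a brute-force scan of a /64 actually takes, and how much the search space shrinks when hosts use predictable interface identifiers) as an added worked example. This is not part of the original email, the OPSEC list, or the draft under review; the probe rates, the number of known vendor OUIs and the hex-spellable word list are constructed assumptions chosen for illustration, and the strategy names are just labels used here.

```python
"""Search-space and scan-time estimates for IPv6 address scanning.

Added example, not the mailing-list author's or the draft's code.
It puts numbers on why a blind scan of a /64 is treated as infeasible
and how much smaller the space becomes when interface identifiers are
predictable (low-byte, EUI-64 with a known vendor OUI, or "wordy"
addresses built from hex-spellable words).
"""
import ipaddress
import itertools
import re

FULL_IID_SPACE = 2 ** 64           # interface identifiers in one /64
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed word list (assumption): tokens spellable with hex digits.
HEX_WORDS = ["dead", "beef", "cafe", "face", "bad", "c0de", "f00d", "1"]

HEXTET = re.compile(r"[0-9a-f]{1,4}")   # one 16-bit group of an address


def scan_time_seconds(search_space: int, probes_per_second: float) -> float:
    """Wall-clock time to probe every candidate once at a fixed rate."""
    return search_space / probes_per_second


def scan_time_years(search_space: int, probes_per_second: float) -> float:
    return scan_time_seconds(search_space, probes_per_second) / SECONDS_PER_YEAR


def low_byte_space(max_low_value: int = 256) -> int:
    """Hosts numbered ::1, ::2, ...: only the low bits of the IID vary."""
    return max_low_value


def eui64_space(known_ouis: int = 1) -> int:
    """EUI-64 IIDs embed the 48-bit MAC. If the 24-bit vendor OUI is
    known, only the 24-bit device part is unknown, per OUI."""
    return known_ouis * 2 ** 24


def wordy_space(words, groups: int = 4) -> int:
    """IIDs made of `groups` hextets, each drawn from `words`."""
    usable = [w for w in words if HEXTET.fullmatch(w)]
    return len(usable) ** groups


def wordy_addresses(prefix: str, words, groups: int = 4):
    """Enumerate the candidate addresses a wordy-IID scan would probe.
    Assumes a /64 prefix and a four-hextet IID (the draft's 64-bit case)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or groups != 4:
        raise ValueError("example assumes a /64 prefix and a 4-hextet IID")
    base = int(net.network_address)
    usable = [w for w in words if HEXTET.fullmatch(w)]
    for combo in itertools.product(usable, repeat=groups):
        iid = int("".join(w.zfill(4) for w in combo), 16)
        yield ipaddress.IPv6Address(base + iid)


def summarize(probes_per_second: float) -> dict:
    """Search space and scan time (seconds) per assignment strategy."""
    spaces = {
        "full /64 (random IIDs)": FULL_IID_SPACE,
        "low-byte (::1 .. ::ff)": low_byte_space(),
        "EUI-64, one known OUI": eui64_space(1),
        "wordy (constructed list)": wordy_space(HEX_WORDS),
    }
    return {name: (space, scan_time_seconds(space, probes_per_second))
            for name, space in spaces.items()}


if __name__ == "__main__":
    # Assumed probe rate: one million probes per second from one scanner.
    for name, (space, secs) in summarize(1e6).items():
        print(f"{name:28s} {space:>22d} candidates  {secs:>14.1f} s")
    # Even at an assumed 10^9 probes/s the full /64 takes centuries:
    print(f"full /64 at 1e9 pps: {scan_time_years(FULL_IID_SPACE, 1e9):.0f} years")
    print(next(wordy_addresses("2001:db8::/64", ["dead", "beef"])))
```

The point the numbers make is that the "infeasible" claim rests on the ratio between 2^64 and achievable probe rates, not on hardware of a given year: a thousandfold rate increase turns centuries into decades, which is still out of reach, whereas a predictable assignment pattern collapses the space to something that scans in seconds at modest rates.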