Re: Routing loop attacks using IPv6 tunnels
Dmitry and Fred,
Indeed, using different values in the Protocol field for different automatic tunnel protocols can help in mitigating the routing loops. It is useful when the two victims employ _different_ tunneling protocols. However, this measure will not be useful for mitigating routing loops between two nodes that employ the same tunneling protocol. I think that this may reduce the motivation to apply this measure.
In addition, making such a change to the semantics of the Protocol field is a big step that should be considered thoroughly.
Gabi
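The two mitigations discussed in this thread, as an added Python example that is not part of the thread, of draft-nakibly-v6ops-tunnel-loop-01, or of any ISATAP or 6to4 implementation: a decapsulator model for a 6to4 relay and an ISATAP router that first applies the protocol-number filter Fred proposes (a packet that is not ip-proto-41 is never decapsulated by an ip-proto-41 tunnel, so tunnels on different protocol numbers cannot feed each other) and then the inner/outer source-address consistency checks that 6to4 (RFC 3964, decapsulation checks) and ISATAP (RFC 5214 section 7.3, which also accepts IPv4 sources on the Potential Router List) already specify. The second check is the one that still applies when both endpoints speak ip-proto-41 and the protocol number cannot tell them apart, which is Gabi's point above. The `Encapsulated` packet model, the `decapsulate`, `six2four_embedded_v4`, `isatap_embedded_v4` and `run_examples` names, and all addresses (documentation prefixes) are my own constructions; the specific check set of the draft is not reproduced on this page and is not claimed here.

```python
import ipaddress
from dataclasses import dataclass

# "ip-proto-41": IPv6-in-IPv4 encapsulation, shared by 6to4 and ISATAP
IPPROTO_IPV6 = 41
SIX2FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")   # RFC 3056


@dataclass(frozen=True)
class Encapsulated:
    """Constructed model of an IPv6-in-IPv4 packet as seen at the decapsulator."""
    outer_proto: int   # IPv4 Protocol field
    outer_src: str     # outer IPv4 source address
    inner_src: str     # inner IPv6 source address


def six2four_embedded_v4(addr):
    """IPv4 address embedded in a 6to4 address 2002:V4ADDR::/48, or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX2FOUR_PREFIX:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def isatap_embedded_v4(addr):
    """IPv4 address embedded in an ISATAP interface identifier
    (::0:5efe:V4ADDR or ::200:5efe:V4ADDR, RFC 5214 section 6.1), or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:16]
    if iid[0:2] in (b"\x00\x00", b"\x02\x00") and iid[2:4] == b"\x5e\xfe":
        return ipaddress.IPv4Address(iid[4:8])
    return None


def decapsulate(pkt, tunnel_kind, prl=()):
    """Accept/drop decision of a 6to4 relay or ISATAP router; returns (accept, reason).
    prl: ISATAP Potential Router List, IPv4 addresses as strings (hypothetical input)."""
    # 1. Protocol-number filter: a decapsulator for one protocol number never
    #    touches packets of another, so tunnels on different numbers cannot loop.
    if pkt.outer_proto != IPPROTO_IPV6:
        return False, "not ip-proto-41: another tunnel protocol, ignored here"
    outer_src = ipaddress.IPv4Address(pkt.outer_src)
    # 2. Inner/outer source consistency: the check that still matters when both
    #    endpoints speak ip-proto-41 and the protocol number cannot tell them apart.
    if tunnel_kind == "6to4":
        embedded = six2four_embedded_v4(pkt.inner_src)
        if embedded is not None and embedded != outer_src:
            return False, "6to4 inner source does not embed the outer IPv4 source"
        return True, "ok"
    if tunnel_kind == "isatap":
        if str(outer_src) in prl:
            return True, "ok: outer source is a listed ISATAP router"
        if isatap_embedded_v4(pkt.inner_src) == outer_src:
            return True, "ok: inner ISATAP source embeds the outer IPv4 source"
        return False, "ISATAP source check failed"
    raise ValueError(f"unknown tunnel kind {tunnel_kind!r}")


def run_examples():
    """Constructed packets exercising each branch; returns name -> accepted."""
    good = Encapsulated(41, "192.0.2.1", "2002:c000:201::1")        # embeds 192.0.2.1
    spoofed = Encapsulated(41, "198.51.100.7", "2002:c000:201::1")  # outer/inner mismatch
    other_proto = Encapsulated(47, "198.51.100.7", "2002:c000:201::1")
    isatap_ok = Encapsulated(41, "192.0.2.1", "fe80::5efe:c000:201")
    isatap_bad = Encapsulated(41, "198.51.100.7", "fe80::200:5efe:c000:201")
    return {
        "6to4_good": decapsulate(good, "6to4")[0],
        "6to4_spoofed": decapsulate(spoofed, "6to4")[0],
        "6to4_other_proto": decapsulate(other_proto, "6to4")[0],
        "isatap_good": decapsulate(isatap_ok, "isatap")[0],
        "isatap_bad": decapsulate(isatap_bad, "isatap")[0],
        "isatap_from_prl": decapsulate(isatap_bad, "isatap", prl=("198.51.100.7",))[0],
    }


if __name__ == "__main__":
    for name, accepted in run_examples().items():
        print(f"{name:18} {'accept' if accepted else 'drop'}")
```

The `6to4_other_proto` case is the only one the protocol-number filter decides; `6to4_spoofed` and `isatap_bad` are both ip-proto-41 and are caught only by the address consistency check, which is why that check keeps its value even if new tunnel protocols move to other protocol numbers.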
----- Original Message ----
> From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
> To: Dmitry Anipko <Dmitry.Anipko@microsoft.com>; Gabi Nakibly <gnakibly@yahoo.com>; v6ops <v6ops@ops.ietf.org>
> Cc: "ipv6@ietf.org" <ipv6@ietf.org>; "secdir@ietf.org" <secdir@ietf.org>
> Sent: Fri, March 12, 2010 11:13:05 PM
> Subject: RE: Routing loop attacks using IPv6 tunnels
>
> Hi Dmitry,
>
> > -----Original Message-----
> > From: Dmitry Anipko [mailto:Dmitry.Anipko@microsoft.com]
> > Sent: Friday, March 12, 2010 12:54 PM
> > To: Templin, Fred L; Gabi Nakibly; v6ops
> > Cc: ipv6@ietf.org; secdir@ietf.org
> > Subject: RE: Routing loop attacks using IPv6 tunnels
> >
> > Hello,
> >
> > I wanted to follow up on Fred's comment earlier in this thread:
> >
> > >> OK. That will greatly simplify the checks needed for new
> > >> automatic tunneling protocols that have a format other
> > >> than ip-proto-41.
> >
> > For the designers of new tunneling protocols, shall perhaps a recommendation on best practices be included into the draft or another document, that for the new tunnels a different protocol value / format should be used?
>
> Are you referring here to 'draft-nakibly-v6ops-tunnel-loop-01'? If so, IMHO this document would be the natural location for such a recommendation.
>
> > Examples of such protocol / formats could include using a different next-protocol value, potentially with some multiplexing schema if just using different next-protocol values is not scalable, or possibly some other format.
>
> Yes, I think it would be very good to declare ip-proto-41 as fully-developed and recommend that new tunneling protocols use a different ip protocol number and/or TCP/UDP port number. This would greatly reduce the concern for having to go back and revisit tunneling implementations that perform src/dst checks if a new tunneling protocol happens to emerge. Gabi - do you have any thoughts on this?
>
> Thanks - Fred
> fred.l.templin@boeing.com
>
> > Thank you,
> > Dmitry
> >
> > -----Original Message-----
> > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin, Fred L
> > Sent: Friday, August 28, 2009 1:25 PM
> > To: Gabi Nakibly; v6ops
> > Cc: ipv6@ietf.org; secdir@ietf.org
> > Subject: RE: Routing loop attacks using IPv6 tunnels
> >
> > Gabi,
> >
> > > -----Original Message-----
> > > From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> > > Sent: Friday, August 28, 2009 12:07 PM
> > > To: Templin, Fred L; v6ops
> > > Cc: ipv6@ietf.org; secdir@ietf.org
> > > Subject: Re: Routing loop attacks using IPv6 tunnels
> > >
> > > Correct. All the attacks rely on the fact that the ISATAP router encapsulates/decapsulates a packet the 6to4 relay decapsulates/encapsulates, respectively. So the two tunnels must have the same encapsulation type.
> >
> > OK. That will greatly simplify the checks needed for new automatic tunneling protocols that have a format other than ip-proto-41.
> >
> > Fred
> > fred.l.templin@boeing.com
> >
> > > ----- Original Message ----
> > > > From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
> > > > To: Gabi Nakibly <gnakibly@yahoo.com>; v6ops <v6ops@ops.ietf.org>
> > > > Cc: ipv6@ietf.org; secdir@ietf.org
> > > > Sent: Friday, August 28, 2009 7:23:03 PM
> > > > Subject: RE: Routing loop attacks using IPv6 tunnels
> > > >
> > > > Gabi,
> > > >
> > > > Correct me if I am wrong, but if there were a new version of ISATAP that did not use ip-proto-41 encapsulation but instead used a different kind of encapsulation, then it need not concern itself with routing loop interactions with 6to4 relays since 6to4 relays only know about ip-proto-41. Does that match your understanding?
> > > >
> > > > Thanks - Fred
> > > > fred.l.templin@boeing.com
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------