More on IPv6 RA-Guard evasion (IPv6 security)
Folks,

A few months ago I had published a couple of IETF Internet-Drafts to tackle the problem of RA-Guard evasion -- A summary of the problem and pointers to relevant materials is available at: http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html

The two I-Ds are:

* http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-01.txt
* http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-01.txt

The former one explains the different attack vectors, and proposes operational counter-measures. The latter proposes a longer-term solution.

I'm planning to revise these two I-Ds soon, so any comments/feedback/discussion would be really welcome.

P.S.: In case you haven't, you may want to join the IPv6 Hackers mailing-list: http://www.si6networks.com/community/mailing-lists.html

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
web: http://www.si6networks.com

Hi Fernando,

I gave you my feedback and some advice during the IETF in Quebec in a 1-2-1 email. My hopes are that you integrate the feedback.

The draft RA-Guard is correct and needs no fixing.

I agree that my security section in the RA-Guard RFC is a bit light on content. However the main thing is that implementations for RA-Guard use traditional ACLs for achieving the goal and then of course these implementations can be bypassed with well known and documented ACL bypass techniques.

You can keep rambling the kettle here, but keep the above in mind if you desire to proceed with this work.

G/

-----Original Message-----
From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Fernando Gont
Sent: 05 September 2011 05:54
To: ipv6-wg@ripe.net
Subject: [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)

Folks,

A few months ago I had published a couple of IETF Internet-Drafts to tackle the problem of RA-Guard evasion -- A summary of the problem and pointers to relevant materials is available at: http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html

The two I-Ds are:

* http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-01.txt
* http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-01.txt

The former one explains the different attack vectors, and proposes operational counter-measures. The latter proposes a longer-term solution.

I'm planning to revise these two I-Ds soon, so any comments/feedback/discussion would be really welcome.

P.S.: In case you haven't, you may want to join the IPv6 Hackers mailing-list: http://www.si6networks.com/community/mailing-lists.html

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
web: http://www.si6networks.com

Hi, Gunter,

On 09/05/2011 05:12 AM, Gunter Van de Velde (gvandeve) wrote:

> I gave you my feedback and some advice during the IETF in Quebec in a 1-2-1 email. My hopes are that you integrate the feedback.

Yes. I'll revise the I-D as proposed.

> The draft RA-Guard is correct and needs no fixing.

Do you mean the RA-Guard RFC, or my RA-Guard evasion I-D?

> I agree that my security section in the RA-Guard RFC is a bit light on content. However the main thing is that implementations for RA-Guard use traditional ACLs for achieving the goal and then of course these implementations can be bypassed with well known and documented ACL bypass techniques.

My I-D is not meant to trash any others' work -- sorry if it came across like that. (The next version of the I-D will be revised as you had suggested off-list.)

That said (and aside from the project of pursuing this work), I do think that RA-Guard skips important considerations that should be taken into account to implement the "RA-Guard concept" in a real device -- which IMHO are core to the mechanism, rather than just a security consideration.

> You can keep rambling the kettle here,

Not sure what this expression means (English as second language here) -- anyway I was just asking for feedback.

> but keep the above in mind if you desire to proceed with this work.

As noted, I'll do.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
web: http://www.si6networks.com | Twitter: @SI6Networks