Hi, Marc,

On 06/01/2011 07:57 AM, Marc Heuse wrote:
> this surprised me for two things.
>
> First: Cisco was not aware.

I mentioned this issue to at least one guy @ PSIRT. Nevertheless, it has to tell what it takes for a vendor to be aware. I have had some experience in the past in which I notified an issue to vendors (more than one issue, more than one vendor), and they showed no concerns. One year later they ended up publishing advisories in response to the same issues, but reported much later than when we had reported them.

> So you tell you discovered this issue as
> well and you informed vendors, but the only vendor who really has RA
> support so far is Cisco, and they did not know.

We had worked on this thing for a while. IIRC, I talked with a few guys about this in November 2010 or so (including, IIRC, some guys involved in NDPMon) -- For instance, I posted on the ipv6ops mailing-list (in November/December 2010) a few comments noting that RA-Guard could be evaded.

(And, FWIW, vendors have been sitting on a number of other ND issues that I asked them to perform on their systems for more than a year now. -- as an example, see my slides for LACSEC 2011 at http://www.gont.com.ar/talks)

> So I recommend that you don't keep your findings to your group but
> actively inform the vendors about that, and that not via an Internet draft.

It is not really up to me who gets informed of what, or when. Nonetheless, those times in which I got involved in the business of "cooperating" with vendors, it didn't turn out to be the best thing on which to spend time and energy.

> Second: it is always a race who is credited as the finder of an issue.
> As anybody can claim he had the vulnerability in his drawers for years,
> only the person who publishes it gets the credit, so sorry :-)

That wasn't the purpose of the note in my I-D. -- Sorry if it came across like that.
For the most part, it tried to make the point that the work that we did had been carried out independently from your own research... but that we simply had not released our work. (i.e., that it was not that I simply read a post of yours, and decided to write an I-D about it).

> I had my attack tool since beginning of January :-) - which is pretty
> sure before your group discovered that, and I published first :-)

As noted, we were talking about this in November 2010, already. However, as far as I'm concerned, this discussion is nonsensical. The work that you've done on v6 security is more important than a specific IPv6 vulnerability (whether this, or another one). It was the first IPv6 attack suite that was publicly released (before I worked on any of my tools or documents), and probably the first real intent to advance IPv6 security.

We have a 200+ page document about IPv6 security waiting to be published, and I hope that you get the credit you deserve for the work you've done on IPv6 security. -- there's only a handful of us working on v6 security (other than blah-blah about how IPsec usage is going to increase, etc.)

> that being said I have started to inform vendors of two new IPv6
> vulnerability types now, and nobody has told them about these before either.

Please see slides 27-30 of: http://www.gont.com.ar/talks/hacklu2009/fgont-hacklu2009-tcp-security.pdf (just an example). -- I'm just trying to make a point that things with vendors do not always work as expected....

That aside (and *aside* from this RA-Guard thing), I should note that it is usually only the discovery of vulnerabilities that gets credited, and not the production of countermeasures -- which is, IMHO, rather unfair.

> But nonetheless - good work, good draft proposals, that's the way to go
> with the issue.

Thanks for the comments! Any additional feedback that could help to improve the documents will be highly appreciated.

P.S.: This whole thing is probably an indication that we should be cooperating more between each other regarding IPv6 security....

Thanks,
--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1