Re: [Last-Call] [v6ops] [secdir] Secdir last call review of draft-ietf-v6ops-cpe-slaac-renum-04

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Virtually anyone that could possibly be on both interfaces has access to do far more damage to the network than would be possible from this particular vulnerability.

The northbound interface is between the CPE and the ISP. The southbound interface is to the site local area networks.

Only the site administrator(s) should (theoretically) have access to both networks. An attacker who has access to both can override virtually any automated network provisioning at the local site.

Owen


On Sep 9, 2020, at 7:17 PM, Uri Blumenthal <uri@xxxxxxx> wrote:

Capability-wise, what's the likelihood that the attacker would be present on the southbound interface, but *not* on the northbound one?

Sent from my test iPhone

On Sep 9, 2020, at 19:32, Ted Lemon <mellon@xxxxxxxxx> wrote:

 On Sep 9, 2020, at 7:16 PM, Christopher Wood via Datatracker <noreply@xxxxxxxx> wrote:
- Section 3: is it possible for an attacker to send DHCPv6 Prefix Delegations
with lifetime=0 to CE routers that support LAN-side DHCPv6 and amplify
Reconfigure messages to supporting clients? (I don't know if this is a concern
or part of the threat model, but this did seem to be a case of possible
request/response asymmetry.) - Section 4: rationale for these default values,
if available, might be worth including. (Why not make them shorter? What are
the tradeoffs?) - Section 6: it might be worth noting what happens if stable
storage is unavailable or otherwise compromised when trying to store prefix
information. What happens if the "A" or "L" bits are modified? (I suspect
nothing dangerous, but it's not clear to me whether or not integrity is
important.)

The attacker on the southbound link would have to know the transaction ID of the DHCP request/confirm/renew message, which is only sent on the northbound interface, and would have to know the DUID and IAID used by the client, again never seen on the southbound link, and would have to know the server’s DUID, again only visible northbound. I don’t think this is a feasible attack. It’s hard to see what the benefit of such an attack would be—in order to effect this attack without knowledge of the exchange on the northbound interface, the client would have to be continuously spamming the southbound link with attempts, so that would be a negative amplication factor of perhaps 2^256, perhaps less if the identifiers can be predicted and renewal times can be predicted.

And this assumes that the DHCPv6 PD client on the CPE device will even accept a DHCP Reply on its southbound interface.

:)

_______________________________________________
secdir mailing list
secdir@xxxxxxxx
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
_______________________________________________
v6ops mailing list
v6ops@xxxxxxxx
https://www.ietf.org/mailman/listinfo/v6ops

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux