At 06:03 29-03-2013, The IESG wrote:
The IESG has received a request from the Operational Security
Capabilities for IP Network Infrastructure WG (opsec) to consider the
following document:
- 'Security Implications of IPv6 on IPv4 Networks'
<draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> as
Informational RFC
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2013-04-12. Exceptionally, comments may be
From Section 6:
"In general, the possible mitigations boil down to enforcing on native
IPv6 and IPv6 transition/co-existence traffic the same security
policies currently enforced for IPv4 traffic, and/or blocking the
aforementioned traffic when it is deemed as undesirable."
My reading of the mitigation is that it comes down to blocking
everything IPv6. The draft seems to treat every network as a
military operation network.
In Section 1:
"Native IPv6 support could also possibly lead to VPN traffic leakages
when hosts employ VPN software that not only does not support IPv6,
but that does nothing about IPv6 traffic.
[I-D.ietf-opsec-vpn-leakages] describes this issue, along with
possible mitigations."
I don't understand the relationship between the above and "IPv4-only" networks.
From Section 2:
"This means that even if a network is expected to be IPv4-only,
much of its infrastructure is nevertheless likely to be
IPv6 enabled."
What is an IPv4-only network?
"[CORE2007] is a security advisory about a buffer overflow which
could be remotely-exploited by leveraging link-local IPv6
connectivity that is enabled by default."
How is this attack mitigated within the context of the draft?
"Additionally, unless appropriate measures are taken, an attacker with
access to an 'IPv4-only' local network could impersonate a local
router and cause local hosts to enable their 'non-link-local' IPv6
connectivity (e.g. by sending Router Advertisement messages),
possibly circumventing security controls that were enforced only on
IPv4 communications."
Where is the mitigation for this?
From Section 4:
"IPv6 deployments in the Internet are continually increasing"
I am no longer worried about IPv6 deployment as the OPSEC working
group has a plan to stop that. :-)
'Upstream filtering of transition technologies or situations
where a mis-configured node attempts to "provide" native IPv6
service on a given network without proper upstream IPv6 connectivity
may result in hosts attempting to reach remote nodes via IPv6, and
depending on the absence or presence and specific implementation
details of "Happy Eyeballs" [RFC6555], there might be a non-trivial
timeout period before the host falls back to IPv4 [Huston2010a]
[Huston2012].'
I don't see what "Happy Eyeballs" has to do with operational security.
"For this reason, networks attempting to prevent IPv6 traffic from
traversing their devices should consider configuring their local
recursive DNS servers to respond to queries for AAAA DNS records with
a DNS RCODE of 3 (NXDOMAIN) [RFC1035] or to silently ignore such
queries, and should even consider filtering AAAA records at the
network ingress point to prevent the internal hosts from attempting
their own DNS resolution."
The above breaks DNS in an attempt to remove everything IPv6 related
from the network.
The title of the draft is "Security Implications of IPv6 on IPv4
Networks". The Abstract mentions "IPv4-only" networks. The
Introduction Section mentions "networks that are assumed to be
IPv4-only". I don't understand what this draft is about. I guess
that I should watch http://www.youtube.com/watch?v=kunc5EeN7Dk :-)
Regards,
-sm
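The following is an added illustration, not part of the message above or of the draft it discusses, of the DNS side effect the Section 4 quote and the "breaks DNS" remark are about. It models a resolver cache that honours RFC 2308 negative caching and compares the draft's suggested policy (RCODE 3, NXDOMAIN, for AAAA queries) against a type-specific empty answer (NOERROR with no records, usually called NODATA). The zone contents, the name www.example.test and the addresses 192.0.2.10 and 2001:db8::10 are constructed placeholders; the policy names are assumptions of this example, not terms from the draft.

```python
"""Toy model of RFC 2308 negative caching under different AAAA-answer policies.

Constructed example: the zone data, names and addresses are placeholders.
It shows why an NXDOMAIN answer for an AAAA query is not type-specific:
NXDOMAIN asserts that the *name* does not exist, so any downstream cache
(a forwarding resolver, a caching stub) that honours RFC 2308 may answer a
later A query for the same name from the negative cache, without asking
upstream. A NODATA answer (NOERROR, empty answer section) is cached per
(name, type) and leaves A resolution intact.
"""
from dataclasses import dataclass

NOERROR = 0    # DNS RCODE 0
NXDOMAIN = 3   # DNS RCODE 3, the value the quoted draft text suggests


@dataclass(frozen=True)
class Response:
    rcode: int
    qtype: str
    answers: tuple = ()


class Zone:
    """Constructed authoritative data: one dual-stack host name."""

    def __init__(self):
        self.records = {
            ("www.example.test", "A"): ("192.0.2.10",),
            ("www.example.test", "AAAA"): ("2001:db8::10",),
        }

    def answer(self, name, qtype):
        if not any(n == name for n, _ in self.records):
            return Response(NXDOMAIN, qtype)
        return Response(NOERROR, qtype, self.records.get((name, qtype), ()))


def recursive_server(zone, name, qtype, aaaa_policy):
    """The local recursive server with one of three AAAA policies (names are
    assumptions of this example): 'pass' answers normally, 'nxdomain' is the
    draft's suggestion, 'nodata' returns NOERROR with an empty answer."""
    if qtype == "AAAA" and aaaa_policy == "nxdomain":
        return Response(NXDOMAIN, qtype)
    if qtype == "AAAA" and aaaa_policy == "nodata":
        return Response(NOERROR, qtype, ())
    return zone.answer(name, qtype)


class NegativeCachingResolver:
    """Downstream cache applying RFC 2308 semantics:
    NXDOMAIN is cached per name and answers every later qtype for that name;
    NODATA is cached per (name, qtype) only."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.positive = {}
        self.nxdomain_names = set()
        self.nodata = set()

    def resolve(self, name, qtype):
        if name in self.nxdomain_names:
            return Response(NXDOMAIN, qtype)           # served from negative cache
        if (name, qtype) in self.nodata:
            return Response(NOERROR, qtype, ())
        if (name, qtype) in self.positive:
            return Response(NOERROR, qtype, self.positive[(name, qtype)])
        resp = self.fetch(name, qtype)
        if resp.rcode == NXDOMAIN:
            self.nxdomain_names.add(name)
        elif resp.rcode == NOERROR and not resp.answers:
            self.nodata.add((name, qtype))
        elif resp.rcode == NOERROR:
            self.positive[(name, qtype)] = resp.answers
        return resp


def simulate(aaaa_policy):
    """A dual-stack client queries AAAA first, then A, for the same name.
    Returns (AAAA rcode, A rcode, A answers) as seen by the client."""
    zone = Zone()
    cache = NegativeCachingResolver(
        lambda n, t: recursive_server(zone, n, t, aaaa_policy))
    aaaa = cache.resolve("www.example.test", "AAAA")
    a = cache.resolve("www.example.test", "A")
    return aaaa.rcode, a.rcode, a.answers


if __name__ == "__main__":
    for policy in ("pass", "nxdomain", "nodata"):
        print(policy, simulate(policy))
```

With the 'nxdomain' policy the client never obtains the A record, because the cached NXDOMAIN for the name short-circuits the second query; with 'nodata' the AAAA answer is empty but A resolution still succeeds. Whether a particular real stub resolver behaves this way depends on its own caching, so the model should be read as the RFC 2308 rule, not as a claim about any specific implementation.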