Michael Richardson
2014-07-24 22:17:24 UTC
Lorenzo spoke at the mic about a "drive-by" attack on an IPv4-only network.
I just want to make it clear who is impacted and how.
1) It's an IPv4-only network.
2) It has "modern" hosts, built after publication of draft-ietf-sunset4-noipv4.
3) It's open to some form of attackers.
So the "Starbucks" coffee-shop network of 2018.
It seems somewhat realistic to me.
I'm excluding home wifi networks, because I assume that they are either
layer-2 secure, or can identify brother/sister attacks through other means.
The attacker sends a number of IPv6 RAs per second.
They don't have to use a lot of bandwidth to do this; they just need to
beat the newly booting/connecting host's emitting a DHCPv4 DISCOVER.
The host, ignoring that this is a hint, has to suppress *all* DHCPv4 DISCOVER
messages when it sees the RA noipv4 option.
If the host has successfully sent a DISCOVER message, it might get a DHCPv4
OFFER, which may or may not be bogus (maybe the RA is legit and the DHCP is
bogus), and if it does, it would assume that there is v4, and would configure
IPv4.
I think that Lorenzo's concerns are real.
He feels, I think, that given the degree to which the noipv4 option would be
a hint to do DHCPv4 less often, rather than to turn it off completely, that
it would therefore become useless.
My understanding is that the problem with DHCPv4 discovers is that they are
layer-2 broadcasts, and just asking is killing some larger networks that were
trying to benefit from savings by deploying IPv6.
--
Michael Richardson <mcr+***@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
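
A defender-side view of the scenario in the message above, as an added example that is not part of the original post: a monitor on the access network walks the option list of each Router Advertisement and flags RAs from senders that are not known routers (on an IPv4-only network that set is empty), noting when they carry the noipv4 option. The post gives no option number, so `NOIPV4_OPT_PLACEHOLDER` is a constructed placeholder, and the function names and sample packets are assumptions made for illustration.

```python
import struct

ND_ROUTER_ADVERT = 134          # ICMPv6 type for a Router Advertisement
# Assumption: placeholder only, not an assigned option number.
NOIPV4_OPT_PLACEHOLDER = 0xFD


def ra_options(icmp6: bytes):
    """Yield (type, body) for each option in an ICMPv6 RA message."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    off = 16  # fixed header: type, code, checksum, hop limit, flags, lifetime, two timers
    while off + 2 <= len(icmp6):
        opt_type, units = icmp6[off], icmp6[off + 1]
        size = units * 8  # option length is counted in units of 8 octets
        if units == 0 or off + size > len(icmp6):
            raise ValueError("malformed option")
        yield opt_type, icmp6[off + 2:off + size]
        off += size


def classify(src_mac, icmp6, known_routers, noipv4_type=NOIPV4_OPT_PLACEHOLDER):
    """Return 'ok', 'rogue-ra', 'rogue-ra-noipv4', or 'malformed' (also for non-RA input)."""
    try:
        types = {t for t, _ in ra_options(icmp6)}
    except ValueError:
        return "malformed"
    if src_mac in known_routers:
        return "ok"
    return "rogue-ra-noipv4" if noipv4_type in types else "rogue-ra"


def build_ra(options=b""):
    """Constructed sample RA for testing (checksum left at zero, not validated here)."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + options


# Constructed sample options: source link-layer address (type 1) and the placeholder option.
SLLAO = bytes([1, 1]) + bytes.fromhex("02005e000001")
NOIPV4 = bytes([NOIPV4_OPT_PLACEHOLDER, 1]) + bytes(6)

if __name__ == "__main__":
    ipv4_only_site = set()  # no router is expected to send RAs here
    print(classify("02:00:5e:00:00:01", build_ra(SLLAO + NOIPV4), ipv4_only_site))
```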