IPv6 Implications for Network Scanning
draft-ietf-v6ops-scanning-implications-04
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22 | 04 | (System) | post-migration administrative database adjustment to the No Objection position for Jari Arkko |
2012-08-22 | 04 | (System) | post-migration administrative database adjustment to the No Objection position for Tim Polk |
2012-08-22 | 04 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2008-01-22 | 04 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2008-01-22 | 04 | Amy Vezza | IESG state changed to Approved-announcement sent |
2008-01-22 | 04 | Amy Vezza | IESG has approved the document |
2008-01-22 | 04 | Amy Vezza | Closed "Approve" ballot |
2008-01-22 | 04 | Ron Bonica | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Ron Bonica |
2008-01-22 | 04 | (System) | IANA Action state changed to No IC from In Progress |
2008-01-22 | 04 | (System) | IANA Action state changed to In Progress |
2008-01-22 | 04 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Discuss by Jari Arkko |
2007-11-20 | 04 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2007-11-20 | 04 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to No Objection from Undefined by Tim Polk |
2007-11-20 | 04 | Tim Polk | [Ballot Position Update] Position for Tim Polk has been changed to Undefined from Discuss by Tim Polk |
2007-11-19 | 04 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2007-11-19 | 04 | (System) | New version available: draft-ietf-v6ops-scanning-implications-04.txt |
2007-11-03 | 04 | Samuel Weiler | Request for Telechat review by SECDIR Completed. Reviewer: Jeffrey Hutzelman. |
2007-11-02 | 04 | (System) | Removed from agenda for telechat - 2007-11-01 |
2007-11-01 | 04 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2007-11-01 | 04 | Jari Arkko | [Ballot discuss] Overall, this document would be improved if it simply described the implications or lack thereof for scanning, as opposed to starting from the statement that scanning is much harder in IPv6, and going through rather extreme pain in making that statement true (e.g., filling DNS with 2^64 entries). Some suggested specific improvements: From the abstract: > The 128 bits of IPv6 address space is considerably bigger than the 32 bits of address space of IPv4. In particular, the IPv6 subnets to which hosts attach will by default have 64 bits of host address space. As a result, traditional methods of remote TCP or UDP network scanning to discover open or running services on a host will potentially become less feasible, due to the larger search space in the subnet. In addition automated attacks, such as those performed by network worms, that pick random host addresses to propagate to, may be hampered. This document discusses this property of IPv6 and describes related issues for IPv6 site network administrators to consider, which may be of importance when planning site address allocation and management strategies. While traditional network scanning probes (whether by individuals or automated via network worms) may become less common, administrators should be aware of other methods attackers may use to discover IPv6 addresses on a target network, and also be aware of appropriate measures to mitigate them. I would rewrite this as: The 128 bits of IPv6 address space is considerably bigger than the 32 bits of address space of IPv4. In particular, the IPv6 subnets to which hosts attach will by default have 64 bits of host address space. This document discusses the implications or lack thereof for scanning attacks that attempt to discover open or running services on a host. There is little difference for attackers residing on the same network as victims. Some additional protection is provided when the attackers are elsewhere in the Internet, assuming the victim hosts are not easily found from DNS. However, there are other means to acquire address information; administrators should be aware of these methods, and also be aware of appropriate measures to mitigate them. The rest of the document: > 4. Alternatives for Attackers: On-link > 4.1. General on-link methods > If the attacker is on link, then traffic on the link, be it Neighbour Discovery or application based traffic, can invariably be observed, and target addresses learnt. In this document we are assuming the attacker is off link ... This seems contradictory. I would suggest not claiming such an assumption. I think it is valuable to document the implications for both on-link and off-link. (And the implications are at a high level imho that for on-link there isn't much of a change for on-link, and that there are some benefits in the off-link situation under certain assumptions.) > IPv6-enabled hosts on local subnets may be discovered through probing the "all hosts" link local multicast address. For clarification, it would be better to start with "In addition to making observations of traffic on the link, additional IPv6-enabled hosts on local subnets may be ..." Otherwise, the issue of merely listening on the link does not stand out as prominently as it should be. > 3.4. Log File Analysis > By using the IPv6 Privacy Extensions [3] hosts in a network may only be able to connect to external systems using their current (temporary) privacy address. This seems incorrect. The privacy extensions certainly leave the hosts in charge of how they want to connect. By no means is there any prevention of them using their stable address, too, if they want to. > It may be worth exploring whether firewalls can be adapted to allow the option to block traffic initiated to a known IPv6 Privacy Address from outside a network boundary. While some applications may genuinely require such capability, it may be useful to be able to differentiate in some circumstances. There is no way to know what addresses are "known privacy addresses". > dns filling > 5.5 Rolling server addresses The document contains recommendations that IMHO go way beyond the cost/benefit ratio that makes sense. I would suggest deleting these. > Due to the much larger size of IPv6 subnets in comparison to IPv4 it will become less feasible for network scanning methods to detect open services for subsequent attacks. I would say "less feasible .. assuming attackers are off-site and the victim hosts and services are not listed in DNS." > If administrators number their IPv6 subnets in 'random', non-predictable ways, attackers, whether they be in the form of automated network scanners or dynamic worm propagation, will need to use new methods to determine IPv6 host addresses to target. Of course, if those systems are dual-stack, and have open IPv4 services running, they will remain exposed to traditional probes over IPv4 transport. This does not seem to include IP address leakage from logs, etc. as discussed earlier in the document. |
2007-11-01 | 04 | Jari Arkko | [Ballot discuss] Overall, this document would be improved if it simply described the implications or lack thereof for scanning, as opposed to starting from the statement that scanning is much harder in IPv6, and going through rather extreme pain in making that statement true (e.g., filling DNS with 2^64 entries). Some suggested specific improvements: From the abstract: > The 128 bits of IPv6 address space is considerably bigger than the 32 bits of address space of IPv4. In particular, the IPv6 subnets to which hosts attach will by default have 64 bits of host address space. As a result, traditional methods of remote TCP or UDP network scanning to discover open or running services on a host will potentially become less feasible, due to the larger search space in the subnet. In addition automated attacks, such as those performed by network worms, that pick random host addresses to propagate to, may be hampered. This document discusses this property of IPv6 and describes related issues for IPv6 site network administrators to consider, which may be of importance when planning site address allocation and management strategies. While traditional network scanning probes (whether by individuals or automated via network worms) may become less common, administrators should be aware of other methods attackers may use to discover IPv6 addresses on a target network, and also be aware of appropriate measures to mitigate them. I would rewrite this as: The 128 bits of IPv6 address space is considerably bigger than the 32 bits of address space of IPv4. In particular, the IPv6 subnets to which hosts attach will by default have 64 bits of host address space. This document discusses the implications or lack thereof for scanning attacks that attempt to discover open or running services on a host. Administrators should be aware of other methods attackers may use to discover IPv6 addresses on a target network, and also be aware of appropriate measures to mitigate them. The rest of the document: > 4. Alternatives for Attackers: On-link > 4.1. General on-link methods > If the attacker is on link, then traffic on the link, be it Neighbour Discovery or application based traffic, can invariably be observed, and target addresses learnt. In this document we are assuming the attacker is off link ... This seems contradictory. I would suggest not claiming such an assumption. I think it is valuable to document the implications for both on-link and off-link. (And the implications are at a high level imho that for on-link there isn't much of a change for on-link, and that there are some benefits in the off-link situation under certain assumptions.) > IPv6-enabled hosts on local subnets may be discovered through probing the "all hosts" link local multicast address. For clarification, it would be better to start with "In addition to making observations of traffic on the link, additional IPv6-enabled hosts on local subnets may be ..." Otherwise, the issue of merely listening on the link does not stand out as prominently as it should be. > 3.4. Log File Analysis > By using the IPv6 Privacy Extensions [3] hosts in a network may only be able to connect to external systems using their current (temporary) privacy address. This seems incorrect. The privacy extensions certainly leave the hosts in charge of how they want to connect. By no means is there any prevention of them using their stable address, too, if they want to. > It may be worth exploring whether firewalls can be adapted to allow the option to block traffic initiated to a known IPv6 Privacy Address from outside a network boundary. While some applications may genuinely require such capability, it may be useful to be able to differentiate in some circumstances. There is no way to know what addresses are "known privacy addresses". > dns filling > 5.5 Rolling server addresses The document contains recommendations that IMHO go way beyond the cost/benefit ratio that makes sense. I would suggest deleting these. > Due to the much larger size of IPv6 subnets in comparison to IPv4 it will become less feasible for network scanning methods to detect open services for subsequent attacks. I would say "less feasible .. assuming attackers are off-site and the victim hosts and services are not listed in DNS." > If administrators number their IPv6 subnets in 'random', non-predictable ways, attackers, whether they be in the form of automated network scanners or dynamic worm propagation, will need to use new methods to determine IPv6 host addresses to target. Of course, if those systems are dual-stack, and have open IPv4 services running, they will remain exposed to traditional probes over IPv4 transport. This does not seem to include IP address leakage from logs, etc. as discussed earlier in the document. |
2007-11-01 | 04 | Jari Arkko | [Ballot discuss] > 4. Alternatives for Attackers: On-link > 4.1. General on-link methods > If the attacker is on link, then traffic on the link, be it Neighbour Discovery or application based traffic, can invariably be observed, and target addresses learnt. In this document we are assuming the attacker is off link ... This seems contradictory. I would suggest not claiming such an assumption. I think it is valuable to document the implications for both on-link and off-link. (And the implications are at a high level imho that for on-link there isn't much of a change for on-link, and that there are some benefits in the off-link situation under certain assumptions.) > IPv6-enabled hosts on local subnets may be discovered through probing the "all hosts" link local multicast address. For clarification, it would be better to start with "In addition to making observations of traffic on the link, additional IPv6-enabled hosts on local subnets may be ..." Otherwise, the issue of merely listening on the link does not stand out as prominently as it should be. > 3.4. Log File Analysis > By using the IPv6 Privacy Extensions [3] hosts in a network may only be able to connect to external systems using their current (temporary) privacy address. This seems incorrect. The privacy extensions certainly leave the hosts in charge of how they want to connect. By no means is there any prevention of them using their stable address, too, if they want to. > It may be worth exploring whether firewalls can be adapted to allow the option to block traffic initiated to a known IPv6 Privacy Address from outside a network boundary. While some applications may genuinely require such capability, it may be useful to be able to differentiate in some circumstances. There is no way to know what addresses are "known privacy addresses". |
2007-11-01 | 04 | Jari Arkko | [Ballot discuss] > 4. Alternatives for Attackers: On-link > 4.1. General on-link methods > If the attacker is on link, then traffic on the link, be it Neighbour Discovery or application based traffic, can invariably be observed, and target addresses learnt. In this document we are assuming the attacker is off link ... This seems contradictory. I would suggest not claiming such an assumption. I think it is valuable to document the implications for both on-link and off-link. (And the implications are at a high level imho that for on-link there isn't much of a change for on-link, and that there are some benefits in the off-link situation under certain assumptions.) |
2007-11-01 | 04 | Jari Arkko | [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko |
2007-11-01 | 04 | David Ward | [Ballot Position Update] New position, No Objection, has been recorded by David Ward |
2007-11-01 | 04 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund |
2007-11-01 | 04 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2007-11-01 | 04 | Chris Newman | [Ballot comment] I concur with Sam. |
2007-11-01 | 04 | Chris Newman | [Ballot Position Update] New position, Abstain, has been recorded by Chris Newman |
2007-10-31 | 04 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2007-10-31 | 04 | Tim Polk | [Ballot discuss] To be effective, address obfuscation must be performed in coordination with local security organization (since they probably employ tools that depend on scanning), the local DNS folks (since DNS walking and zone transfers can expose the same information), and an effective security policy for local hosts (since log files, etc. may provide the same information). That is, address obfuscation can add a layer of protection in a well-coordinated environment with decent security already. If deployed in a haphazard fashion or in an environment that is already insecure it is a waste of time. While some of this is said in the body of the document, I believe that it should be clearly stated in the security considerations. |
2007-10-31 | 04 | Tim Polk | [Ballot Position Update] New position, Discuss, has been recorded by Tim Polk |
2007-10-31 | 04 | Cullen Jennings | [Ballot comment] Section 3.2 I suspect I am not understanding this because I am thinking it might require a huge number of DNS entries. How many entries will this be in DNS? Is that amount alright? Section 5.5, para 2. I don't see how this would help - wouldn't spammer just use the DNS name? Section 2.5 I'm a little confused by what you mean by "on link" here when we are talking about switches. Do you just mean that the Administrator will have ways of knowing all the IP talking to the switches? Section 5.4 - note this is a comment not discuss. I am somewhat uncomfortable with an information document from a different WG putting strong specifications on how a DHCP server should work. |
2007-10-31 | 04 | Cullen Jennings | [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings |
2007-10-30 | 04 | Sam Hartman | [Ballot comment] I don't think the quality or value of this document justifies publication. |
2007-10-30 | 04 | Sam Hartman | [Ballot Position Update] New position, Abstain, has been recorded by Sam Hartman |
2007-10-29 | 04 | Russ Housley | [Ballot discuss] Based on Gen-ART Review by Brian Carpenter. Section 3.2 says: > It is also worth noting that the reverse DNS tree may also expose address information. In such cases, populating the reverse DNS tree for the entire subnet, even if not all addresses are actually used, may reduce that exposure. Do we really think that it is okay to publish up to 2^64 bogus PTR records for every subnet? |
2007-10-29 | 04 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded by Russ Housley |
2007-10-27 | 04 | Lars Eggert | [Ballot comment] Section 1., paragraph 6: > Finally, note that this document is currently intended to be informational; there is not yet sufficient deployment experience for it to be considered BCP. Suggest to rephrase "is currently intended to be" as "has been published as". Section 10., paragraph 2: > [2] Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998. Obsoleted by RFC 4862. Section 10., paragraph 3: > [3] Narten, T. and R. Draves, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", RFC 3041, January 2001. Obsoleted by RFC 4941. Section 10., paragraph 12: > [12] Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/Co-existence Security Considerations (draft-ietf-v6ops-security-overview-06)", October 2007. Published as RFC 4942. |
2007-10-27 | 04 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert |
2007-10-26 | 04 | Samuel Weiler | Request for Telechat review by SECDIR is assigned to Jeffrey Hutzelman |
2007-10-26 | 04 | Amanda Baber | IANA Evaluation comments: As described in the IANA Considerations section, we understand this document to have NO IANA Actions. |
2007-10-19 | 04 | Ron Bonica | [Ballot Position Update] New position, Yes, has been recorded for Ronald Bonica |
2007-10-19 | 04 | Ron Bonica | Ballot has been issued by Ron Bonica |
2007-10-19 | 04 | Ron Bonica | Created "Approve" ballot |
2007-10-19 | 04 | (System) | Ballot writeup text was added |
2007-10-19 | 04 | (System) | Last call text was added |
2007-10-19 | 04 | (System) | Ballot approval text was added |
2007-10-19 | 04 | Ron Bonica | Placed on agenda for telechat - 2007-11-01 by Ron Bonica |
2007-10-19 | 04 | Ron Bonica | State Changes to IESG Evaluation from Publication Requested by Ron Bonica |
2007-06-21 | 04 | Dinara Suleymanova | PROTO Write-up (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? I am the document shepherd, and I believe that this is ready for publication. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The Acknowledgments section notes a number of direct contributors: Thanks are due to people in the 6NET project (www.6net.org) for discussion of this topic, including Pekka Savola, Christian Strauf and Martin Dunmore, as well as other contributors from the IETF v6ops and other mailing lists, including Tony Finch, David Malone, Bernie Volz, Fred Baker, Andrew Sullivan, Tony Hain, Dave Thaler and Alex Petrescu. In addition, there was some discussion on the list and in the working group, mostly in review. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization, or XML? No, I don't think it needs to have further review. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. In truth, I think the biggest value of the document is in debunking some of the marketing concerning IPv6. The statement has been made for some time that IPv6 is inherently more secure than IPv4 because IPsec is an interior header rather than a sub-layer between IP and its transport, and that the larger address space makes network scanning an inefficient attack. In fact, the additional security of IPv6 is debatable - there are other ways to scan a network, such as sending a ping to the local broadcast address, and other ways to find the systems on a LAN without directly sending a message to any of them. The draft makes what I consider a fairly objective review of the tactics that attackers and defenders might use and gives practical advice intended to help operational staff ensure the security of their networks. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? As noted, there have been a number of reviewers and participants, mostly one-on-one with the author. Working group review has reflected a perception that the document is done and waiting for the IETF process to push it out. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) Not to my knowledge. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/.) Boilerplate checks are not enough; this check needs to be thorough. Yes, and it passes those checks. The result of the idnits tools is as follows: idnits 2.04.09 tmp/draft-ietf-v6ops-scanning-implications-03.txt: Checking boilerplate required by RFC 3978 and 3979, updated by RFC 4748: No issues found here. Checking nits according to http://www.ietf.org/ietf/1id-guidelines.txt: No issues found here. Checking nits according to http://www.ietf.org/ID-Checklist.html: No issues found here. Miscellaneous warnings: No issues found here. Checking references for intended status: Informational: No issues found here. No nits found. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. The references have been split, in the sense that they are all considered "informative". There are no "normative" references. (1.i) Has the Document Shepherd verified that the document's IANA Considerations section exists and is consistent with the body of the document? There are no IANA considerations for this document, and the IANA considerations section says that. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? There are no such sections. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: The 128 bits of IPv6 address space is considerably bigger than the 32 bits of address space of IPv4. In particular, the IPv6 subnets to which hosts attach will by default have 64 bits of host address space. As a result, traditional methods of remote TCP or UDP network scanning to discover open or running services on a host will potentially become less feasible, due to the larger search space in the subnet. In addition automated attacks, such as those performed by network worms, that pick random host addresses to propagate to, may be hampered. This document discusses this property of IPv6 and describes related issues for IPv6 site network administrators to consider, which may be of importance when planning site address allocation and management strategies. While traditional network scanning probes (whether by individuals or automated via network worms) may become less common, administrators should be aware of other methods attackers may use to discover IPv6 addresses on a target network, and also be aware of appropriate measures to mitigate them. Working Group Summary: The working group process was uneventful. Document Quality: The document addresses the widespread practice in IPv4 of scanning a network to detect the presence of hosts, how hosts might be detected in an IPv6 network, and how an administration might defend against those attacks. The working group generally believes that it will be helpful to an IPv6 network administration. Personnel: The Document Shepherd is Fred Baker. Ron Bonica is He Who Is Responsible. |
2007-06-21 | 04 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
2007-03-28 | 03 | (System) | New version available: draft-ietf-v6ops-scanning-implications-03.txt |
2007-03-08 | 02 | (System) | New version available: draft-ietf-v6ops-scanning-implications-02.txt |
2006-10-26 | 01 | (System) | New version available: draft-ietf-v6ops-scanning-implications-01.txt |
2006-06-21 | 00 | (System) | New version available: draft-ietf-v6ops-scanning-implications-00.txt |