Re: WG Last Call: draft-ietf-v6ops-unmaneval-01.txt

[Fred Templin <ftemplin@iprg.nokia.com>]

Hi Ralph,

Ralph Droms wrote:

> What are the security implications of ND proxy? 


I believe that the implications are somewhat different if native
IPv6 is used vs. IPv6 tunneled over IPv4. In the case of native IPv6,
([NDPROXY], section 4.1.4) seems to provide opportunity for, e.g.,
simple man-in-the-middle redirection attacks, since the model requires
that the NDproxy be able to change the addresses that appear in the
TLLA options of proxied IPv6 redirect messages.

When IPv6 is tunneled over IPv4, the NDProxy effectively becomes
an ARP Proxy, and the TLLA options in the encapsulated IPv6 redirect
messages are unchanged. (Or, if they are changed, the receiver should
be able to detect this if the sender is using some form of authentication
for the IPv6 ND messages it sends.)

Based on the security and path MTU issues, it seems that:

 - native IPv6 should be used between IPv6 neighbors on the same
   segment, or neighbors that are separated by simple L2 bridges
   that connect segments of like media
 - IPv6 tunneled over IPv4 should be used between IPv6 neighbors
   when an NDProxy occurs along the path

In other words, the NDProxy can be greatly simplified (and issues
such as  security; path MTU black holes can be avoided) if only IPv4
ND messages (and not IPv6) are proxied. This would reduce the
functionality of the NDProxy to that of the existing ARP proxy
model, which I believe others have mentioned as widely deployed
in operational scenarios.

Fred
ftemplin@iprg.nokia.com