[LACNIC/Seguridad] [LAC-TF] Fwd: Re: macos Sierra with CGA address?

Fernando Gont fgont en si6networks.com
Tue Dec 20 04:02:44 BRST 2016


Hi, Jaime,

Many thanks!

Everything seems to indicate that they implemented RFC7217 based on some
code they had for SEND -- but without enabling SEND. Hence the
interfaces being marked as "secured".

Some other guys sniffed traffic and commented that no SEND options are
used in the ND traffic.

This weekend I'll be sent the results of the same tests with Windows,
since it seems they are implementing RFC7217, too.

Regards, and thanks!
Fernando




On 12/19/2016 01:47 PM, Jaime Olmos wrote:
> Attached are tests for items 1 and 2:
> 
> 1) As you disconnect and subsequently reconnect to the same network, the
>     IPv6 address is formed with the same IID?
> 
> v6:~ olmos$ ifconfig en4
> en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
> 	ether ac:87:a3:11:5e:af 
> 	inet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 
> 	inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured 
> 	inet6 2001:1210:100:15:597d:40f6:38eb:7477 prefixlen 64 autoconf temporary 
> 	nd6 options=201<PERFORMNUD,DAD>
> 	media: autoselect (1000baseT <full-duplex,flow-control>)
> 	status: active
> v6:~ olmos$ ifconfig en4
> en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
> 	ether ac:87:a3:11:5e:af 
> 	inet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 
> 	inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured 
> 	inet6 2001:1210:100:15:adec:7e65:11a3:4605 prefixlen 64 autoconf temporary 
> 	nd6 options=201<PERFORMNUD,DAD>
> 	media: autoselect (1000baseT <full-duplex,flow-control>)
> 	status: active
>     
> 
>     2) When multiple IPv6 prefixes are advertised on the same network, each
>     resulting address (for each different prefix) employs a different IID?
> 
> v6:~ olmos$ ifconfig en4
> en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> 	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
> 	ether ac:87:a3:11:5e:af 
> 	inet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 
> 	inet 148.202.15.40 netmask 0xffffff00 broadcast 148.202.15.255
> 	inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured 
> 	inet6 2001:1210:100:15:adec:7e65:11a3:4605 prefixlen 64 autoconf temporary 
> 	inet6 2001:1210:100:15a:ec:df2c:f737:ee0c prefixlen 64 autoconf secured 
> 	inet6 2001:1210:100:15a:f1e6:720d:89d3:9da prefixlen 64 autoconf temporary 
> 	nd6 options=201<PERFORMNUD,DAD>
> 	media: autoselect (1000baseT <full-duplex,flow-control>)
> 	status: active    
> 
>     3) If multiple interfaces (NICs) are connected to the same subnet, each
>     obtains a different address, plus "1)" and "2)" above are true?
> 
> 
>  
> Regards,
> Mtro. Jaime Olmos
> Head of the Network Operations Center – NOC-UDG
> Coordinación General de Tecnologías de Información - CGTI
> Universidad de Guadalajara
> Av. Juárez No. 976, Edificio de la Rectoría General, Planta Baja.
> (33)31342221  extension 12327
> http://www.ipv6.udg.mx
> 
> On 12/14/16, 5:30 PM, "Seguridad on behalf of Fernando Gont" <seguridad-bounces en lacnic.net on behalf of fgont en si6networks.com> wrote:
> 
>     Dear all,
>     
>     Can anyone with MacOS Sierra verify that:
>     
>     Can anyone verify that:
>     
>     1) As you disconnect and subsequently reconnect to the same network, the
>     IPv6 address is formed with the same IID?
>     
>     2) When multiple IPv6 prefixes are advertised on the same network, each
>     resulting address (for each different prefix) employs a different IID?
>     
>     3) If multiple interfaces (NICs) are connected to the same subnet, each
>     obtains a different address, plus "1)" and "2)" above are true?
>     
>     
>     
>     P.S.: It seems the folks from the little apple enabled send as a
>     heavyweight implementation of RFC7217... :-(
>     
>     Regards, and thanks!
>     Fernando
>     
>     
>     
>     
>     -------- Forwarded Message --------
>     To: Tim Chown <Tim.Chown en jisc.ac.uk>, Jeroen Massar <jeroen en massar.ch>
>     References: <f46f5f7b-70ba-35b6-06b6-b75f03dee460 en hznet.de>
>     <e9ecb763-2e58-258b-6e3b-4e66b1bda629 en massar.ch>
>     <2BAEFBF2-A68E-48E5-9D44-79EB64F2ACCA en jisc.ac.uk>
>     Cc: ipv6-ops en lists.cluenet.de <ipv6-ops en lists.cluenet.de>
>     From: Fernando Gont <fernando en gont.com.ar>
>     Message-ID: <12b61a26-4097-68b6-4e0c-55a626ddde8b en gont.com.ar>
>     Date: Wed, 14 Dec 2016 19:42:07 -0300
>     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
>     Thunderbird/45.5.1
>     MIME-Version: 1.0
>     In-Reply-To: <2BAEFBF2-A68E-48E5-9D44-79EB64F2ACCA en jisc.ac.uk>
>     Content-Type: text/plain; charset=utf-8
>     Content-Transfer-Encoding: 8bit
>     
>     On 12/14/2016 08:31 AM, Tim Chown wrote:
>     > Hi,
>     > 
>     >> On 14 Dec 2016, at 11:08, Jeroen Massar <jeroen en massar.ch> wrote:
>     >>
>     >> On 2016-12-14 11:55, Holger Zuleger wrote:
>     >>> Hi,
>     >>>
>     >>> I just realized that the permanent interface identifier of my MAC has
>     >>> changed after upgrading to OS 10.12 (I guess).
>     >>>
>     >>> The output of ifconfig shows a new "secured" flag at the permanent address.
>     >>> $ ifconfig en0 | grep inet6 | \
>     >>>>      sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
>     >>> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
>     >>> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
>     >>> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
>     >>>
>     >>> I found two or three posts in the internet, all mentioning (or hoping)
>     >>> that this is related to a change to RFC7217 as default IID mechanism.
>     >>>
>     >>> But one guy said, that the source code (of 10.11) shows, that this is a
>     >>> cryptographic generated interface identifier for SeND (RFC3971).
>     >>>
>     >>> I tend to believe that the latter is true.
>     >>
>     >> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
>     >> neither. And in the case of "Happy Eyeballs" there is no way to turn it
>     >> off either. Filing radar bugs clearly does not help as they never get
>     >> addressed or marked as 'dupe' at which point you do not know the status
>     >> of the 'original' problem and well, nothing happens...
>     > 
>     > Interesting - I’d also assumed the new form of address was RFC 7217 support. I don’t think any other common OS implements SeND, does it?
>     
>     Can anyone verify that:
>     
>     1) As you disconnect and subsequently reconnect to the same network, the
>     address is formed with the same IID?
>     
>     2) When multiple prefixes are advertised on the same network, each
>     resulting address (for each different prefix) employs a different IID?
>     
>     3) If multiple interfaces (NICs) are connected to the same subnet, each
>     obtains a different address, plus "1)" and "2)" above are true?
>     
>     Thanks!
>     
>     Cheers,
>     -- 
>     Fernando Gont
>     e-mail: fernando en gont.com.ar || fgont en si6networks.com
>     PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>     


-- 
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
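
Added example, not part of the original thread: a small Python check that answers questions 1) and 2) from `ifconfig` captures by comparing the (prefix, IID) pairs of the addresses flagged `secured`. The inet6 lines are copied from the en4 output quoted above; the function names are hypothetical and the IID is taken as the low 64 bits, which assumes /64 prefixes.

```python
import ipaddress
import re

# inet6 lines copied from the en4 captures quoted in the thread.
LL = "\tinet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 \n"
P15 = "\tinet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured \n"
BEFORE = LL + P15 + (
    "\tinet6 2001:1210:100:15:597d:40f6:38eb:7477 prefixlen 64 autoconf temporary \n")
AFTER = LL + P15 + (
    "\tinet6 2001:1210:100:15:adec:7e65:11a3:4605 prefixlen 64 autoconf temporary \n")
TWO_PREFIXES = AFTER + (
    "\tinet6 2001:1210:100:15a:ec:df2c:f737:ee0c prefixlen 64 autoconf secured \n"
    "\tinet6 2001:1210:100:15a:f1e6:720d:89d3:9da prefixlen 64 autoconf temporary \n")

INET6 = re.compile(
    r"^\s*inet6\s+([0-9a-fA-F:]+)(?:%\S+)?\s+prefixlen\s+(\d+)(.*)$", re.M)

def parse(text):
    """Map 'secured'/'temporary' to a set of (prefix, IID) pairs."""
    found = {"secured": set(), "temporary": set()}
    for addr, plen, flags in INET6.findall(text):
        prefix = ipaddress.IPv6Interface(f"{addr}/{plen}").network
        iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)  # low 64 bits
        for kind in found:
            if kind in flags.split():
                found[kind].add((prefix, f"{iid:016x}"))
    return found

def stable_across_reconnect(before, after):
    """Question 1: same stable (prefix, IID) pairs after reconnecting."""
    return parse(before)["secured"] == parse(after)["secured"]

def temporary_changed(before, after):
    """Temporary addresses are expected to differ between captures."""
    return parse(before)["temporary"] != parse(after)["temporary"]

def distinct_iid_per_prefix(capture):
    """Question 2: every prefix carries a different stable IID."""
    pairs = parse(capture)["secured"]
    iids = [iid for _, iid in pairs]
    return len(pairs) > 1 and len(set(iids)) == len(iids)

if __name__ == "__main__":
    print("1) stable IID across reconnect:", stable_across_reconnect(BEFORE, AFTER))
    print("   temporary address changed:  ", temporary_changed(BEFORE, AFTER))
    print("2) different IID per prefix:   ", distinct_iid_per_prefix(TWO_PREFIXES))
```

Passing both checks is consistent with RFC 7217 behaviour but does not prove it; question 3) needs a capture from a second interface on the same subnet.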






