Hello to the list and RA guard evasion technique

Martin Millnert martin at millnert.se
Mon May 30 02:17:46 CEST 2011


Hi Mark,

the argument of this email is that I disagree that user termination or
even quarantine is, in practice, what happens. 
  In other words, a L3 network design is more important to preventing L2
insecurity, than L2 ~accidental-security plus undefined detection of
attacks and subsequent user termination/quarantine, which generally
doesn't happen in the real world.

On Mon, 2011-05-30 at 07:49 +0930, Mark Smith wrote:
> > Well, is it in an ISPs or company's interest to lose a subscriber or
> > employee based on the above? The person's computer may have been
> > compromised, etc.
> > 
> 
> Yes, in the interests of the greater good. It is quite reasonable to
> quarantine the subscriber or employee if the damage they can cause is
> greater than the value they add (revenue in the case of the subscriber,
> work the employee continues to perform while compromised).

"Greater good" = warning bells to me. If you mean maximizing profit,
then I'm with you.

Ben wrote about termination which for me means cancellation of contract
or firing of the employee, not quarantine.

Terminating (as per above) based solely on their *potential* to cause
damage is simply not done today. You must factor the potential for
damage with the probability of it happening/you caring, and then the
cost of the damage.

And I still doubt either an ISP or a company would be very successful if
they terminated customers or employees based on what can be viruses or
owned machines, since they exist with probability 1.

Now, for quarantine, it usually means some kind of investigation has to
follow in order to reinstate the user.  This is what we did it at the
dormitory network I worked with previously: 
 if (bad things from user), then 
  quarantine(user), 
  notify(user), 
  waitforpositivereplyfrom(user),
  reinstate(user).

AFAIK this is usually too much of a hassle (expense) for large networks
riddled with accountants, who generally simply don't care at all if
their customers have various viruses or are otherwise doing bad things,
unless police is involved.
  Case in point:  A jailbroken iPhone is ~immediately worm-infested
(unless the default passwords are changed).  How many mobile carriers
quarantine their users data connections due to them having a cell phone
which is owned?  I have not heard of any. And it is more common than
generally known.[1]

> I think the technology to manage them i.e. 802.1x has become more
> widely available in the last 5 or so years, generally because of
> upgrade cycles. Enabling it may not be much of an effort. 

Where 802.1x deployment is decided against, I think it is indeed because
the hassle outweighs the perceived benefits.  AFAIR 802.1x still
requires a non-trivial amount of managed infrastructure support on hosts
and network, which may exist in larger companies but less so in smaller
ones. It also places higher requirements on the capabilities of the
IT/network staff.

> So perhaps that means that people aren't really concerned about 
> these threats.

I agree, which is also why SEND et al are not having much of a success,
so far, I believe.

> > For enterprise networks, another approach is to not rely on L2 or L3
> > security, but end-to-end via TLS/SSH etc between servers and user
> > systems. An approach which seems increasingly reasonable to me.
> > 
> 
> I agree, although if the network layer is down the upper layers don't
> work ;-)

I thought we were discussing preventing ettercap-like attacks, not
simply DoS, but I guess 'simple' DoS shouldn't be disregarded since it
may have a tremendous economic impact on the victim. 

The facts remain: 
  - 802.1x, SEND both have a non-zero operational cost (certificate
management, especially), 
  - SEND practically does not exist today,
  - L2 accident-proofing is plausible on mid-level devices,
  - L2 attack-proofing today requires devices with capabilities I
suspect in practice makes them identical to the following:
  - switch chipset capable of access-routing are increasingly cheap,
  - IPv6 space is large enough that you can easily afford subnetting
each user into its own broadcast domain without any additional hacks
required (ie, L3 address scarcity does not impose rules on L2 design),
  - with a unique IPv6 subnet per user/port, identification by IP
becomes a piece of cake regardless of how the interface part of the
address is formed.

A configure-once L3 model with easily lookup-able addresses ought to be
substantially cheaper to operate than a highly managed L2 networks.

Cheers,
Martin

[1] Saw ~1 owned iPhone per month due to it being connected to the
dormitory network and cellular network simultaneously, having a cellular
data IPv4 subnet, preferring to send data over WiFi and the worm
SSH-scanning its cellular IPv4 subnet, on a population of merely 2000
users. 



More information about the ipv6-ops mailing list