IETF Logo Mail Archive

Re: [Int-area] Comment on draft-ietf-intarea-frag-fragile-02

Joe Touch <touch@strayalpha.com> Tue, 13 November 2018 03:01 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFE2C12872C for <int-area@ietfa.amsl.com>; Mon, 12 Nov 2018 19:01:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eaf6JBzTC_mf for <int-area@ietfa.amsl.com>; Mon, 12 Nov 2018 19:01:38 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F837124408 for <int-area@ietf.org>; Mon, 12 Nov 2018 19:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ekLAAKRMbyzd9jg+BZEmTH9/bCy4xmlKl/MBkp0HHQQ=; b=E8+9rur8EedXUOc+CMUcBy788 WHljSji6rwXwuLy3/Idwa9p2yUmycq/mZCznx3XZxIMFt76Be1fhwLwgkRDBAs+2LgP6xPq2t+E/0 7OcXiPqXaIsvH+9gKOamE5C+1jr2nMQfUB17YoileRsnUIQWO/ZYRnptmZkQ4xs51nh+IG+jgZS4+ dm6s2oOTanqq2Vxtw+V91onX6bshVPIDqi2n1w53i273zLYYs5kyJ9kzgxn15bGyonyMMKlDk6BC3 0NZCUXi7wMVZ/DX8+Ap7hv5WT/0Ne2Hunt4AdNjOgSnBJr1k/ffv8VBVUzUigh6ok3HMUL8RFDcHI 4cFsqUCug==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:62313 helo=[192.168.1.77]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gMOxN-003Bun-5X; Mon, 12 Nov 2018 22:01:38 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <CAFU7BAQROruKdAE-K+5MWSzkFDsSGiNUad+huy=Y-QgdeCyqfg@mail.gmail.com>
Date: Mon, 12 Nov 2018 19:01:35 -0800
Cc: int-area@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5A03237D-0297-4417-8F27-501AB424AAE0@strayalpha.com>
References: <CAFU7BARv90VcSaLsGOkxaSX+epix4Jz6ON2NShTO_fs=utKs0w@mail.gmail.com> <022EB775-2A35-43B9-9981-DEBAFF331370@strayalpha.com> <CAFU7BASZFCZFtHDtt=0x9pkJUpXb1V8fuo--H4bGktjEqmyZyw@mail.gmail.com> <C29D9C45-A6C2-438D-B738-A1455A581B92@strayalpha.com> <CAFU7BAQROruKdAE-K+5MWSzkFDsSGiNUad+huy=Y-QgdeCyqfg@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/4pJmMCHQF_HTtuRuBSXaR5QSd9o>
Subject: Re: [Int-area] Comment on draft-ietf-intarea-frag-fragile-02
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Nov 2018 03:01:41 -0000


> On Nov 12, 2018, at 6:31 PM, Jen Linkova <furry13@gmail.com> wrote:
> 
> On Tue, Nov 13, 2018 at 3:13 AM Joe Touch <touch@strayalpha.com> wrote:
>>>> Fragment forwarding is a MUST in our standards.
>>> 
>>> I believe you are talking about routers supporting forwarding
>>> fragmented packets, not about policy decisions. While the
>>> recommendations in the draft (not to filter ICMP PTB messages) are
>>> about policies.
>>> So just another policy-related recommendation makes sense, IMHO.
>> 
>> So first, what is the *policy* reason for doing this? The policy of “Rocket” (Guardians of the Galaxy movie)? “Because I really want to”?
> 
> Well, usually the security policies are based on "permit only things
> you need, drop everything else". Therefore in many cases fragments are
> dropped because it's not obvious why they should be permitted.

Operators are in no position to KNOW whether endpoints need fragments or not - unless they’re running these boxes on the edge of *their* enterprise.

The Postel Principle is “be liberal in what you accept, be conservative in what you do”. Security is based on blocking what you don’t trust - so what about fragments makes you not trust them?

If they come at a high rate, sure - throttle (but not drop all).
If they can’t be DPI-inspected, then it is the middle box that is in the wrong location to do its job; this isn’t the fault of the transmitter or its generation of fragments.

Security does not mean “drop what I don’t understand”; that’s just a recipe for over-ossifying the services you provide.

> My
> understanding is that teh main goal of BCP is document the problem,
> explain what would happen if fragments are dropped and provided
> recommendations to those who are looking for such recommendations.

Sure, but sometimes that recommendation means “don’t deploy the middlebox there” or “you need to do virtual reassembly”. Anything that includes “and you can drop all fragments” is incorrect advice because it does not benefit the endpoints — it interferes with them.

> That's why I suggested to add one more explicit recommendation on that topic.
> 
>> However, let’s just look at fragments - who are you trying to protect by blocking them?
>>        - endpoints can already drop whatever they can’t reassemble
>>        - an endpoint that lets fragments interfere with complete packets isn’t implementing reassembly correctly
> 
> (Just to clarify: you don't need to convince *me* that dropping
> fragments is not necessary a good idea)
> 
>> Let’s please not dance around the issue - the only policy at play here is “vendors want to make money lying about what they sell”.
> 
> My experience is different. It has nothing to do with vendors most of
> the time. It's mostly about engineers who has no idea why they should
> explicitly permit fragments, so those poor packets hit the default
> deny rule.

That may occasionally be true, but turning off features either means the vendor sets them as defaults (which they do) or operators figure out what to turn off. I doubt the latter is the more frequent case.

> That's why the BCP makes perfect sense. If fragments are
> dropped because vendors are lying about what they sell (not sure I
> understand what do you mean, actually) then no BCP would change it..
> 
>>> If we already have a document which is saying 'operators MUST NOT
>>> filter any fragmented packets' then
>>> it would be nice to reference it in the draft.
>> 
>> We don’t have a document saying they MAY.
> 
> Er...I somehow suspect most operators apply "Everything which is not
> forbidden is allowed" principle, not the converse one ;)

It would take forever to decide what to turn on to make anything work if that were the case.

> Again, when an engineer builds a set of filtering rules, they would
> look for reason to allow some traffic ('if I do not allow those
> packets a service I need would break") and the BCP provides such a
> guidance.
> 
>>>> *Additionally*, it’s bad practice to indicate “SHOULD” unless the text also explains why it isn’t a MUST, i.e., under what conditions it is OK to not forward fragments.
>>> 
>>> Sorry, I'm a bit confused. Which standard would need to be updated if
>>> the proposed recommendation is made?
>> 
>> If you’re going to systematically drop fragments:
> 
> Now I'm totally confused. Nobody suggests to drop fragments. Quite the opposite.

NAT boxes do. DPI devices do. And even load balancers that could have simple default rules do. This document needs to speak to them too.

Joe

v2.23.0 | Report a Bug | By Email