Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Ronald Bonica <rbonica@juniper.net> Fri, 15 May 2015 01:49 UTC

From: Ronald Bonica <rbonica@juniper.net>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Templin, Fred L" <Fred.L.Templin@boeing.com>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
Date: Fri, 15 May 2015 01:49:07 +0000
Message-ID: <BLUPR05MB19854B35DFE0D3774756E6B7AEC70@BLUPR05MB1985.namprd05.prod.outlook.com>
References: <20150514021405.29892.21704.idtracker@ietfa.amsl.com> <CY1PR05MB1994819D2EC000754D69ACFDAED80@CY1PR05MB1994.namprd05.prod.outlook.com> <E87B771635882B4BA20096B589152EF628C0CC2C@eusaamb107.ericsson.se> <CAHbuEH5NEopFBPeATmhhLJ=iLom+2DvtTZUUobax2r3KbW=JcQ@mail.gmail.com> <BLUPR05MB19859D4F490C1744BC9B50F7AED80@BLUPR05MB1985.namprd05.prod.outlook.com> <BLUPR05MB19854E65D511F14253556DF3AED80@BLUPR05MB1985.namprd05.prod.outlook.com> <2134F8430051B64F815C691A62D9831832E621B4@XCH-BLV-504.nw.nos.boeing.com> <32221A4D-CD1B-4678-94BE-F49C0499F483@gmail.com>
In-Reply-To: <32221A4D-CD1B-4678-94BE-F49C0499F483@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/yKqDt_NDjFcChpCq8Erw34-raTc>
Cc: "draft-ietf-intarea-gre-mtu@ietf.org" <draft-ietf-intarea-gre-mtu@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "draft-ietf-intarea-gre-mtu.ad@ietf.org" <draft-ietf-intarea-gre-mtu.ad@ietf.org>, "draft-ietf-intarea-gre-mtu.shepherd@ietf.org" <draft-ietf-intarea-gre-mtu.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Subject: Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>

Hi Kathleen,

Thanks, I will post an updated version of the draft.

Regarding Fred's question, an attacker can send ICMP PTB to the GRE ingress node. When this happens, the GRE ingress node's estimation of the PMTU and GMTU becomes inaccurate. That is why the draft says:

"PMTU Discovery is vulnerable to two denial of service attacks (see Section 8 of [RFC1191] for details). Both attacks are based upon a malicious party sending forged ICMPv4 Destination Unreachable or ICMPv6 Packet Too Big messages to a host. In the first attack, the forged message indicates an inordinately small PMTU. In the second attack, the forged message indicates an inordinately large MTU. In both cases, throughput is adversely affected. In order to mitigate such attacks, GRE implementations include a configuration option to disable PMTU discovery on GRE tunnels. Also, they can include a configuration option that conditions the behavior of PMTUD to establish a minimum PMTU."

                                                                               Ron
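The attack Ron describes and the two mitigations the draft text names, worked through in a small model of a GRE ingress node's PMTU estimator. This is an added example written for this page; it is not code from the draft, from Juniper, or from any GRE implementation. The endpoint addresses, the GRE key value, and the forged PTB sizes are constructed inputs; header sizes follow RFC 791 (20-byte IPv4 delivery header) and RFC 2784/2890 (4-byte GRE header, plus 4 bytes when a Key is present), and the PMTU rules follow RFC 1191 (initial estimate is the first-hop MTU; a PTB may only lower the estimate). The quoted-header plausibility check is an added sanity check of the kind real stacks perform; as the usage note explains, it does not answer Fred's insider question, which is exactly why the draft falls back on operator configuration.

```python
"""Model of a GRE ingress node's PMTU/GMTU estimate under forged ICMP PTB.

Constructed example for draft-ietf-intarea-gre-mtu's security text, not
implementation code. Three configurations are compared: naive PMTUD,
PMTUD with an operator-configured minimum PMTU, and PMTUD disabled.
"""
from dataclasses import dataclass, field
from typing import Optional

IPV4_HDR = 20           # RFC 791 delivery header, no options
GRE_HDR = 4             # RFC 2784 base GRE header
GRE_KEY_FIELD = 4       # RFC 2890 Key extension, if configured
IPV4_MIN_LINK_MTU = 68  # RFC 791 minimum; an IPv6 delivery would floor at 1280


@dataclass
class PtbMessage:
    """The parts of an ICMPv4 Fragmentation Needed / ICMPv6 Packet Too Big
    that the ingress looks at: the advertised next-hop MTU and the header
    of the delivery packet the message claims to quote."""
    next_hop_mtu: int
    quoted_src: str
    quoted_dst: str
    quoted_gre_key: Optional[int]


@dataclass
class GreIngress:
    src: str
    dst: str
    link_mtu: int = 1500
    gre_key: Optional[int] = None
    pmtud_enabled: bool = True        # draft: option to disable PMTUD on the tunnel
    min_pmtu: int = IPV4_MIN_LINK_MTU  # draft: option to establish a minimum PMTU
    pmtu: int = field(init=False)

    def __post_init__(self) -> None:
        self.pmtu = self.link_mtu     # RFC 1191: start from the first-hop MTU

    @property
    def gmtu(self) -> int:
        """GRE MTU: largest payload the tunnel can carry without fragmenting
        the delivery packet (PMTU minus delivery and GRE header overhead)."""
        overhead = IPV4_HDR + GRE_HDR + (GRE_KEY_FIELD if self.gre_key is not None else 0)
        return self.pmtu - overhead

    def _plausible(self, ptb: PtbMessage) -> bool:
        # Drop PTBs whose quoted header cannot be one of our own delivery packets.
        # This defeats blind off-path forgery only; an insider who knows the
        # tunnel endpoints (and key) passes this check.
        return (ptb.quoted_src == self.src and ptb.quoted_dst == self.dst
                and ptb.quoted_gre_key == self.gre_key)

    def on_ptb(self, ptb: PtbMessage) -> bool:
        """Process one PTB; return True if the PMTU estimate changed."""
        if not self.pmtud_enabled or not self._plausible(ptb):
            return False
        if ptb.next_hop_mtu >= self.pmtu:
            return False  # RFC 1191: a PTB never raises the estimate ("large MTU" attack)
        new_pmtu = max(ptb.next_hop_mtu, self.min_pmtu)  # clamp ("small PMTU" attack)
        if new_pmtu == self.pmtu:
            return False
        self.pmtu = new_pmtu
        return True


def attack_sequence(ingress: GreIngress) -> list:
    """Feed three constructed PTBs and record the PMTU after each."""
    wrong_tunnel = PtbMessage(296, "203.0.113.9", ingress.dst, ingress.gre_key)  # blind forgery
    forged_large = PtbMessage(9000, ingress.src, ingress.dst, ingress.gre_key)  # "inordinately large"
    forged_small = PtbMessage(296, ingress.src, ingress.dst, ingress.gre_key)   # "inordinately small"
    trace = []
    for msg in (wrong_tunnel, forged_large, forged_small):
        ingress.on_ptb(msg)
        trace.append(ingress.pmtu)
    return trace


def run_scenarios() -> dict:
    """Return {config: (pmtu trace, final GMTU)} for the three configurations."""
    configs = {
        "naive": {},
        "min_pmtu_1280": {"min_pmtu": 1280, "gre_key": 0x1234},
        "pmtud_off": {"pmtud_enabled": False},
    }
    results = {}
    for name, cfg in configs.items():
        ing = GreIngress("192.0.2.1", "198.51.100.1", **cfg)
        results[name] = (attack_sequence(ing), ing.gmtu)
    return results


if __name__ == "__main__":
    for name, (trace, gmtu) in run_scenarios().items():
        print(f"{name:14s} pmtu after each PTB = {trace}  final GMTU = {gmtu}")
```

In the naive configuration the single forged "small" PTB from a party that can quote the tunnel endpoints drives the PMTU to 296 and the GMTU to 272 bytes, which is the throughput collapse the draft describes; the forged "large" PTB is harmless because the estimate is never raised. With a configured minimum PMTU the same forgery can only push the estimate down to the floor (1280 here, GMTU 1252 with a keyed tunnel), and with PMTUD disabled the estimate never moves, at the cost of having to fragment the delivery packet or rely on payload fragmentation for anything larger than the GMTU. The quoted-header check only stops blind off-path forgery; Fred's insider, who knows the endpoints, is stopped only by the operator-configured floor or by disabling PMTUD.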


From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
Sent: Thursday, May 14, 2015 9:11 PM
To: Templin, Fred L
Cc: Ronald Bonica; Suresh Krishnan; draft-ietf-intarea-gre-mtu@ietf.org; int-area@ietf.org; draft-ietf-intarea-gre-mtu.ad@ietf.org; draft-ietf-intarea-gre-mtu.shepherd@ietf.org; The IESG; intarea-chairs@ietf.org
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Hi Ron,

I like the updated text, thank you!

I'm interested to hear the answer to Fred's question too.

Thanks,
Kathleen

Sent from my iPhone

On May 14, 2015, at 4:13 PM, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
Hi Ron,

Isn’t it true that a DoS attack based on forged PTB messages can be mounted even
if the subject and attacker are both located within the same administrative domain,
i.e., an “insider attack”?

Thanks – Fred
fred.l.templin@boeing.com

From: Int-area [mailto:int-area-bounces@ietf.org] On Behalf Of Ronald Bonica
Sent: Thursday, May 14, 2015 12:44 PM
To: Kathleen Moriarty; Suresh Krishnan
Cc: draft-ietf-intarea-gre-mtu@ietf.org; int-area@ietf.org; draft-ietf-intarea-gre-mtu.ad@ietf.org; draft-ietf-intarea-gre-mtu.shepherd@ietf.org; The IESG; intarea-chairs@ietf.org
Subject: Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Kathleen,

The following is an updated Security Considerations Section. Does this work?

                                                                                Ron

Security Considerations
In the GRE fragmentation solution described above, either the GRE payload or the GRE delivery packet can be fragmented.  If the GRE payload is fragmented, it is typically reassembled at its ultimate destination.  If the GRE delivery packet is fragmented, it is typically reassembled at the GRE egress node.

The packet reassembly process is resource intensive and vulnerable to several denial of service attacks.  In the simplest attack, the attacker sends fragmented packets more quickly than the victim can reassemble them.  In a variation on that attack, the first fragment of each packet is missing, so that no packet can ever be reassembled.


Given that the packet reassembly process is resource intensive and vulnerable to denial of service attacks, operators should decide where the reassembly process is best performed.  Having made that decision, they should decide whether to fragment the GRE payload or the GRE delivery packet, accordingly.


Some IP implementations are vulnerable to the Overlapping Fragment Attack [RFC 1858]. This vulnerability is not specific to GRE and needs to be considered in all environments where IP fragmentation is present. [RFC 3128] describes a procedure by which IPv4 implementations can partially mitigate the vulnerability. [RFC 5722] mandates a procedure by which IPv6-compliant implementations are required to mitigate the vulnerability. The procedure described in RFC 5722 completely mitigates the vulnerability. Operators SHOULD ensure that the vulnerability is mitigated to their satisfaction on equipment that they deploy.

PMTU Discovery is vulnerable to two denial of service attacks (see Section 8 of [RFC1191] <https://tools.ietf.org/html/rfc1191#section-8> for details).  Both attacks are based upon a malicious party sending forged ICMPv4 Destination Unreachable or ICMPv6 Packet Too Big messages to a host.  In the first attack, the forged message indicates an inordinately small PMTU.  In the second attack, the forged message indicates an inordinately large MTU.  In both cases, throughput is adversely affected.  In order to mitigate such attacks, GRE implementations include a configuration option to disable PMTU discovery on GRE tunnels.  Also, they can include a configuration option that conditions the behavior of PMTUD to establish a minimum PMTU.

<NEW