Re: Questions regarding the security mechanisms//RE: CRH and RH0

John Scudder <jgs@juniper.net> Sat, 16 May 2020 19:18 UTC

From: John Scudder <jgs@juniper.net>
To: "Xiejingrong (Jingrong)" <xiejingrong@huawei.com>
CC: Tom Herbert <tom@herbertland.com>, Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, 6man <6man@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0
Date: Sat, 16 May 2020 19:18:27 +0000
Message-ID: <87E86EE4-7D6C-49A3-A965-317C3F95A346@juniper.net>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35thGuTgTmCFozU=3MULW8V95OwA5GdqQ7OGrA-agR7Hw@mail.gmail.com>, <891ccad03b484c7386ab527d89143f8c@huawei.com>
In-Reply-To: <891ccad03b484c7386ab527d89143f8c@huawei.com>

Hi Jingrong,

As far as I can tell, although 8754 S 5.1 is very nicely written, it boils down to “use border ACLs”. Specific to this:

On May 16, 2020, at 2:36 AM, Xiejingrong (Jingrong) <xiejingrong@huawei.com> wrote:
> 
> [XJR] Once an attack packet passes through the border router, there is no additional protection like the "complemented per-node protection" in RFC8754 section 5.1.

I think the “complemented per-node protection” in S 5.1 part 2 is not especially valuable, and may even be detrimental. The reasoning is as follows: if the border routers do correctly implement destination address filtering per part 1, attack traffic will already be stopped; there is no need for the source address filtering part 2 specifies. On the other hand, if the border routers do not correctly implement DA filtering, why on earth would we expect them to correctly implement SA filtering? If they don’t, then an attacker can craft their attack with forged SA to bypass SA filtering within the victim network. For this reason, I think the “complemented per-node protection” is of little value. It may be of negative value if it leads to a sense of complacency on the part of the victim.

Regards,

—John