CRH Draft Update - Security Considerations Section

Ron Bonica <rbonica@juniper.net> Tue, 26 May 2020 22:23 UTC

From: Ron Bonica <rbonica@juniper.net>
To: 6man <6man@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Subject: CRH Draft Update - Security Considerations Section
Thread-Topic: CRH Draft Update - Security Considerations Section
Thread-Index: AdYzpDm5mk94cwa6SjqC/Hej0heh0g==
Date: Tue, 26 May 2020 22:23:20 +0000
Message-ID: <DM6PR05MB63488B772FA7D035EC028C5CAEB00@DM6PR05MB6348.namprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/NA086IJYhbPwqgUDNTBgUXoe2iU>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Folks,

During the call for adoption, Eric Vyncke and others suggested that the Security Considerations Section should be reworked. Does the following text work for everyone?

                                          Ron

Security Considerations
--------------------------------

The CRH can be used as an attack vector. Therefore, it is necessary to filter packets:

- At the CRH domain ingress.
- At the node where the CRH is processed.

At the CRH domain ingress, it is necessary to filter packets that satisfy the following criterion:

- The IPv6 Source Address represents an interface inside of the domain. (This source address is likely to be spoofed.)

It also is necessary to filter packets that satisfy all of the following criteria:

- The IPv6 Destination Address represents an interface inside of the CRH domain.
- The packet contains a Routing header.
- The Routing header is a CRH.
- The Segments Left field has a value greater than 0.

A network operator can implement an Access Control List (ACL) that filters:

- The above-mentioned packets only
- The above-mentioned packets as well as others

For example, the ACL can filter all packets that satisfy the following criterion:

- The IPv6 Destination Address represents an interface inside of the CRH domain.

At each node where the CRH is processed, it is necessary to filter packets that satisfy the following criterion:

- The IPv6 Source Address represents an interface outside of the CRH domain.

ACLs are easily supported for small numbers of seldom changing prefixes, making summarization important.
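As an added illustration (not part of the mail or of the CRH draft), the two ACLs described above, the ingress filter and the CRH-processing-node filter, modelled in Python; it also carries the broader "everything addressed into the domain" variant as a `strict` flag. The domain prefix and sample packets are constructed, and the Routing Type values 5 (CRH-16) and 6 (CRH-32) are assumed.

```python
import ipaddress

# Constructed assumptions: the CRH domain spans this prefix, and the
# IANA Routing Type values for CRH-16 (5) and CRH-32 (6) are assumed.
CRH_DOMAIN = [ipaddress.ip_network("2001:db8:100::/48")]
CRH_ROUTING_TYPES = {5, 6}

def in_domain(addr):
    """True if addr falls inside one of the CRH domain prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in p for p in CRH_DOMAIN)

def ingress_drop_reason(pkt, strict=False):
    """ACL at the CRH domain ingress. pkt is a dict with keys src, dst,
    routing_type (None when there is no Routing header) and segments_left.
    Returns a reason string when the packet must be dropped, else None."""
    if in_domain(pkt["src"]):
        return "source inside domain at ingress (likely spoofed)"
    if in_domain(pkt["dst"]):
        if strict:
            # Broader ACL: drop everything addressed into the domain.
            return "destination inside domain (strict ACL)"
        rt = pkt.get("routing_type")
        # Routing header present, it is a CRH, and Segments Left > 0.
        if rt in CRH_ROUTING_TYPES and pkt.get("segments_left", 0) > 0:
            return "CRH with Segments Left > 0 addressed into domain"
    return None

def processing_node_drop_reason(pkt):
    """ACL at a node that processes the CRH: only in-domain sources pass."""
    if not in_domain(pkt["src"]):
        return "source outside domain at CRH processing node"
    return None

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    {"src": "2001:db8:100::1", "dst": "2001:db8:100::2", "routing_type": None, "segments_left": 0},
    {"src": "2001:db8:200::1", "dst": "2001:db8:100::2", "routing_type": 5, "segments_left": 2},
    {"src": "2001:db8:200::1", "dst": "2001:db8:100::2", "routing_type": 5, "segments_left": 0},
    {"src": "2001:db8:200::1", "dst": "2001:db8:300::9", "routing_type": 6, "segments_left": 3},
]

def apply_ingress_acl(packets, strict=False):
    """Drop reason per packet (None means the packet is forwarded)."""
    return [ingress_drop_reason(p, strict) for p in packets]

if __name__ == "__main__":
    for p, r in zip(SAMPLE_PACKETS, apply_ingress_acl(SAMPLE_PACKETS)):
        print(p["src"], "->", p["dst"], ":", r or "forward")
```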