Re: IPv6 header insertion in a controlled domain
Gyan Mishra <hayabusagsm@gmail.com> Sun, 08 December 2019 23:50 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FB8E120074 for <ipv6@ietfa.amsl.com>; Sun, 8 Dec 2019 15:50:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dAgzuGQQigch for <ipv6@ietfa.amsl.com>; Sun, 8 Dec 2019 15:50:10 -0800 (PST)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1EC812002F for <ipv6@ietf.org>; Sun, 8 Dec 2019 15:50:10 -0800 (PST)
Received: by mail-io1-xd29.google.com with SMTP id s2so12834906iog.10 for <ipv6@ietf.org>; Sun, 08 Dec 2019 15:50:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XSMO0vM5od9bmneX8z0Y1qDKSgK3unprzoHQpPdvCN0=; b=Nii2xOsiIZW8lHa0AWip4wtWBDZjp0yaHL7pjPkSPcQutVq7S4AFXNtxge618HwOOf ksNiH3Iz/ONFpx6eFAb0yFhCrkFvWYGUbYwhMMhkLX/Gm6/BY9tclxKlSBfdlb/y5spS pu+ftevcXxLoJzd0WC4EvwdPdbEA1jnCIHzomTJMtPugmD/Xzl0a3r/SI52pVAzHQ1iG srhuOqiGCvr8F+abYptb2J0aDUPGdg61RsSQ5Xyb29/y5uSfnZzeCmFj0xjUiXfvhx6g yWyO/JJhC2QAXVBcZyL+s9MfZvrhKpR+Rj7RDbFx6gR38dU7+UePieKUGftKzd0NatE2 Q2nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XSMO0vM5od9bmneX8z0Y1qDKSgK3unprzoHQpPdvCN0=; b=qka6pnRdpTXVmPBiZr/+V+7tRDkY8oQlIV3N7XW0tjrhlPcw1J/91vvaVn+TMQmtOB HF9EgQhWTi3+jjN2Brvyu96JeH47zPOJuGAa+VV/w608C31pNUZkDqEz/Jto8o8zt2EA yYkcUWcg2O/GT8pWIKSpYmeuG0vLp8MRhb8GEQiVlLrX5o1YodNzUhU6HCeJir1e3Y8y OSQXmLOcSEfCFfdY7FZ6RtpKexAHHGOieg0nm0az2qSQuCIFhJJ5oP1zRA3T9G7Keckr Plozo4NT/Afe4gzAt5sT1JVUTUL+txK5Kd8czHF60eG35xGsmbuiktY1Y7Rpq+6KlBR8 Lv/g==
X-Gm-Message-State: APjAAAWsRIrN0dfm6MplgU4Rgrru+aHjZSkW+R+o72W9Vy5baOERt8gQ rdrnjNPdof+SAK1UCdAzcxaEsEoxOGVIoW11CLY=
X-Google-Smtp-Source: APXvYqzzMI5ILS6M8yu2U1MP12SrdCx3Rn0lCV15Y5FEbMb+vfnfQMJOI1m7qE6rdoq1MC9wUZKqrvHCM6ng+YgsvE8=
X-Received: by 2002:a6b:7316:: with SMTP id e22mr19459239ioh.205.1575849009726; Sun, 08 Dec 2019 15:50:09 -0800 (PST)
MIME-Version: 1.0
References: <CALx6S3588ja9AZzBQ0dqwx0j-ki6A5tusye+odQKPyAyF+hEww@mail.gmail.com> <10E890EA-3278-44EE-881E-EBC91D419587@employees.org> <88287cb0-c0c3-f990-4dd7-338df87c7fb2@joelhalpern.com> <4E76C386-FB1E-4E48-814D-BB626466BEE3@employees.org> <CAO42Z2ze7tmkGh=E-YrPuJHMeD8V6EuxgjjaJ33iz+Ms3abNsA@mail.gmail.com> <ED9B7C60-ACDE-4107-A121-AE2DAEA6B640@employees.org> <CABNhwV0EGiMaX0Qkyk+_zqZfiaAS_RP_ewVEctgdSnMuJ3MBPw@mail.gmail.com> <8AE06652-D6DB-444D-A8BB-7924181C83E4@employees.org> <CABNhwV1Ym5xtDY+vo8haaaObhMayE+ejkUbm4Sq9A5axCQwopA@mail.gmail.com> <160F2740-7571-44D9-8995-5D2F23989DF6@employees.org> <2ecefe0e-14c1-b991-754f-c2724e3fe198@gmail.com> <51AB190F-92A6-427D-8605-0796FAB9820A@employees.org>
In-Reply-To: <51AB190F-92A6-427D-8605-0796FAB9820A@employees.org>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sun, 08 Dec 2019 18:49:58 -0500
Message-ID: <CABNhwV0J7DZAQSvfJTfCKnqmMfbPfv1r4N-s7FZLzqQMNXUW7A@mail.gmail.com>
Subject: Re: IPv6 header insertion in a controlled domain
To: otroan@employees.org
Cc: 6man WG <ipv6@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000071cc74059939f02b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/eqmY08wSez27HVuSWVHzU2jZLW4>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Dec 2019 23:50:13 -0000
On Sun, Dec 8, 2019 at 5:03 PM <otroan@employees.org> wrote: > Brian, > > >>> I was thinking the obvious man in middle attack tampering with v6 > header by intermediate node and possible impact to AH if used. > >> > >> If AH is used, wouldn't A add the signature, and C when validating > would know that B added the header and could do verification accordingly? > >> For a controlled domain where all of A,B and C are acting in cohort, > then that wouldn't be too far fetched to assume. > >> At least a lot more probable than that AH would be used at all. ;-) > >> > >> Any other security issues you see? > > > > Two comments on this thread: > > > > 1) It isn't just AH that is broken; any form whatever of cryptographic > authentication of the packet header or the packet as a whole between A and > C is impossible unless the key is shared between A and B. But whether that > matters or not is a domain-specific decision. If I'm outside the domain, > why would I care? > > Right. I think Gyan's point was that header insertion made it harder to > secure the tunnel between A and C. > So mainly a problem for the controlled domain itself. > ESP NULL would work fine probably, since it doesn't include payload length > in the signature. > And you can ensure whatever is inserted is also treated as mutable. > Regardless, this is an inside the controlled domain problem, and one could > probably define a suitable security scheme for it if required. > > > 2) For me the test that matters is not whether this all works, but > whether the fact that it's happening can in principle be detected from > outside the domain. If it can't be detected from outside, why would I care? > > > > Note that NAT fails test 2. I'm not convinced that SRH insertion inside > a tunnel does so. > > I suppose header insertion has to pass both tests. > It has to be transparent to the outside, and it has to be possible to > secure within the domain. I think since this is within the operators domain that they have full control of maintaining the trust boundaries and enforcement of what can be seen outside the domain. A good example of this enforcement in the MPLS world is that you don’t allow any entity or customer outside the operator domain to trace through the domain. Real would scenario is using the “no mpls ttl-propagate” to prevent traceroute through an operators mpls core. My point is the onus is on the operator to enforce the boundary and allow or not allow visibly into the operators network. So 2 can be easily accomplished but the onus is on the operator. Ole had a valid point about AH that the probability of the nodes in the domain having a common security stance is more probable then the operator using AH within the domain. > > > Cheers, > Ole > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -- Gyan S. Mishra IT Network Engineering & Technology Verizon Communications Inc. (VZ) 13101 Columbia Pike FDC1 3rd Floor Silver Spring, MD 20904 United States Phone: 301 502-1347 Email: gyan.s.mishra@verizon.com www.linkedin.com/in/networking-technologies-consultant
- Network Programming - Penultimate Segment Popping Ron Bonica
- Re: Network Programming - Penultimate Segment Pop… Fernando Gont
- Re: Network Programming - Penultimate Segment Pop… Darren Dukes (ddukes)
- RE: Network Programming - Penultimate Segment Pop… Ron Bonica
- Re: Network Programming - Penultimate Segment Pop… Fernando Gont
- Re: Network Programming - Penultimate Segment Pop… otroan
- RE: Network Programming - Penultimate Segment Pop… Ron Bonica
- Re: Network Programming - Penultimate Segment Pop… otroan
- Re: Network Programming - Penultimate Segment Pop… Fernando Gont
- We don't seem to be following our processes (Re: … Fernando Gont
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… Tom Herbert
- RE: We don't seem to be following our processes (… Ron Bonica
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… Enno Rey
- Re: We don't seem to be following our processes (… Enno Rey
- RE: We don't seem to be following our processes (… Ron Bonica
- Re: We don't seem to be following our processes (… Bob Hinden
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… Joel M. Halpern
- Re: We don't seem to be following our processes (… Sander Steffann
- Re: We don't seem to be following our processes (… Alexandre Petrescu
- Re: We don't seem to be following our processes (… Tom Herbert
- Re: [spring] We don't seem to be following our pr… Robert Raszuk
- Re: [spring] We don't seem to be following our pr… Sander Steffann
- Re: [spring] We don't seem to be following our pr… Robert Raszuk
- Re: We don't seem to be following our processes (… Bob Hinden
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… Tom Herbert
- Re: We don't seem to be following our processes (… otroan
- Re: [spring] We don't seem to be following our pr… Andrew Alston
- Re: We don't seem to be following our processes (… Brian E Carpenter
- Re: [spring] We don't seem to be following our pr… otroan
- RE: [spring] We don't seem to be following our pr… Ron Bonica
- Re: [spring] We don't seem to be following our pr… Andrew Alston
- Re: [spring] We don't seem to be following our pr… otroan
- RE: [spring] We don't seem to be following our pr… Ron Bonica
- Re: We don't seem to be following our processes (… Brian E Carpenter
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: Network Programming - Penultimate Segment Pop… Darren Dukes (ddukes)
- Re: We don't seem to be following our processes (… Fernando Gont
- RE: Network Programming - Penultimate Segment Pop… Ron Bonica
- Re: [spring] We don't seem to be following our pr… Ole Troan
- Re: [spring] We don't seem to be following our pr… Andrew Alston
- Re: [spring] We don't seem to be following our pr… Sander Steffann
- Re: We don't seem to be following our processes (… Brian E Carpenter
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: We don't seem to be following our processes (… Joel M. Halpern
- Re: We don't seem to be following our processes (… Tom Herbert
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: [spring] We don't seem to be following our pr… otroan
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… Brian E Carpenter
- Re: [spring] We don't seem to be following our pr… Brian E Carpenter
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: We don't seem to be following our processes (… Tom Herbert
- Re: We don't seem to be following our processes (… Ole Troan
- Re: We don't seem to be following our processes (… Brian E Carpenter
- Re: [spring] We don't seem to be following our pr… Brian E Carpenter
- Re: We don't seem to be following our processes (… Joel M. Halpern
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: We don't seem to be following our processes (… Fernando Gont
- Separating issues (was Re: [spring] We don't seem… Suresh Krishnan
- RE: Separating issues (was Re: [spring] We don't … Ketan Talaulikar (ketant)
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… Joel M. Halpern
- Re: We don't seem to be following our processes (… Mark Smith
- Re: We don't seem to be following our processes (… otroan
- Re: We don't seem to be following our processes (… otroan
- Re: [spring] We don't seem to be following our pr… Robert Raszuk
- Re: [spring] We don't seem to be following our pr… Alexandre Petrescu
- Re: Network Programming - Penultimate Segment Pop… Darren Dukes (ddukes)
- Re: We don't seem to be following our processes (… Fernando Gont
- Re: Network Programming - Penultimate Segment Pop… Fernando Gont
- Re: [spring] We don't seem to be following our pr… Darren Dukes (ddukes)
- Re: [spring] We don't seem to be following our pr… Robert Raszuk
- Re: We don't seem to be following our processes (… Tom Herbert
- Re: Network Programming - Penultimate Segment Pop… Tom Herbert
- Re: [spring] Network Programming - Penultimate Se… Robert Raszuk
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: [spring] We don't seem to be following our pr… Fernando Gont
- Re: [spring] We don't seem to be following our pr… Brian E Carpenter
- Re: We don't seem to be following our processes (… Mark Smith
- IPv6 header insertion in a controlled domain otroan
- IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain Fernando Gont
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain Sander Steffann
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain Joel M. Halpern
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain Tom Herbert
- Re: IPv6 header insertion in a controlled domain jmh.direct@joelhalpern.com
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain otroan
- Re: We don't seem to be following our processes (… Alexandre Petrescu
- Re: IPv6 header insertion in a controlled domain Sander Steffann
- Re: IPv6 header insertion in a controlled domain Brian E Carpenter
- Re: IPv6 header insertion in a controlled domain Warren Kumari
- Re: IPv6 header insertion in a controlled domain otroan
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- RE: We don't seem to be following our processes (… Ron Bonica
- RE: IPv6 header insertion in a controlled domain Ron Bonica
- Re: IPv6 header insertion in a controlled domain Sander Steffann
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- RE: IPv6 header insertion in a controlled domain Ron Bonica
- Re: IPv6 header insertion in a controlled domain otroan
- RE: [spring] We don't seem to be following our pr… bruno.decraene
- Re: IPv6 header insertion in a controlled domain Fernando Gont
- Re: IPv6 header insertion in a controlled domain Tom Herbert
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- Re: IPv6 header insertion in a controlled domain Fernando Gont
- RE: IPv6 header insertion in a controlled domain Ron Bonica
- Re: IPv6 header insertion in a controlled domain Gyan Mishra
- Re: IPv6 header insertion in a controlled domain Fernando Gont
- Re: topics to circulate Alexandre Petrescu
- Re: topics to circulate Gyan Mishra
- Re: topics to circulate Erik Kline
- Re: topics to circulate Alexandre Petrescu
- Re: topics to circulate Alexandre Petrescu
- Re: IPv6 header insertion in a controlled domain Alexandre Petrescu
- Re: IPv6 header insertion in a controlled domain Alexandre Petrescu