Re: Questions regarding the security mechanisms//RE: CRH and RH0
Fernando Gont <fgont@si6networks.com> Fri, 15 May 2020 20:16 UTC
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>, qinfengwei <qinfengwei@chinamobile.com>, "'Xiejingrong (Jingrong)'" <xiejingrong@huawei.com>, 'Bob Hinden' <bob.hinden@gmail.com>, "'Darren Dukes (ddukes)'" <ddukes@cisco.com>
Cc: '6man' <6man@ietf.org>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <e4cfefa0-eeb4-22ee-6d9b-1abac21ce962@si6networks.com>
Date: Fri, 15 May 2020 17:16:26 -0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pcY3zIHfQfPoCdu3dBHDGYFCNQM>
Ron,

On 15/5/20 17:08, Ron Bonica wrote:
> Fengwei, Jingrong,
>
> You raise excellent questions, and I will try to address them.
>
> In 2007, security researchers demonstrated that Routing headers can be
> used as attack vectors. See the following slide deck:
>
> - http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
>
> Therefore, we conclude that if a network contains nodes that process
> the CRH, it MUST deploy ACLs at its edge. These ACLs:
> - MUST be sufficiently restrictive to filter harmful packets
> - SHOULD NOT be so restrictive that they filter harmless packets.

I have not read your CRH draft (hence my comments might be nonsense),
but it would seem to me that if the labels/SIDs you employ in CRH need
mappings in the routers, and/or this functionality is turned off by
default (i.e., support for CRH needs to be explicitly enabled on the
devices expected to use CRH), this is already a major difference and
win over RHT0.

The main issue behind RHT0 and, for instance, IPv4 SR is that such
functionality was enabled by default, and that all Internet nodes were
in the position to process these packets.

If this is not the case, I, as an attacker, would have a much harder
time exploiting CRH because I wouldn't even be able to get packets
containing a CRH past my CE Router.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
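Added example, not part of this message, the thread, or any CRH implementation: the edge ACL the exchange above argues for, written as a default-deny filter. It walks the IPv6 extension-header chain to find the Routing Header, always drops Routing Type 0 (RH0, deprecated by RFC 5095), and permits any other routing type only if the operator has explicitly enabled it, mirroring the "off by default" property Fernando describes. Sample packets are constructed inline; Routing Type 4 is used only as a stand-in for "a type this network chose to enable".

```python
import struct

ROUTING, FRAGMENT, RH0 = 43, 44, 0      # Routing Header; Fragment Header; Routing Type 0 (deprecated, RFC 5095)
CHAINED = {0, ROUTING, 60}              # Hop-by-Hop, Routing, Destination Options carry a Hdr Ext Len field

def find_routing_header(pkt: bytes):
    """Return (routing_type, segments_left) of the first Routing Header in an IPv6 packet, or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40                # Next Header of the fixed header; the chain starts at byte 40
    while True:
        if nh == ROUTING:
            if off + 4 > len(pkt):
                raise ValueError("truncated Routing Header")
            return pkt[off + 2], pkt[off + 3]       # Routing Type, Segments Left
        if nh in CHAINED:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # Hdr Ext Len: 8-octet units, first 8 excluded
        elif nh == FRAGMENT:
            nh, off = pkt[off], off + 8             # Fragment Header is a fixed 8 octets
        else:
            return None                             # upper-layer header reached, no Routing Header

def edge_filter(pkt: bytes, enabled_types=frozenset()) -> str:
    """Edge ACL decision in the thread's sense: deny by default, permit only enabled routing types, never RH0."""
    rh = find_routing_header(pkt)
    if rh is None:
        return "permit"
    rtype, segs_left = rh
    if rtype == RH0:
        return "drop: RH0 is deprecated (RFC 5095)"
    if segs_left == 0:
        return "permit: Segments Left is 0, so receivers ignore the header (RFC 8200)"
    if rtype in enabled_types:
        return "permit"
    return f"drop: routing type {rtype} is not enabled on this network"

def build_pkt(chain: bytes, first_nh: int) -> bytes:
    """Constructed sample packet: fixed IPv6 header, then `chain`, then an 8-byte UDP stub."""
    payload = chain + bytes(8)
    src, dst = bytes.fromhex("20010db8" + "00" * 12), bytes.fromhex("20010db8" + "00" * 11 + "01")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), first_nh, 64, src, dst) + payload

HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])                # Hop-by-Hop: Next = Routing, one PadN option
RH0_HDR = bytes([17, 2, RH0, 1]) + bytes(4) + bytes(16)     # Routing Header: Next = UDP, type 0, 1 segment left
RT4_HDR = bytes([17, 2, 4, 1]) + bytes(4) + bytes(16)       # same layout with Routing Type 4 (SRH, RFC 8754)
PKT_RH0 = build_pkt(HBH + RH0_HDR, 0)                      # constructed: Hop-by-Hop, then RH0
PKT_RT4 = build_pkt(RT4_HDR, ROUTING)                      # constructed: Routing Header first
```

Packets with no Routing Header pass untouched, which is the "SHOULD NOT filter harmless packets" half of Ron's requirement; only the types the network actually processes need to be put on the allow-list.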