RE: Questions regarding the security mechanisms//RE: CRH and RH0

Ron Bonica <rbonica@juniper.net> Fri, 15 May 2020 20:21 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Fernando Gont <fgont@si6networks.com>, qinfengwei <qinfengwei@chinamobile.com>, "'Xiejingrong (Jingrong)'" <xiejingrong@huawei.com>, 'Bob Hinden' <bob.hinden@gmail.com>, "'Darren Dukes (ddukes)'" <ddukes@cisco.com>
CC: '6man' <6man@ietf.org>
Subject: RE: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Topic: Questions regarding the security mechanisms//RE: CRH and RH0
Thread-Index: AdYqA0uTBELEk8r7RxOFOlq1QjWhwwAniBKgABOLx4AAAYa3AAAAEivg
Date: Fri, 15 May 2020 20:21:23 +0000
Message-ID: <DM6PR05MB63486BC1056350B4E6B744FEAEBD0@DM6PR05MB6348.namprd05.prod.outlook.com>
References: <23488ea0d4eb474c9d7155086f940dae@huawei.com> <006c01d62aa1$8c195520$a44bff60$@com> <DM6PR05MB634863122645FD4981B97F71AEBD0@DM6PR05MB6348.namprd05.prod.outlook.com> <e4cfefa0-eeb4-22ee-6d9b-1abac21ce962@si6networks.com>
In-Reply-To: <e4cfefa0-eeb4-22ee-6d9b-1abac21ce962@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/0EbK-RAVPqTI3EV6mnITgUcZmh4>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

Fernando,

Good point. In order to use CRH as an attack vector, the attacker would need to know something about CRH to IPv6 address mappings.

I am assuming that the attacker has this information, either from an inside source (e.g., a disgruntled employee) or from effective guesswork.

Ron




-----Original Message-----
From: Fernando Gont <fgont@si6networks.com> 
Sent: Friday, May 15, 2020 4:16 PM
To: Ron Bonica <rbonica@juniper.net>; qinfengwei <qinfengwei@chinamobile.com>; 'Xiejingrong (Jingrong)' <xiejingrong@huawei.com>; 'Bob Hinden' <bob.hinden@gmail.com>; 'Darren Dukes (ddukes)' <ddukes@cisco.com>
Cc: '6man' <6man@ietf.org>
Subject: Re: Questions regarding the security mechanisms//RE: CRH and RH0



Ron,

On 15/5/20 17:08, Ron Bonica wrote:
> Fengwei, Jingrong,
>
> You raise excellent questions, and I will try to address them.
>
> In 2007, security researchers demonstrated that Routing headers can be used as attack vectors. See the following slide deck:
>
> - https://urldefense.com/v3/__http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf__;!!NEt6yMaO-gk!V5RFYkrbeopG4qEvGTKEn3T-EjmwQ85kbakl0WbpptbeU0S5zl5X7vOoMeAD5NxQ$
>
> Therefore, we conclude that if a network contains nodes that process the CRH, it MUST deploy ACLs at its edge. These ACLs:
>       - MUST be sufficiently restrictive to filter harmful packets
>       - SHOULD NOT be so restrictive that they filter harmless packets.

I have not read your CRH draft (hence my comments might be nonsense), but it would seem to me that if the labels/SIDs you employ in CRH need mappings in the routers, and/or this functionality is turned off by default (i.e., support for CRH needs to be explicitly enabled on the devices expected to use CRH), this is already a major difference and win over RHT0.

The main issue behind RHT0 and, for instance, IPv4 SR is that such functionality was enabled by default, and that all Internet nodes were in the position to process these packets.

If this is not the case, I, as an attacker, would have a much harder time exploiting CRH because I wouldn't even be able to get packets containing a CRH past my CE Router.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
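An added example, not from this thread or from any of the drafts it discusses, of the kind of edge ACL check Ron describes: walk the IPv6 extension-header chain, find the Routing Header, and drop only packets whose routing type is on a deny list, so harmless routing types still pass. Routing Type 0 (RH0) is the deprecated type from RFC 5095; the CRH routing types 5 and 6 are an assumption taken from the later IANA assignment, not from this thread; all sample packets are constructed inline with dummy 2001:db8::/32 addresses.

```python
import struct

NEXT_HOP_BY_HOP, NEXT_ROUTING, NEXT_FRAGMENT, NEXT_DST_OPTS = 0, 43, 44, 60
RH0 = 0             # Type 0 Routing Header, deprecated by RFC 5095
CRH_TYPES = {5, 6}  # assumption: CRH-16 / CRH-32 routing types per the later IANA registry entry

def find_routing_header(pkt: bytes):
    """Walk the extension-header chain; return (routing_type, segments_left) or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while off + 2 <= len(pkt):
        if nxt == NEXT_ROUTING:
            if off + 4 > len(pkt):
                raise ValueError("truncated Routing Header")
            return pkt[off + 2], pkt[off + 3]          # routing type, segments left
        if nxt in (NEXT_HOP_BY_HOP, NEXT_DST_OPTS):
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # hdr_ext_len in 8-octet units
        elif nxt == NEXT_FRAGMENT:
            nxt, off = pkt[off], off + 8               # Fragment header is a fixed 8 octets
        else:
            return None                                # upper-layer header reached
    return None

def edge_acl(pkt: bytes, deny_types=frozenset({RH0}) | frozenset(CRH_TYPES)):
    """Edge policy: drop a packet only if it carries a Routing Header of a denied type."""
    rh = find_routing_header(pkt)
    if rh is not None and rh[0] in deny_types:
        return f"drop: routing type {rh[0]}, segments left {rh[1]}"
    return "accept"

# --- constructed sample packets (dummy addresses, no captured traffic) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    addr = bytes.fromhex("20010db8") + bytes(12)
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr + addr + payload

def routing_header(rtype: int, seg_left: int, next_header: int = 59) -> bytes:
    return bytes([next_header, 2, rtype, seg_left]) + bytes(4) + bytes(16)  # one 16-octet entry

def hop_by_hop(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])                          # PadN-only, 8 octets

SAMPLES = {
    "plain_tcp": ipv6(6, bytes(20)),
    "rh0": ipv6(NEXT_ROUTING, routing_header(RH0, 1)),
    "hbh_then_crh16": ipv6(NEXT_HOP_BY_HOP, hop_by_hop(NEXT_ROUTING) + routing_header(5, 1)),
    "mipv6_type2": ipv6(NEXT_ROUTING, routing_header(2, 1)),  # not on the deny list: passes
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {edge_acl(pkt)}")
```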