Re: [OPSEC] I-D Action: draft-ietf-opsec-ipv6-eh-filtering-07.txt

Michael Dougherty <jerniman@jernilan.net> Sun, 24 January 2021 14:16 UTC

From: Michael Dougherty <jerniman@jernilan.net>
To: Fernando Gont <fgont@si6networks.com>, "opsec@ietf.org" <opsec@ietf.org>
CC: "liushucheng@huawei.com" <liushucheng@huawei.com>, "i-d-announce-owner@ietf.org" <i-d-announce-owner@ietf.org>
Thread-Topic: I-D Action: draft-ietf-opsec-ipv6-eh-filtering-07.txt
Thread-Index: AQHW75UlVWnMVCkYlEW/zk7f17ZMdqo2SDcAgAA7ygA=
Date: Sun, 24 Jan 2021 14:16:24 +0000
Message-ID: <E29A8F2F-EEF6-4DBB-9C91-3781828321A1@jernilan.net>
References: <161109288484.2686.1614871839620987885@ietfa.amsl.com> <D1128302-7FEB-4DE3-A859-364129A2C762@jernilan.net> <461ce180-69be-2fdf-aece-c7250a9f886a@si6networks.com>
In-Reply-To: <461ce180-69be-2fdf-aece-c7250a9f886a@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/-VwAHwLXBrK8UUkNbK4VMsKfpzU>

Hello Fernando,

Thanks for the reply. I wasn't sure if you received my message, but I am glad that it has helped. I reviewed your comments and responded to them below. I am happy to help out.

-michael

On 1/24/21, 12:45 AM, "Fernando Gont" <fgont@si6networks.com> wrote:

    Hello, Michael,

    Thanks a lot for your input! In-line...

    On 20/1/21 22:31, Michael Dougherty wrote:
    > Greetings,
    > 
    > This was an interesting topic and write up. I have a few comments
    > related to writing structure and readability.
    > 
    > Original: While some operators "officially" drop packets that contain
    > IPv6 EHs, it is possible that some of the measured packet drops be
    > the result of improper configuration defaults, or inappropriate
    > advice in this area.
    > 
    > Suggestion: While some operators "officially" drop packets that
    > contain IPv6 EHs; it is possible that some of the measured packet
    > drops be the result of improper configuration defaults, or
    > inappropriate advice in this area.

    Wouldn't the s/,/;/ make the two sentences more unrelated, when they are 
    actually meant to be closely-related?

//MD Reply - 24JAN2021 \\

The use of the semicolon would be a good fit here, since the two sections are related but are separate sentence clauses; technically it would work. Take a look at my rewrite below; hopefully it still conveys the idea.

Possible rewrite: While some operators "officially" drop packets containing IPv6 EHs, inappropriate defaults or incorrect advice in this area may result in the recording of elevated drops.

    > Original: The advice in this document is aimed only at transit
    > routers that may need to enforce a filtering policy based on the EHs
    > and IPv6 options a packet may contain, following a "deny-list"
    > approach, and hence is likely to be much more permissive that a
    > filtering policy to be employed at e.g. the edge of an enterprise
    > network.
    > 
    > Suggestion: The advice in this document is aimed only at transit
    > routers that may need to enforce a filtering policy based on the EHs
    > and IPv6 options a packet may contain, following a "deny-list"
    > approach, and hence is likely to be much more permissive than a
    > filtering policy to be employed at, e.g., the edge of an enterprise
    > network.

    Will do!


    > 
    > Original: Section 4.2, first paragraph, second sentence Essentially,
    > packets that contain IPv6 options might need to be processed by an
    > IPv6 router's general-purpose CPU,and hence could present a DDoS risk
    > to that router's general-purpose CPU (and thus to the router
    > itself).
    > 
    > Suggestion: Essentially, packets that contain IPv6 options that might
    > need to be processed by an IPv6 router's general-purpose CPU and
    > could present a DDoS risk to that router's general-purpose CPU.

    Will do.


    > 
    > Comments: 1 - Within the last sentence of the third paragraph within
    > the "Introduction" sections. There is a comment about "inappropriate
    > and missing guidelines". Who dictates or decides what is
    > inappropriate?

    Well, that's indeed subjective. One might say that, for example, "drop 
    all packets with EHs (regarding the EH-chain length) at transit routers" 
    is probably inappropriate.

    That said, if you have any suggested tweaks, please do let us know (I'm 
    all for improving the document).

MD: I reviewed RFC 7872, and you could maybe rephrase to include the call-out of 7872 but also cover anything that might be considered.

/// The advice conveyed in this document is to assist network operators with developing or refining packet-dropping policies for IPv6 EHs entering or leaving their operational responsibilities. Guidelines contained in RFC 7872 may not have information for specific use cases or situations; this document may positively affect updated policies. \\\

    > 2 - First bullet point in Section 2.3, change
    > "recognise" to "recognize"

    Will do.


    > 3 - Within the last paragraph of section
    > 2.3, part of the comment ".... it is generally desirable that the
    > sender be signaled of the packet drop...." While the idea is valid,
    > it might be a good idea to note that such a signal might attract
    > malicious attention or threat-actors.

    You mean "expose the filtering policy"? If not, please elaborate. :-)

MD Response: Yes, that is exactly what I am referencing. Sending back an ICMP error message to the originating host may expose the "reporting device's" existence or operation.


    > 4 - Section 3.4.4.4. It might
    > be best to specify what type of IPSEC deployment is involved,
    > host-to-host, site-to-site, site-to-host? 

    Could you please elaborate a bit on this one?

MD Response: It was more so a comment regarding how specific you want to be about possibly breaking IPsec deployments. In general, yes, calling it out as you have would cover various deployments or operational considerations. Since this document is aimed at transit and is possibly applicable to IXPs, they may not be mindful of how end users might be operating.

    > 5 - Section 3.4.5.5.
    > Advise, hasn't AH been deprecated as an insecure methodology versus
    > ESP?

    That'd generally be my take. But AH has never been formally obsoleted. 
    While double-checking this, I ended up finding this thread 
    (http://www.sandelman.ottawa.on.ca/ipsec/2000/06/threads.html#00063 ) in 
    which some folks have actually suggested that, but it looks like the 
    idea didn't fly.

MD Response: It seems you are correct; at a standards level AH appears not to be officially deprecated. While it sounds like there is discussion and a need to do so, it has not been done. I will say some vendors do recommend ESP over AH, such as Juniper in their 2012 document, "Concepts & Examples ScreenOS Reference Guide Virtual Private Networks." Regardless, you can probably ignore my previous comment.

    Thanks!

    Regards,
    -- 
    Fernando Gont
    SI6 Networks
    e-mail: fgont@si6networks.com
    PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
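As an added example (not code from the draft or from anyone on this thread), the following Python walks an IPv6 extension-header chain and applies a deny-list policy of the kind the draft scopes to transit routers, with the thread's point about signalling drops to the sender modelled as a policy flag. The deny lists, the packet builder and the sample packets are constructed for illustration and are not the draft's recommendations.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers and for UDP (the sample upper layer)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, UDP = 0, 43, 44, 50, 51, 60, 17
EH_TYPES = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}

def eh_chain(pkt):
    """Return the EH types of an IPv6 packet in order of appearance.
    Walking stops at the upper-layer header, at ESP (what follows is encrypted)
    or when the packet is too short to hold the next header's first two octets."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EH_TYPES:
        chain.append(nh)
        if nh == ESP or off + 2 > len(pkt):
            break
        if nh == FRAGMENT:
            length = 8                        # fixed-size header
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4   # AH length field: 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8   # HBH/Routing/DestOpts: 8-octet units minus 1
        nh, off = pkt[off], off + length
    return chain

def decide(pkt, deny, signal_sender):
    """Deny-list filter: drop the packet if any EH in its chain is on the list.
    Returns (action, signalling). A drop is either reported to the sender with an
    ICMPv6 error ('icmpv6'), which reveals that a filter exists, or done silently."""
    if any(eh in deny for eh in eh_chain(pkt)):
        return ("drop", "icmpv6" if signal_sender else "silent")
    return ("pass", None)

def build(eh_types):
    """Constructed sample packet: base header, the given EH chain, then UDP.
    Zero addresses and empty payload; enough for the chain walk, not a real packet."""
    nexts, headers = eh_types + [UDP], []
    for eh, nxt in zip(eh_types, nexts[1:]):
        if eh == AH:
            headers.append(bytes([nxt, 1]) + bytes(10))   # 12-octet AH (length field 1)
        else:
            headers.append(bytes([nxt, 0]) + bytes(6))    # 8-octet header (length field 0)
    body = b"".join(headers)
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), nexts[0], 64, bytes(16), bytes(16)) + body

# Constructed policies: a permissive transit deny-list and a stricter edge one (illustrative only)
TRANSIT_DENY = {ROUTING}
EDGE_DENY = {ROUTING, HOP_BY_HOP, FRAGMENT}
```

Running the same packets through TRANSIT_DENY and EDGE_DENY shows the difference in permissiveness the draft's scoping sentence describes; the signal_sender flag is where an operator trades the sender's diagnosability against exposing the filter.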