[OPSEC] Revisting Re: Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT) (now 06)
joel jaeggli <joelja@bogus.com> Wed, 18 March 2015 17:39 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA581A003B; Wed, 18 Mar 2015 10:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjQm1CXo2rTk; Wed, 18 Mar 2015 10:39:13 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2FA11A87D1; Wed, 18 Mar 2015 10:39:07 -0700 (PDT)
Received: from mb-aye.local (64.125.197.170.IPYX-102339-ZYO.zip.zayo.com [64.125.197.170] (may be forged)) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id t2IHcwpX034413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 18 Mar 2015 17:38:59 GMT (envelope-from joelja@bogus.com)
Message-ID: <5509B82E.9070108@bogus.com>
Date: Wed, 18 Mar 2015 10:38:54 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Thunderbird/36.0
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>, Fernando Gont <fgont@si6networks.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com> <54D8F98D.1030101@si6networks.com> <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com> <54D90EE5.2060002@gmail.com> <5C9CF492-A795-4023-BB91-28B1B52706E4@nominum.com> <54D92987.2080505@gmail.com> <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com> <Pine.LNX.4.64.1502091713320.26279@shell4.bayarea.net> <FFC8BDEA-51BB-4D18-8240-F360CD9A7566@nominum.com> <54D98F62.4080508@bogus.com> <ADCFDFED-5EF9-4121-A323-562C1E33C2F5@nominum.com> <54DA500C.5070908@si6networks.com> <FFAF547B-0F11-4382-B9B6-4932455F88C9@nominum.com>
In-Reply-To: <FFAF547B-0F11-4382-B9B6-4932455F88C9@nominum.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="deCWPQXaTIpTDuVGggtBwSBGsDWqJWsJp"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/-XiMWqaDx6IfXOBAuAKROnBmoV8>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "C. M. Heard" <heard@pobox.com>, Pete Resnick <presnick@qti.qualcomm.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: [OPSEC] Revisting Re: Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT) (now 06)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2015 17:39:15 -0000
On 2/10/15 12:49 PM, Ted Lemon wrote: > On Feb 10, 2015, at 1:38 PM, Fernando Gont <fgont@si6networks.com> > wrote: >> Not sure what the "(as opposed to an extension header)" means. >> Could you elaborate/clarify a bit? > > What I'm proposing is that unknown codes can be assumed to be > extension headers. Any known code may be either an extension header > or a protocol header, but then it's a known code, so not a problem. > But rereading the text, that parenthetical does seem unnecessary. > > Anyway, it sounds like we now have some text to argue about that we > might be able to agree on, so I will defer to you on tweaking it--I > just wanted to give you a sense of what I had in mind. The main > thing I want to avoid is a recommendation that the basic shield > algorithm by default drop unknown extension and transport headers, > but I agree that it's good to say what to do if the hardware can't > support that fully. We got a new version of this draft on 2/25 which I kinda of lost track of in the midst of two IESG review calls. http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-opsec-dhcpv6-shield-06.txt It stops short of my interpretation of Ted's position, with the reordered and clarified test in section 3. the new explanatory text in in the security considerations: The recommendations in this document represent the ideal behavior of a DHCPv6 shield device. However, in order to implement DHCPv6 shield on the fast path, it may be necessary to limit the depth into the packet that can be scanned before giving up. In circumstances where there is such a limitation, it is recommended that implementations drop packets after attempting to find a protocol header up to that limit, whatever it is. Ideally, such devices should be configurable with a list of protocol header identifiers so that if new transport protocols are standardized after the device is released, they can be added to the list of protocol header types that the device recognizes. Since any protocol header that is not a UDP header would be passed by the DHCPv6 shield algorithm, this would allow such devices to avoid blocking the use of new transport protocols. When an implementation must stop searching for recognizable header types in a packet due to such limitations, whether the device passes or drop that packet SHOULD be configurable.
- [OPSEC] Revisting Re: Ted Lemon's Discuss on draf… joel jaeggli
- Re: [OPSEC] Revisting Re: Ted Lemon's Discuss on … C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Joel Jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-d… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Marc Blanchet
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Pete Resnick
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli