IETF Logo Mail Archive

[OPSEC] Revisting Re: Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT) (now 06)

joel jaeggli <joelja@bogus.com> Wed, 18 March 2015 17:39 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA581A003B; Wed, 18 Mar 2015 10:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjQm1CXo2rTk; Wed, 18 Mar 2015 10:39:13 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2FA11A87D1; Wed, 18 Mar 2015 10:39:07 -0700 (PDT)
Received: from mb-aye.local (64.125.197.170.IPYX-102339-ZYO.zip.zayo.com [64.125.197.170] (may be forged)) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id t2IHcwpX034413 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 18 Mar 2015 17:38:59 GMT (envelope-from joelja@bogus.com)
Message-ID: <5509B82E.9070108@bogus.com>
Date: Wed, 18 Mar 2015 10:38:54 -0700
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Thunderbird/36.0
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>, Fernando Gont <fgont@si6networks.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com> <54D8F98D.1030101@si6networks.com> <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com> <54D90EE5.2060002@gmail.com> <5C9CF492-A795-4023-BB91-28B1B52706E4@nominum.com> <54D92987.2080505@gmail.com> <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com> <Pine.LNX.4.64.1502091713320.26279@shell4.bayarea.net> <FFC8BDEA-51BB-4D18-8240-F360CD9A7566@nominum.com> <54D98F62.4080508@bogus.com> <ADCFDFED-5EF9-4121-A323-562C1E33C2F5@nominum.com> <54DA500C.5070908@si6networks.com> <FFAF547B-0F11-4382-B9B6-4932455F88C9@nominum.com>
In-Reply-To: <FFAF547B-0F11-4382-B9B6-4932455F88C9@nominum.com>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="deCWPQXaTIpTDuVGggtBwSBGsDWqJWsJp"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/-XiMWqaDx6IfXOBAuAKROnBmoV8>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "C. M. Heard" <heard@pobox.com>, Pete Resnick <presnick@qti.qualcomm.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: [OPSEC] Revisting Re: Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT) (now 06)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2015 17:39:15 -0000

On 2/10/15 12:49 PM, Ted Lemon wrote:
> On Feb 10, 2015, at 1:38 PM, Fernando Gont <fgont@si6networks.com>
> wrote:
>> Not sure what the "(as opposed to an extension header)" means.
>> Could you elaborate/clarify a bit?
> 
> What I'm proposing is that unknown codes can be assumed to be
> extension headers.   Any known code may be either an extension header
> or a protocol header, but then it's a known code, so not a problem.
> But rereading the text, that parenthetical does seem unnecessary.
> 
> Anyway, it sounds like we now have some text to argue about that we
> might be able to agree on, so I will defer to you on tweaking it--I
> just wanted to give you a sense of what I had in mind.   The main
> thing I want to avoid is a recommendation that the basic shield
> algorithm by default drop unknown extension and transport headers,
> but I agree that it's good to say what to do if the hardware can't
> support that fully.

We got a new version of this draft on 2/25 which I kinda of lost track
of in the midst of two IESG review calls.

http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-opsec-dhcpv6-shield-06.txt

It stops short of  my interpretation  of Ted's position, with the
reordered and clarified test in section 3. the new explanatory text in
in the security considerations:

   The recommendations in this document represent the ideal behavior of
   a DHCPv6 shield device.  However, in order to implement DHCPv6 shield
   on the fast path, it may be necessary to limit the depth into the
   packet that can be scanned before giving up.  In circumstances where
   there is such a limitation, it is recommended that implementations
   drop packets after attempting to find a protocol header up to that
   limit, whatever it is.  Ideally, such devices should be configurable
   with a list of protocol header identifiers so that if new transport
   protocols are standardized after the device is released, they can be
   added to the list of protocol header types that the device
   recognizes.  Since any protocol header that is not a UDP header would
   be passed by the DHCPv6 shield algorithm, this would allow such
   devices to avoid blocking the use of new transport protocols.  When
   an implementation must stop searching for recognizable header types
   in a packet due to such limitations, whether the device passes or
   drop that packet SHOULD be configurable.

v2.23.0 | Report a Bug | By Email