Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 09 February 2015 19:47 UTC

Message-ID: <54D90EE5.2060002@gmail.com>
Date: Tue, 10 Feb 2015 08:47:49 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Ted Lemon <Ted.Lemon@nominum.com>, Fernando Gont <fgont@si6networks.com>
In-Reply-To: <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/-kuT4HSeDrTqI_hMTSFOjbUaWTU>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "C. M. Heard" <heard@pobox.com>, Pete Resnick <presnick@qti.qualcomm.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

On 10/02/2015 08:23, Ted Lemon wrote:
> On Feb 9, 2015, at 1:16 PM, Fernando Gont <fgont@si6networks.com> wrote:
>> 1) Let us assume that either a new EH that doesn't follow RFC6564 is
>> specified (since, as noted, RFC6564 doesn't buy you anything), or that
>> the proposal in draft-gont-6man-rfc6564bis-00 gets standardized, and
>> hence new EHs follow the EH format in that document.
> 
> Come on, Fernando, this is ridiculous.   RFC 6564 is normative.   We should not expect new EHs to be standardized that do not conform with RFC 6564.

Fair enough. But let's just say that DHCPv6 Shield sees a Next Header
value of 253. How does it know where to look for a potential UDP
header with port 546?

If you don't like 253 as an example, how about 143, or any
other value that isn't listed at
http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#extension-header

I simply don't believe that any security product designer will do
anything except give up and discard the packet. Don't we want RFCs
to live in the real world?

    Brian
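Brian's question (what a DHCPv6-Shield filter can do when it meets a Next Header value such as 253 or 143) worked through as an added example; this is not code from the thread, the draft, or any implementation. It assumes the filter only knows the Hop-by-Hop, Routing, Destination Options and Fragment headers, and the `make_pkt` builder constructs sample packets for the walk.

```python
"""Added example (not from the thread): a header-chain walk of the kind a
DHCPv6-Shield filter must do, showing why an unknown Next Header value such
as 253 or 143 ends the walk before any UDP port can be inspected."""
import struct

UNIFORM_EH = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options (RFC 6564 layout)
FRAGMENT_EH, UDP = 44, 17  # Fragment header is a fixed 8 octets
DHCPV6_SERVER_PORT = 547

def classify(pkt: bytes) -> str:
    """'dhcpv6-server' if UDP with source port 547 is reached, 'other' if the
    chain parsed to something else, 'unparseable' if the walk had to stop."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "unparseable"
    nh, off = pkt[6], 40
    while off + 8 <= len(pkt):
        if nh == UDP:
            sport = struct.unpack_from("!H", pkt, off)[0]
            return "dhcpv6-server" if sport == DHCPV6_SERVER_PORT else "other"
        if nh == FRAGMENT_EH:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first-fragment"  # upper-layer header is not in this piece
            nh, off = pkt[off], off + 8
        elif nh in UNIFORM_EH:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            # 253 (experimental), 143 (unassigned) or anything else the filter
            # does not know: it cannot tell whether an RFC 6564 header or an
            # upper-layer payload follows, so the only safe decision is to stop.
            return "unparseable"
    return "unparseable"  # chain runs past the end of the packet

def make_pkt(chain, sport, dport=546) -> bytes:
    """Constructed IPv6 packet: `chain` lists header numbers in order, each
    emitted in RFC 6564 layout (Fragment as a first fragment), then UDP."""
    body = b""
    for i, eh in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else UDP
        if eh == FRAGMENT_EH:
            body += bytes([nxt, 0]) + struct.pack("!HI", 0, 1)   # offset 0, id 1
        else:
            body += bytes([nxt, 0]) + b"\x00" * 6                # one 8-octet unit
    body += struct.pack("!HHHH", sport, dport, 8, 0)
    first_nh = chain[0] if chain else UDP
    return struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64) + b"\x00" * 32 + body
```

Note that the packet with Next Header 253 is built in RFC 6564 layout and still comes back `unparseable`: conforming to the uniform format does not help a filter that has no way to know the value denotes an extension header at all.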