IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

"C. M. Heard" <heard@pobox.com> Sun, 08 February 2015 23:21 UTC

Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8344F1A1AB4 for <opsec@ietfa.amsl.com>; Sun, 8 Feb 2015 15:21:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0S_E45zJ3XTs for <opsec@ietfa.amsl.com>; Sun, 8 Feb 2015 15:21:55 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 486C11A6FFA for <opsec@ietf.org>; Sun, 8 Feb 2015 15:21:55 -0800 (PST)
Received: (qmail 2573 invoked from network); 8 Feb 2015 15:21:46 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 8 Feb 2015 15:21:46 -0800
Date: Sun, 08 Feb 2015 15:21:46 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com>
Message-ID: <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/2VvsjIXE1pJRM2yNMFaQeSwo9x0>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "brian.e.carpenter@gmail.com" <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Feb 2015 23:21:56 -0000

On Sun, 8 Feb 2015, Ted Lemon wrote:
> On Feb 8, 2015, at 1:47 PM, C. M. Heard <heard@pobox.com> wrote:
> > It is not necessarily true that an unknown upper layer protocol 
> > header will look like a malformed extension header to a device that 
> > assumes it is an extension header following the format in RFC 6564.  
...
> This may or may not be true, but to the extent that it's true, 
> it's already addressed in RFC 7045, and it's addressed correctly 
> there.  There is no need to strengthen the advice in RFC 7045 
> here, which this document currently does, and indeed this is 
> completely unrelated to the supposed purpose of the document, 
> which is to prevent DHCP packets sent by unauthorized servers from 
> reaching clients.

Would your objections be addressed if Section 3 of the draft were 
replaced by something along the lines of the following?

=============================== cut here ===============================
3.  When parsing the IPv6 header chain, if the packet contains an
    unrecognized Next Header value, DHCPv6-Shield MUST be configurable
    to pass the packet.  The default configuration MAY drop such packets.
    When such a packet is dropped, DHCPv6-Shield SHOULD log the packet
    drop event in an implementation-specific manner as a security alert.

          RATIONALE: An unrecognized Next Header value could possibly
          identify an IPv6 Extension Header, and thus be leveraged to
          conceal a DHCPv6-server packet that should be dropped, or it
          may identify an unrecognized upper layer protocol, which
          should be passed.  There is no reliable way to tell the
          difference.  The advice given here is consistent with the
          requirements levied by [RFC7045] on forwarding nodes with
          respect to handling of unrecognized extension headers.

4.  When parsing the IPv6 header chain, if the packet is identified
    to be a DHCPv6 packet meant for a DHCPv6 client, DHCPv6-Shield MUST
    drop the packet, and SHOULD log the packet drop event in an
    implementation-specific manner as a security alert.
=============================== cut here ===============================

//cmh

v2.23.0 | Report a Bug | By Email