IETF Logo Mail Archive

Re: [OPSEC] Fwd: New Version Notification for draft-gont-opsec-ip-options-filtering-01

Carlos Pignataro <cpignata@cisco.com> Fri, 13 May 2011 03:10 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C837E06E7 for <opsec@ietfa.amsl.com>; Thu, 12 May 2011 20:10:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7CV8vf4eGbjn for <opsec@ietfa.amsl.com>; Thu, 12 May 2011 20:10:55 -0700 (PDT)
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by ietfa.amsl.com (Postfix) with ESMTP id D996EE0696 for <opsec@ietf.org>; Thu, 12 May 2011 20:10:54 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-rtp.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id p4D3AoCC020588; Thu, 12 May 2011 23:10:50 -0400 (EDT)
Received: from [10.117.115.50] (rtp-cpignata-8911.cisco.com [10.117.115.50]) by rooster.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id p4D3AnYv015671; Thu, 12 May 2011 23:10:49 -0400 (EDT)
Message-ID: <4DCCA138.2000908@cisco.com>
Date: Thu, 12 May 2011 23:10:48 -0400
From: Carlos Pignataro <cpignata@cisco.com>
Organization: cisco Systems, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100228 Thunderbird/2.0.0.24 Mnenhy/0.7.6.0
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <4DB74CBD.2050003@gont.com.ar>
In-Reply-To: <4DB74CBD.2050003@gont.com.ar>
X-Enigmail-Version: 1.1.1
X-Face: *3w8NvnQ|kS~V{&{U}$?G9U9EJQ8p9)O[1[1F'1i>XIc$5FR!hdAIf5}'Xu-3`^Z']h0J* ccB'fl/XJYR[+, Z+jj`4%06nd'y9[ln&ScJT5S+O18e^
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [OPSEC] Fwd: New Version Notification for draft-gont-opsec-ip-options-filtering-01
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2011 03:10:59 -0000

Hi Fernando,

I wanted to share some high-level comments on this I-D. I hope this is
useful feedback.

The great majority of this document as currently structured dives into
details about fifteen IPv4 Options, assessing threat model -> impact if
blocked -> advise. I think that the threat -> impact -> advise is a good
model.

However, this flow seems to make some strong underlying assumptions:
1. It may assume that the current state is that options are not blocked.
But currently, IP optioned packets do not have unfiltered success in the
Internet:
http://www.ietf.org/mail-archive/web/int-area/current/msg02334.html
http://www.ietf.org/mail-archive/web/int-area/current/msg02360.html

2. It assumes that devices (i.e., routers) have the capability to filter
IP optioned packets with the per-option-value granularity. This might
not generally be the case.

3. It assumes that a desired granularity is to filter at the option
level, generally. This might result in increased and unjustified OpEx,
and an operator might chose to simply make a blanked determination, even
when the capability to filter per-option might exist.

Additionally,

4. There may be more than "filter" versus "not-filter" options. Some
platforms support ignoring IP options (i.e., acting as if an IP Optioned
packet did not have options), and that is a potential recommendation.

5. Doing an enumeration of all options would either need to be
exhaustive (and it appears that the document does not contain all option
values from <http://www.iana.org/assignments/ip-parameters>, e.g., 147),
or provide a catch-all final else clause in the conditional. This is
also solved by providing a non-per-option-value discussion.

Based on this, I believe that a document about ip-options-filtering
should start at a much higher level discussing coarse granularity (less
opex) options, as well as reasons for a perceived current state. There
are operational considerations to doing per-option-value filtering
versus generic option filtering or ignoring, and I believe those should
be discussed early on on the document.

Some more specific comments:

I suspect that the phrase "IP Options filtering" that is used throughout
the doc can be a bit ambiguous. The options are not filtered, the whole
optioned datagram is.

The intended status listed is BCP, and I wonder if that is what this
document is providing. More than a current practice (which arguably is
to filter or ignore without looking at the option value, modulo
exceptions), it appears to provide Information about impact of filtering
particular options.

The first sentence of Section 3, "Router manufacturers tend to do IP
option processing on the main processor, rather than on line cards",
speaks to specific router distributed architecture, and I think it might
be oversimplifying the current state.

For EOO and NOOP, the advise is to:

   No security issues are known for this option, other than the general
   security implications of IP options discussed in Section 2.

But I think that the general implications are the most important part of
this document but are minimal.

The document does not describe what the resulting disposition of a
packet with many options should be.

Nits:

There seems to be an inconsistency with the timestamp option:

   The timestamp option has a number of security implications.  Among
   them are:
...
   No security issues are known for this option, other than the general
   security implications of IP options discussed in Section 2.

The short title is "IPv4 Security Assessment".

There

I hope these comments are clear, please do let me know anything that
does not parse, I hope this is useful.

Thanks,

-- Carlos.


On 4/26/2011 6:52 PM, Fernando Gont wrote:
> Folks,
> 
> We have published a revision of our I-D "IP Options Filtering
> Recommendations". It is available at:
> http://tools.ietf.org/html/draft-gont-opsec-ip-options-filtering-01
> 
> Publication of this document had been suggested at the Hiroshima IETF.
> Version -00 had expired a while ago, and I decided to invest some time
> and bring this document back to life. This time with much help from Ran
> Atkinson, who is co-authoring this latest rev.
> 
> Any comments will be welcome.
> 
> Thanks!
> 
> Best regards,
> Fernando
> 
> 
> 
> 
> -------- Original Message --------
> Subject: New Version Notification for
> draft-gont-opsec-ip-options-filtering-01
> Date: Tue, 26 Apr 2011 15:31:13 -0700 (PDT)
> From: IETF I-D Submission Tool <idsubmission@ietf.org>
> To: fernando@gont.com.ar
> CC: rja.lists@gmail.com
> 
> 
> A new version of I-D, draft-gont-opsec-ip-options-filtering-01.txt has
> been successfully submitted by Fernando Gont and posted to the IETF
> repository.
> 
> Filename:	 draft-gont-opsec-ip-options-filtering
> Revision:	 01
> Title:		 IP Options Filtering Recommendations
> Creation_date:	 2011-04-27
> WG ID:		 Independent Submission
> Number_of_pages: 26
> 
> Abstract:
> This document document provides advice on the filtering of packets
> based on the IP options they contain.  Additionally, it discusses the
> operational and interoperability implications of such filtering.
> 
> 
> 
> 
> The IETF Secretariat.
> 
> 
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
>

v2.23.0 | Report a Bug | By Email