Re: [OPSEC] Fwd: New Version Notification for draft-gont-opsec-ip-options-filtering-01
Carlos Pignataro <cpignata@cisco.com> Fri, 13 May 2011 03:10 UTC
Return-Path: <cpignata@cisco.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C837E06E7 for <opsec@ietfa.amsl.com>; Thu, 12 May 2011 20:10:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7CV8vf4eGbjn for <opsec@ietfa.amsl.com>; Thu, 12 May 2011 20:10:55 -0700 (PDT)
Received: from av-tac-rtp.cisco.com (hen.cisco.com [64.102.19.198]) by ietfa.amsl.com (Postfix) with ESMTP id D996EE0696 for <opsec@ietf.org>; Thu, 12 May 2011 20:10:54 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from rooster.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-rtp.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id p4D3AoCC020588; Thu, 12 May 2011 23:10:50 -0400 (EDT)
Received: from [10.117.115.50] (rtp-cpignata-8911.cisco.com [10.117.115.50]) by rooster.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id p4D3AnYv015671; Thu, 12 May 2011 23:10:49 -0400 (EDT)
Message-ID: <4DCCA138.2000908@cisco.com>
Date: Thu, 12 May 2011 23:10:48 -0400
From: Carlos Pignataro <cpignata@cisco.com>
Organization: cisco Systems, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.24) Gecko/20100228 Thunderbird/2.0.0.24 Mnenhy/0.7.6.0
MIME-Version: 1.0
To: Fernando Gont <fernando@gont.com.ar>
References: <4DB74CBD.2050003@gont.com.ar>
In-Reply-To: <4DB74CBD.2050003@gont.com.ar>
X-Enigmail-Version: 1.1.1
X-Face: *3w8NvnQ|kS~V{&{U}$?G9U9EJQ8p9)O[1[1F'1i>XIc$5FR!hdAIf5}'Xu-3`^Z']h0J* ccB'fl/XJYR[+, Z+jj`4%06nd'y9[ln&ScJT5S+O18e^
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [OPSEC] Fwd: New Version Notification for draft-gont-opsec-ip-options-filtering-01
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2011 03:10:59 -0000
Hi Fernando, I wanted to share some high-level comments on this I-D. I hope this is useful feedback. The great majority of this document as currently structured dives into details about fifteen IPv4 Options, assessing threat model -> impact if blocked -> advise. I think that the threat -> impact -> advise is a good model. However, this flow seems to make some strong underlying assumptions: 1. It may assume that the current state is that options are not blocked. But currently, IP optioned packets do not have unfiltered success in the Internet: http://www.ietf.org/mail-archive/web/int-area/current/msg02334.html http://www.ietf.org/mail-archive/web/int-area/current/msg02360.html 2. It assumes that devices (i.e., routers) have the capability to filter IP optioned packets with the per-option-value granularity. This might not generally be the case. 3. It assumes that a desired granularity is to filter at the option level, generally. This might result in increased and unjustified OpEx, and an operator might chose to simply make a blanked determination, even when the capability to filter per-option might exist. Additionally, 4. There may be more than "filter" versus "not-filter" options. Some platforms support ignoring IP options (i.e., acting as if an IP Optioned packet did not have options), and that is a potential recommendation. 5. Doing an enumeration of all options would either need to be exhaustive (and it appears that the document does not contain all option values from <http://www.iana.org/assignments/ip-parameters>, e.g., 147), or provide a catch-all final else clause in the conditional. This is also solved by providing a non-per-option-value discussion. Based on this, I believe that a document about ip-options-filtering should start at a much higher level discussing coarse granularity (less opex) options, as well as reasons for a perceived current state. There are operational considerations to doing per-option-value filtering versus generic option filtering or ignoring, and I believe those should be discussed early on on the document. Some more specific comments: I suspect that the phrase "IP Options filtering" that is used throughout the doc can be a bit ambiguous. The options are not filtered, the whole optioned datagram is. The intended status listed is BCP, and I wonder if that is what this document is providing. More than a current practice (which arguably is to filter or ignore without looking at the option value, modulo exceptions), it appears to provide Information about impact of filtering particular options. The first sentence of Section 3, "Router manufacturers tend to do IP option processing on the main processor, rather than on line cards", speaks to specific router distributed architecture, and I think it might be oversimplifying the current state. For EOO and NOOP, the advise is to: No security issues are known for this option, other than the general security implications of IP options discussed in Section 2. But I think that the general implications are the most important part of this document but are minimal. The document does not describe what the resulting disposition of a packet with many options should be. Nits: There seems to be an inconsistency with the timestamp option: The timestamp option has a number of security implications. Among them are: ... No security issues are known for this option, other than the general security implications of IP options discussed in Section 2. The short title is "IPv4 Security Assessment". There I hope these comments are clear, please do let me know anything that does not parse, I hope this is useful. Thanks, -- Carlos. On 4/26/2011 6:52 PM, Fernando Gont wrote: > Folks, > > We have published a revision of our I-D "IP Options Filtering > Recommendations". It is available at: > http://tools.ietf.org/html/draft-gont-opsec-ip-options-filtering-01 > > Publication of this document had been suggested at the Hiroshima IETF. > Version -00 had expired a while ago, and I decided to invest some time > and bring this document back to life. This time with much help from Ran > Atkinson, who is co-authoring this latest rev. > > Any comments will be welcome. > > Thanks! > > Best regards, > Fernando > > > > > -------- Original Message -------- > Subject: New Version Notification for > draft-gont-opsec-ip-options-filtering-01 > Date: Tue, 26 Apr 2011 15:31:13 -0700 (PDT) > From: IETF I-D Submission Tool <idsubmission@ietf.org> > To: fernando@gont.com.ar > CC: rja.lists@gmail.com > > > A new version of I-D, draft-gont-opsec-ip-options-filtering-01.txt has > been successfully submitted by Fernando Gont and posted to the IETF > repository. > > Filename: draft-gont-opsec-ip-options-filtering > Revision: 01 > Title: IP Options Filtering Recommendations > Creation_date: 2011-04-27 > WG ID: Independent Submission > Number_of_pages: 26 > > Abstract: > This document document provides advice on the filtering of packets > based on the IP options they contain. Additionally, it discusses the > operational and interoperability implications of such filtering. > > > > > The IETF Secretariat. > > > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec >
- [OPSEC] Fwd: New Version Notification for draft-g… Fernando Gont
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Smith, Donald
- Re: [OPSEC] Fwd: New Version Notification for dra… Smith, Donald
- Re: [OPSEC] Fwd: New Version Notification for dra… Fernando Gont
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Fernando Gont
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Fernando Gont
- Re: [OPSEC] Fwd: New Version Notification for dra… Carlos Pignataro
- Re: [OPSEC] Fwd: New Version Notification for dra… Smith, Donald
- Re: [OPSEC] Fwd: New Version Notification for dra… Smith, Donald
- Re: [OPSEC] Fwd: New VersionNotification for draf… Panos Kampanakis
- [OPSEC] ietf-opsec-icmp-filtering (Was: New Versi… Carlos Pignataro
- Re: [OPSEC] Fwd: New VersionNotification for draf… Fernando Gont
- Re: [OPSEC] Fwd: New VersionNotification for draf… Smith, Donald
- Re: [OPSEC] Fwd: New VersionNotification for draf… Smith, Donald