[OPSEC] review draft-gont-opsec-icmp-ingress-filtering-02

joel jaeggli <joelja@bogus.com> Fri, 15 July 2016 04:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/5QwOhtJpOjFyp6k5b9KnK4yJqo4>

Greetings,

I reviewed this probably later than I should have after volunteering to
do so.

The mechanism proposed in

draft-gont-opsec-icmp-ingress-filtering

is akin to a strict mode RPF check for the IP Destination header
contained in an ICMP error message though in practical terms a device
such as a firewall without recourse to a routing table would probably
employ an access list for enforcement.

While similar to other antispoofing measures one can employ to prevent
spoofed traffic with internal source addresses from ingressing a network
it may be technically infeasible to implement in the same mediation
devices e.g. routers or switches, a problem we also noted with icmp6
payload inspection in RFC 7690 section 4.

I'm sympathetic generally to this draft, section 5 implementation details
could be rewritten more cleanly to suggest how it is implemented. e.g.

   IF    embedded packet's Destination Address is from within my network
   THEN  forward as appropriate

The destination match is due to a learned route (which assumes some
minimal level of path or routing symmetry which firewalls tend to
require anyway); or an access list.

Thanks
joel
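One way to implement the check described in the message above (forward an ICMP error only if the embedded packet's Destination Address falls within my network), as an added example that is not part of this message or of the draft. The "my network" prefixes stand in for the learned routes or access list mentioned in the review, and the sample ICMPv4/ICMPv6 error messages are constructed; the example also rejects non-error ICMP types and truncated messages, which the draft text does not spell out.

```python
import ipaddress
import struct

# Constructed "my network" prefixes; they stand in for the learned routes or
# the access list the review mentions (an assumption, not from the draft).
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("2001:db8::/32")]

# ICMPv4 error types that carry the offending packet after the 8-byte header
# (Destination Unreachable, Source Quench, Redirect, Time Exceeded, Param Problem).
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}


def embedded_destination(icmp_msg: bytes, version: int):
    """Destination Address of the packet embedded in an ICMP error, else None."""
    if len(icmp_msg) < 8:
        return None
    icmp_type = icmp_msg[0]
    inner = icmp_msg[8:]                 # embedded IP header starts after ICMP header
    if version == 4:
        if icmp_type not in ICMPV4_ERROR_TYPES or len(inner) < 20:
            return None
        return ipaddress.ip_address(inner[16:20])    # IPv4 dst at offset 16
    if version == 6:
        if icmp_type >= 128 or len(inner) < 40:      # ICMPv6 errors have type < 128
            return None
        return ipaddress.ip_address(inner[24:40])    # IPv6 dst at offset 24
    raise ValueError("unsupported IP version")


def ingress_allows(icmp_msg: bytes, version: int) -> bool:
    """The check from the review: forward only if the embedded dst is mine."""
    dst = embedded_destination(icmp_msg, version)
    return dst is not None and any(dst in net for net in INTERNAL_PREFIXES)


def icmpv4_error(inner_src: str, inner_dst: str, icmp_type: int = 3) -> bytes:
    """Constructed sample: ICMPv4 error (checksum zeroed) + minimal IPv4 header."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(inner_src).packed,
                         ipaddress.IPv4Address(inner_dst).packed)
    return icmp_hdr + ip_hdr + b"\x00" * 8           # 8 bytes of original payload


def icmpv6_error(inner_src: str, inner_dst: str, icmp_type: int = 1) -> bytes:
    """Constructed sample: ICMPv6 error (checksum zeroed) + minimal IPv6 header."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    ip6_hdr = struct.pack("!IHBB16s16s", 0x60000000, 8, 17, 64,
                          ipaddress.IPv6Address(inner_src).packed,
                          ipaddress.IPv6Address(inner_dst).packed)
    return icmp_hdr + ip6_hdr + b"\x00" * 8
```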