IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Fernando Gont <fgont@si6networks.com> Sun, 08 February 2015 18:09 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A087E1A1B93; Sun, 8 Feb 2015 10:09:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S8lExwT2MseK; Sun, 8 Feb 2015 10:09:47 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB5581A1B71; Sun, 8 Feb 2015 10:09:47 -0800 (PST)
Received: from [186.134.12.169] (helo=[192.168.123.126]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1YKWIa-000155-Bf; Sun, 08 Feb 2015 19:09:37 +0100
Message-ID: <54D7A634.2070909@si6networks.com>
Date: Sun, 08 Feb 2015 15:08:52 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "C. M. Heard" <heard@pobox.com>, Ted Lemon <ted.lemon@nominum.com>, Joel Jaeggli <joelja@bogus.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net>
In-Reply-To: <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/827HDRZpTHrY11ZnJZDtPLIIunY>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "brian.e.carpenter@gmail.com" <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Feb 2015 18:09:52 -0000

Hi, Mike,

FWIW, I made exactly the same point during the IESG-review discussions
-- i.e., I agree 100% with what you've said.

IMO, the default should be "drop", since that's the more sensible option
from a security standpoint... and because RFC7045 (the RFC that
clarifies what to do with IPv6 EHs) allows us to do so.

Thanks,
Fernando




On 02/08/2015 12:37 AM, C. M. Heard wrote:
> On Sat, 7 Feb 2015, Ted Lemon wrote:
>> However, after discussing this at length with Fernando, I realized that
>> it was actually not at all necessary to filter unknown IPv6 headers.  
>> The reason for this is that we can safely assume that any IP extension
>> header that appears in a packet conforms to RFC 6564.   This means that
>> switches implementing DHCPv6 shield can at least in principle skip over
>> unknown IP extension headers.
> 
> That is incorrect because extension headers and upper layer headers 
> share a numbering space.  Upper layer headers do NOT follow the 
> format in RFC 6564.  That makes it in UNSAFE to attempt to skip over 
> an unknown next header value.  The decision to drop or pass must be 
> made when an unknown extension header is encountered.
> 
> Whether the default is drop or pass when encountering an unknown 
> next header value may be worth reconsidering.  However, I strongly 
> agree with Brian Carpenter that the normative reference to RFC 7045 
> should be retained, and with it the requirement that the behaviour 
> upon encountering an unknown next header value be user configurable.
> 
> Mike Heard
> 
> P.S.  For previous discussion please see:
> 
> http://www.ietf.org/mail-archive/web/opsec/current/msg01481.html
> http://www.ietf.org/mail-archive/web/v6ops/current/msg18529.html
> 
> and please note that RFC 7113 (RA-Guard) specifies the same 
> behaviour as does draft-ietf-opsec-dhcpv6-shield-05.
> 
> On Sat, 7 Feb 2015, Joel Jaeggli wrote:
>> Right one would expect future extension headers to match the TLV 
>> expectations of 6564. I can live with the removal of filtering 
>> advice but I'd like to see that run past the working group at the 
>> very least.
>>
>> Sent from my iPhone
>>
>>> On Feb 7, 2015, at 11:46, Ted Lemon <ted.lemon@nominum.com> wrote:
>>>
>>> Ted Lemon has entered the following ballot position for
>>> draft-ietf-opsec-dhcpv6-shield-05: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> http://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> When I began with this DISCUSS, my understanding was that in order to
>>> implement DHCPv6 Shield and be sure of stopping all DHCP packets, it
>>> would, as the document says, be necessary to filter packets with unknown
>>> IPv6 headers.   This would likely mean that the layer 2 switching fabric
>>> of a network supporting DHCPv6 shield would be unable to carry any IP
>>> packets containing not only unknown IP extension headers, but also
>>> packets containing unknown (to the switching fabric) protocol headers.  
>>> Consequently I suggested a fairly elaborate way to mitigate the risk
>>> without requiring that all such packets be filtered.
>>>
>>> However, after discussing this at length with Fernando, I realized that
>>> it was actually not at all necessary to filter unknown IPv6 headers.  
>>> The reason for this is that we can safely assume that any IP extension
>>> header that appears in a packet conforms to RFC 6564.   This means that
>>> switches implementing DHCPv6 shield can at least in principle skip over
>>> unknown IP extension headers.   If an unknown protocol header is seen,
>>> this will look to the switch like a malformed IP extension header, but
>>> this is harmless in the context of DHCPv6 shield because any such packet
>>> is by definition _not_ a DHCPv6 packet.   I believe that a switching
>>> fabric should not default to dropping packets it doesn't recognize,
>>> because this pretty much guarantees that new protocols can't be deployed
>>> even in site-specific situations.
>>>
>>> Therefore, I believe that this document should not only not require
>>> filtering unknown IP extension headers, but should not even mention
>>> filtering them.   It may be that some implementations may need to filter
>>> them for other reasons, but this is already allowed by RFC 7045, and
>>> therefore needn't be mentioned here.
>>>
>>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> This is the original text of this DISCUSS:
>>>
>>> This text makes sense, but I think it needs to be changed somewhat:
>>>
>>>   3.  When parsing the IPv6 header chain, if the packet is identified
>>>       to be a DHCPv6 packet meant for a DHCPv6 client or the packet
>>>       contains an unrecognized Next Header value, DHCPv6-Shield MUST
>>>       drop the packet, and SHOULD log the packet drop event in an
>>>       implementation-specific manner as a security alert.
>>>       DHCPv6-Shield MUST provide a configuration knob that controls
>>>       whether packets with unrecognized Next Header values are dropped;
>>>       this configuration knob MUST default to "drop".
>>>
>>>          RATIONALE: An unrecognized Next Header value could possibly
>>>          identify an IPv6 Extension Header, and thus be leveraged to
>>>          conceal a DHCPv6-server packet (since there is no way for
>>>          DHCPv6-Shield to parse past unrecognized Next Header values
>>>          [I-D.gont-6man-rfc6564bis]).  [RFC7045] requires that nodes be
>>>          configurable with respect to whether packets with unrecognized
>>>          headers are forwarded, and allows the default behavior to be
>>>          that such packets be dropped.
>>>
>>> I think it's worth considering whether the default setting for this
>>> configuration knob should be "drop" or "pass."   The problem with
>>> defaulting to "drop" is that it means that extension headers the DHCPv6
>>> Shield device does not understand fail to pass, which could cause
>>> operational problems.   The problem with not defaulting to "drop" you
>>> have already explained.   I do not think that the threat of DHCPv6
>>> spoofing is sufficient to justify defaulting to drop.   Yes, DHCPv6
>>> spoofing can cause operational issues.   So can filtering "unknown"
>>> headers.
>>>
>>> The frustrating thing about this document is that it actually solves the
>>> problem the wrong way.   What this document should recommend is filtering
>>> of DHCPv6 packets from _clients_.   If a rogue DHCP server can't see
>>> client multicasts because DHCPv6 shield is blocking them, then it can't
>>> know to attack DHCPv6 clients.   This substantially limits the rogue's
>>> ability to attack DHCPv6 clients on the local subnet.   If you combine
>>> that with server packet filtering but do not block unknown headers, I
>>> think you have achieved a good tradeoff between the problems caused by
>>> whatever spoofing might get to a client using an unknown header and the
>>> problems caused by blocking non-DHCP packets that use that unknown header
>>> for some legitimate purpose.
>>>
>>> So, realizing that this would be a major change, the way I would LIKE you
>>> to address this discuss is to add DHCPv6 client packet filtering.   You
>>> could also address it by changing the default for the unknown header
>>> filter, but I would understand if you felt that this was inadequate.   Or
>>> you could argue persuasively that I'm wrong, which has been known to
>>> happen. :)
>>>
>>>
>>> _______________________________________________
>>> OPSEC mailing list
>>> OPSEC@ietf.org
>>> https://www.ietf.org/mailman/listinfo/opsec
>>>
>>
>>
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
> 


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email