Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 09 February 2015 04:58 UTC

Message-ID: <54D83E7F.3040207@gmail.com>
Date: Mon, 09 Feb 2015 17:58:39 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>, "C. M. Heard" <heard@pobox.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com>
In-Reply-To: <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/F2m9hTOhiL1sov8rGZ0b2cGLFQI>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>

On 09/02/2015 17:14, Ted Lemon wrote:
> On Feb 8, 2015, at 8:47 PM, C. M. Heard <heard@pobox.com> wrote:
>> Yes, but there is a situation in which it is not possible to make a 
>> positive identification where a given packet is or is not a DHCPv6 
>> packet.
> 
> Can you carefully describe in detail how this could happen?

Ted, I think we have to say Hi to the elephant in the corner of the
room. There is a fundamental flaw in the IPv6 design, which is that
there is no way, in the general case, to distinguish an unknown
extension header from an unknown upper layer protocol. Now this
doesn't matter too much in a middlebox-free Internet, since (with the
well-specified exception of the hop-by-hop header) nobody ever needs
to make that distinction, since unknowns cause a packet drop at the
destination anyway. Steve Deering told me in Vancouver that this is
just fine, because middleboxes are evil anyway. But that doesn't
wash. A middlebox that is trying to flush out a specific type of
upper layer protocol (such as DHCPv6) needs to parse all extension
headers, including ones it doesn't understand, in case there is
an instance of the upper layer protocol behind it.

In the real world, that means that such middleboxes, if they are
of the paranoid security persuasion, will discard packets that,
as far as they are concerned, are unparseable.

I'm afraid that IETF documents that don't recognise this fact of life
will not be taken seriously.

    Brian
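As an added example that is not part of the thread or of the draft, here is the header-chain walk that a DHCPv6-Shield style filter of the "paranoid" kind Brian describes would need. It looks for DHCPv6 server/relay traffic (UDP to port 546, the port DHCPv6 clients listen on; 547 is the server/relay port) behind any chain of extension headers, and shows the point where the parse fails: an unknown Next Header value may be an extension header with DHCPv6 behind it or an upper-layer protocol in its own right, and nothing on the wire distinguishes the two. The packets are constructed, the addresses are placeholders, and the handling of non-first fragments (pass, relying on RFC 7112's rule that the first fragment carries the whole header chain) is an assumption of this example rather than text from the draft.

```python
"""
Added example (not from the draft or the thread): walk an IPv6 header chain
looking for DHCPv6 server/relay messages, and report when the chain cannot
be parsed because an unknown Next Header value was reached first.
All sample packets below are constructed here, not captured traffic.
"""
import struct

# Extension headers laid out as: Next Header, Hdr Ext Len (8-octet units, not
# counting the first 8 octets), data. Hop-by-Hop (0), Routing (43),
# Destination Options (60), Mobility (135), HIP (139), Shim6 (140).
EXT_8OCTET = {0, 43, 60, 135, 139, 140}
FRAGMENT, ESP, AH, NO_NEXT_HEADER, UDP = 44, 50, 51, 59, 17
DHCPV6_CLIENT_PORT = 546   # clients listen here; servers/relays send to it
DHCPV6_SERVER_PORT = 547


def classify(pkt: bytes) -> str:
    """Walk the header chain of one IPv6 packet.

    Returns 'dhcpv6-server' (UDP to port 546, i.e. server/relay -> client),
    'other' (identified as something else), or 'unparseable' (chain truncated,
    or an unknown Next Header value reached before an upper-layer protocol).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "unparseable"
    nh, off = pkt[6], 40
    while True:
        if nh == UDP:
            if len(pkt) < off + 8:
                return "unparseable"
            _sport, dport = struct.unpack_from("!HH", pkt, off)
            return "dhcpv6-server" if dport == DHCPV6_CLIENT_PORT else "other"
        if nh in (NO_NEXT_HEADER, ESP):
            return "other"           # nothing parseable follows either of these
        if len(pkt) < off + 8:
            return "unparseable"     # every extension header is at least 8 octets
        if nh == FRAGMENT:
            nh_next, _res, frag = struct.unpack_from("!BBH", pkt, off)
            if frag >> 3:            # non-zero offset: not the first fragment
                # Assumption (RFC 7112): the whole header chain, and so the UDP
                # header, was in the first fragment, which was judged on its own.
                return "other"
            nh, off = nh_next, off + 8
        elif nh == AH:               # AH length is in 4-octet units, minus 2
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh in EXT_8OCTET:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            # Unknown value: an extension header defined after this code was
            # written (possibly with DHCPv6 behind it), or an upper-layer
            # protocol. The wire format does not say which.
            return "unparseable"


def shield_verdict(pkt: bytes, drop_unparseable: bool = True) -> str:
    """Policy of the 'paranoid' middlebox: drop DHCPv6 server traffic and,
    by default, anything it could not parse."""
    kind = classify(pkt)
    if kind == "dhcpv6-server" or (kind == "unparseable" and drop_unparseable):
        return "drop"
    return "pass"


# --- constructed sample packets (placeholder addresses, minimal payloads) ---

def ipv6(nh: int, payload: bytes) -> bytes:
    src = b"\xfe\x80" + b"\x00" * 14                   # fe80::
    dst = b"\xff\x02" + b"\x00" * 13 + b"\x01"         # ff02::1
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def dest_opts(nh: int) -> bytes:
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])            # 8 octets, one PadN option

def fragment(nh: int, offset: int, more: int, ident: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)

ADVERTISE = udp(DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT, b"\x02\x00\x00\x01")  # msg-type 2
SAMPLES = {
    "plain":         ipv6(UDP, ADVERTISE),
    "behind_dstopt": ipv6(60, dest_opts(UDP) + ADVERTISE),
    "first_frag":    ipv6(FRAGMENT, fragment(UDP, 0, 1, 0x1234) + ADVERTISE),
    "later_frag":    ipv6(FRAGMENT, fragment(UDP, 1, 0, 0x1234) + b"\x00" * 8),
    "dns":           ipv6(UDP, udp(5353, 53, b"\x00" * 12)),
    # 253 is reserved for experimentation; the bytes after it look like an
    # 8-octet extension header followed by DHCPv6, but the walker cannot know.
    "unknown_nh":    ipv6(253, bytes([UDP, 0, 0, 0, 0, 0, 0, 0]) + ADVERTISE),
    "truncated":     ipv6(60, b"\x11\x00"),
}

def run_samples() -> dict:
    return {name: (classify(p), shield_verdict(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (kind, verdict) in run_samples().items():
        print(f"{name:14s} {kind:14s} {verdict}")
```

The `unknown_nh` sample is the case the message is about: the same bytes would be a DHCPv6 Advertise if 253 were an extension header and something else entirely if it were a transport protocol, so the only choices are to drop it (`drop_unparseable=True`) or to let possible DHCPv6 traffic through.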