IETF Logo Mail Archive

Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filtering-03

"C. M. Heard" <heard@pobox.com> Fri, 06 October 2017 04:02 UTC

Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7AC513304B for <opsec@ietfa.amsl.com>; Thu, 5 Oct 2017 21:02:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.21
X-Spam-Level:
X-Spam-Status: No, score=-0.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com; domainkeys=pass (1024-bit key) header.from=heard@pobox.com header.d=pobox.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSXdVWHkVWyX for <opsec@ietfa.amsl.com>; Thu, 5 Oct 2017 21:02:20 -0700 (PDT)
Received: from sasl.smtp.pobox.com (pb-smtp2.pobox.com [64.147.108.71]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E501D1331E7 for <opsec@ietf.org>; Thu, 5 Oct 2017 21:02:19 -0700 (PDT)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 7BEC2A91A5 for <opsec@ietf.org>; Fri, 6 Oct 2017 00:02:18 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sasl; bh=wbtSTRekh683Z6FZNNotwddDbK0=; b=m9Dw/1 twtp8HhJF5LMYdtqbTkZL6E0kkrvfaIK4Br0uL+5UMRp5QUAB744mivCFL5or9ET KvE+e3/ru0e3aM3snmjjmPZOjjgXHbl91WNJPsth4zPHS4pqKQfczkfEwy/zLOkp 85QALgNX2GFCLqOMclm5G6rNjVP5sVPQbXHgY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; q=dns; s=sasl; b=aSEyClrXujNLzOjOlpJmMGqdUxKOT/nR Se+lm1dONpkGgLD+yotFHfH7KRfSVSJxkcFbc4nidf1SR66na6GconLTx6tA2rYX yWtkwO58Trmjh9Fu6wIoZv4SOYsr9aaoGARNZY0Lmf8Wmrj7DRtlJNULLOxv3S8G bRgdM58wjBo=
Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 74266A91A2 for <opsec@ietf.org>; Fri, 6 Oct 2017 00:02:18 -0400 (EDT)
Received: from mail-qk0-f180.google.com (unknown [209.85.220.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id C5F0BA919F for <opsec@ietf.org>; Fri, 6 Oct 2017 00:02:17 -0400 (EDT)
Received: by mail-qk0-f180.google.com with SMTP id x82so6846173qkb.12 for <opsec@ietf.org>; Thu, 05 Oct 2017 21:02:17 -0700 (PDT)
X-Gm-Message-State: AMCzsaXrtwMatsOcp5711SDRxNVwmN0o3JKILOneACuTHLjl43EeLMT+ SWlwLg7ASjZMHuQmc5K7j5dBGhZaGgvvyCGmQVU=
X-Google-Smtp-Source: AOwi7QDTMgpVQbQM/YkPzWeB4DCCuDu1F8J9S50qhKEgALykZhTSAfcw9CTG8ETuIFnqEaKLMYUha4Dv5yI+c2cyGMQ=
X-Received: by 10.55.170.15 with SMTP id t15mr24643423qke.232.1507262537205; Thu, 05 Oct 2017 21:02:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.18.130 with HTTP; Thu, 5 Oct 2017 21:01:56 -0700 (PDT)
In-Reply-To: <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com>
From: "C. M. Heard" <heard@pobox.com>
Date: Thu, 05 Oct 2017 21:01:56 -0700
X-Gmail-Original-Message-ID: <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com>
Message-ID: <CACL_3VFSHqU-D+NJu=k2-p4tbjZukT7i7WEoX+5kdUtdHB4Rjw@mail.gmail.com>
To: Ron Bonica <rbonica@juniper.net>
Cc: OPSEC <opsec@ietf.org>, Joe Touch <touch@strayalpha.com>, Bob Hinden <bob.hinden@gmail.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c0635661d0f57055ad8e8c9"
X-Pobox-Relay-ID: 2501FB72-AA4B-11E7-ABB0-575F0C78B957-06080547!pb-smtp2.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/HJ7sr1bBLW4BoP425WJMkk_-BKs>
Subject: Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filtering-03
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Oct 2017 04:02:23 -0000

Hello Ron,

I think that the direction you propose will make this a much better
document. Modulo details it would certainly address my concerns.

I do however have come comments to make about router self-protection. RFC
6192 is all about a router filtering traffic addressed to itself, i.e.,
what it should process in its role as a host. A very restrictive "white
list" policy ( as outlined in RC 6192) is quite in order there. If there is
no need or use for extension headers for traffic destined to the control
plane, a very restrictive policy of dropping all packets addressed to the
control place hat have extension headers may indeed be in order.

It's a very different story, I think, for what a router does to protect
itself in its role as forwarding device.  There, if it complies with RFC
8200, the Hop-by-Hop Options header is the only one that can hurt it, if it
is able to forward at line rate at all. The choice boils down to whether to
process all, some, or no packets with Hop-by-Hop options. I think that we
need to loudly broadcast that ignoring all HbH Options headers is a
legitimate policy for this purpose, but dropping all packets with HbH
Options is not. If we can sell this to the world, it may be possible to
actually use the HbH options header, and get rid of abominations such as
the CONEX Destination Option.

The way you characterize the proposed second section sounds right on the
money to me.

I support your proposed way forward. Thank you.

Mike Heard

On Thu, Oct 5, 2017 at 11:04 AM, Ron Bonica <rbonica@juniper.net> wrote:

> Mike,
>
>
>
> I think that you just struck the note that Fernando and I missed. Transit
> routers filter extension headers for one of the following reasons:
>
>
>
> -          To protect themselves (as in RFC 6192)
>
> -          To protect downstream devices
>
>
>
> Therefore, the document should contain two clearly marked sections, one
> regarding EH filtering policies that protect the transit router and one
> regarding EH filtering policies that protect downstream devices.
>
>
>
> The first section can:
>
>
>
> -          Be very short (2 pages max)
>
> -          Be guided largely by RFC 8200
>
> -          Speak with some degree of authority (while still INFORMATIONAL)
>
>
>
> The second section should begin with a discussion of the relationship
> between the transit router and the downstream devices. Let’s assume that
> the transit router belongs to an ISP, while downstream devices fall into
> the following three classes:
>
>
>
> 1)      Belong to the ISP
>
> 2)      Belong to parties who want to be protected by the ISP (e.g., its
> customers)
>
> 3)      Belong to other parties
>
>
>
> Therefore, the transit router MAY discard packets that pose a threat to
> the first two classes of downstream device, but MUST NOT discard packets
> that are required by the third class of downstream device.
>
>
>
> From this point, we formulate a policy that **might** satisfy the above
> mentioned requirement. We mark this policy with the following caveats:
>
>
>
> -          It is a best guess
>
> -          If the policy is too permissive, downstream devices belonging
> to the ISP and those who it protects will not receive all of the protection
> possible
>
> -          If the policy is too restrictive, downstream devices belonging
> to other parties will experience collateral damage
>
> -          One size doesn’t fit all
>
>
>
> If we were to rework the document into this shape, would it address your
> concerns.
>
>
>
>                                                                Ron
>
>
>
>
>
>
>
> *From:* OPSEC [mailto:opsec-bounces@ietf.org] *On Behalf Of *C. M. Heard
> *Sent:* Wednesday, October 4, 2017 11:08 PM
> *To:* OPSEC <opsec@ietf.org>
> *Subject:* Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filtering-03
>
>
>
> On Thu, 5 Oct 2017 11:10:06 +1300, Brian E Carpenter wrote:
>
> > On 05/10/2017 02:12, Joe Touch wrote:
>
> >
>
> >> On 9/29/2017 1:12 AM, Van De Velde, Gunter (Nokia - BE/Antwerp) wrote:
>
> >>>
>
> >>> This is to open a two week WGLC
>
> >>> for https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering-03
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dopsec-2Dipv6-2Deh-2Dfiltering-2D03&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=pDMOABefbu8JHcDH3rcHvzOABmSLo8X0KGbiPvLqnpA&s=M7xHnDuuJxhA21iLVXO_-AZjAhvXwgaN__niQRcoBwc&e=>
> .
>
> >>>
>
> >>
>
> >> I do not agree with the claims of this document. It "informationally"
>
> >> advises against support for key IPv6 capabilities and undermines the
>
> >> extensibility of IPv6 by making recommendations about discarding
>
> >> currently unassigned codepoints.
>
> >
>
> > Here's the problem, Joe. It's a fact of life that many firewalls
>
> > discard a lot of stuff that they shouldn't - that's why we wrote
>
> > RFC 7045 - but in the real world, operators blunder around based
>
> > on folklore and vendors' defaults. We can't change any of that, but
>
> > we can try to issue sensible advice that, overall, will limit the
>
> > resulting breakage. IMHO this document, positioned correctly as
>
> > Informational, will do that: on balance, it makes the world a better
>
> > place.
>
>
>
> I am afraid that I do not agree that the document, in its present form,
>
> will do that. It says:
>
>
>
>    The filtering policy typically depends on where in the network such
>
>    policy is enforced: when the policy is enforced in a transit network,
>
>    the policy typically follows a "black-list" approach, where only
>
>    packets with clear negative implications are dropped.  On the other
>
>    hand, when the policy is enforced closer to the destination systems,
>
>    the policy typically follows a "white-list" approach, where only
>
>    traffic that is expected to be received is allowed.  *The advice in*
>
> *   this document is aimed only at transit routers that may need to*
>
> *   enforce a filtering policy based on the EHs and IPv6 options a packet*
>
> *   may contain, following a "black-list" approach, and hence is likely*
>
> *   to be much more permissive that a filtering policy to be employed*
>
> *   e.g. at the edge of an enterprise network.*  The advice in this
>
>    document is meant to improve the current situation of the dropping of
>
>    packets with IPv6 EHs in the Internet [RFC7872 <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7872&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=pDMOABefbu8JHcDH3rcHvzOABmSLo8X0KGbiPvLqnpA&s=KqV5UiI6Ie51NtocuTw9zMCtHX8aMheboGCPVCzdepA&e=>].
>
>
> while at the same time promoting a ***default deny*** policy with
>
> respect to unrecognized options and unrecognized extension headers.
>
> That is antithetical to the mission of a ***transit router***, which
>
> is to get packets transparently from point A to point B. It is
>
> especially egregious to dispense this advice for unrecognized
>
> extension headers, since they are indistinguishable from unrecognized
>
> transport protocols. If these things are blocked by ***transit routers***
>
> it becomes  impossible to deploy any new options or transport protocols.
>
> But we already know that, don't we?
>
>
>
> If we want to give constructive advice that really will make the
>
> world a better place, we should:
>
>
> 1.) Advise operators of ***transit routers*** to be transparent to
>
> everything other than the Hop-by-Hop extensions header, and provide
>
> detailed advice on what to do (based on the updates in RFC 8200)
>
> about Hop-by-Hop options. The default should be IGNORE unless there
>
> is an option you need to process.
>
>
> 2.) Reserve all the detailed filtering advicee for operators of
>
> firewalls, enterprise routers, and other systems whose mission it
>
> is to protect the end systems behind them (or to prevent misbehavior
>
> by said end systems). A default deny for unrecognized stuff is not
>
> unreasonable for such systems.
>
>
> 3.) Remind implementors of the following requirement from RFC 7045:
>
>
>    Forwarding nodes MUST be configurable to allow packets containing
>
>    unrecognised extension headers, but the default configuration MAY
>
>    drop such packets.
>
>
> and add similar advice for options.
>
>
> Thanks and regards,
>
>
> Mike Heard
>
>

v2.23.0 | Report a Bug | By Email