Re: [OPSEC] review draft-gont-opsec-icmp-ingress-filtering-02

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Sat, 16 July 2016 05:01 UTC

From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Joel Jaeggli <joelja@bogus.com>
Cc: "opsec@ietf.org" <OpSec@ietf.org>
Date: Sat, 16 Jul 2016 05:01:05 +0000
Message-ID: <A4EAEE73-0A10-4D5C-BC75-FED60C12DC2D@cisco.com>
In-Reply-To: <d56e3c89-500e-6411-b10c-0af42219c1c4@bogus.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/N1BZct0iZHeDosWrE42yeZ59TLs>

Hi,

I had not read this document before, but I’ll piggyback two quick additional comments:

1. Since this doc seems to (mostly) use IPv4 examples, it should likely cover IPv4 NAT implications (i.e., modifying the IP header but not the embedded header, or masking an attack because of the lack of a check).

2. Since RFC 4884, PS, updates both 792 and 4443, it seems important to also cover the multi-part messages (e.g., Figure 2).

Thanks!

— Carlos.

> On Jul 15, 2016, at 12:53 AM, joel jaeggli <joelja@bogus.com> wrote:
> 
> Greetings,
> 
> I reviewed this probably later than I should have after volunteering to
> do so.
> 
> The mechanism proposed in
> 
> draft-gont-opsec-icmp-ingress-filtering
> 
> is akin to a strict mode RPF check for the IP Destination header
> contained in an ICMP error message though in practical terms a device
> such as a firewall without recourse to a routing table would probably
> employ an access list for enforcement.
> 
> While similar to other antispoofing measures one can employ to prevent
> spoofed traffic with internal source addresses from ingressing a network
> it may be technically infeasible to implement in the same mediation
> devices e.g. routers or switches, a problem we also noted with icmp6
> payload inspection in RFC 7690 section 4.
> 
> I'm sympathetic generally to this draft; the section 5 implementation details
> could be rewritten more cleanly to suggest how it is implemented, e.g.
> 
>   IF    embedded packet's Destination Address is from within my network
>   THEN  forward as appropriate
> 
> The destination match is due to a learned route (which assumes some
> minimal level of path or routing symmetry, which firewalls tend to
> require anyway) or an access list.
> 
> Thanks
> joel
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec
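The "forward only if the embedded packet's destination is within my network" rule Joel sketches above, combined with the RFC 4884 multi-part handling Carlos asks for, as an added Python example that is not part of either message, the draft, or any vendor implementation. It assumes an access-list style check (a list of internal prefixes rather than a routing table), parses the RFC 4884 Length octet (byte 5 of ICMPv4 Destination Unreachable, Time Exceeded and Parameter Problem messages, in 32-bit words, 0 meaning a legacy message) to find where the embedded original datagram ends and any extension starts, and fails closed on anything malformed. The packets are constructed inline from RFC 5737 documentation addresses; checksums are left at zero because only parsing is shown, and NAT translation of the outer versus embedded header is not modelled, so which prefixes count as "my network" on a NAT boundary is left to the caller, which is exactly Carlos's open point.

```python
import ipaddress
import struct

# ICMPv4 error types that carry an embedded original datagram (RFC 792) and
# whose second 32-bit word carries the RFC 4884 Length octet at byte 5.
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
ICMP_PARAM_PROBLEM = 12
MULTIPART_TYPES = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}


def split_icmp_error(icmp):
    """Return (original_datagram, extensions) from a raw ICMPv4 error message.

    RFC 4884: Length (byte 5) is the size of the embedded datagram in 32-bit
    words; 0 means a legacy message where everything after the 8-byte ICMP
    header is the original datagram and there are no extensions.
    """
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    if icmp[0] not in MULTIPART_TYPES:
        raise ValueError("not an ICMP error type carrying an original datagram")
    body = icmp[8:]
    length_words = icmp[5]
    if length_words == 0:
        return body, b""
    n = length_words * 4
    if n > len(body):
        raise ValueError("RFC 4884 Length exceeds message")
    return body[:n], body[n:]


def embedded_destination(datagram):
    """Parse the embedded IPv4 header and return its destination address."""
    if len(datagram) < 20:
        raise ValueError("embedded IPv4 header truncated")
    if datagram[0] >> 4 != 4:
        raise ValueError("embedded datagram is not IPv4")
    return ipaddress.IPv4Address(datagram[16:20])


def should_forward(icmp, internal_prefixes):
    """Ingress check from the review: forward the ICMP error only if the
    embedded packet's Destination Address is from within my network.
    Anything unparsable is dropped (fail closed)."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    try:
        original, _extensions = split_icmp_error(icmp)
        dst = embedded_destination(original)
    except ValueError:
        return False
    return any(dst in net for net in nets)


# --- constructed sample packets (hypothetical helpers, not on-the-wire captures) ---

def build_ipv4_header(src, dst, proto=17, total_len=28):
    """Minimal 20-byte IPv4 header; checksum is zero since we only parse it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_icmp_error(embedded, icmp_type=ICMP_DEST_UNREACH, code=3, rfc4884=False):
    """ICMPv4 error wrapping `embedded`; with rfc4884=True the original datagram
    is padded to a 32-bit boundary and at least 128 octets, the Length octet is
    set, and a constructed 4-byte extension header (version 2, zero checksum)
    is appended, as RFC 4884 Figure 2 lays it out."""
    if not rfc4884:
        return struct.pack("!BBHBBH", icmp_type, code, 0, 0, 0, 0) + embedded
    padded_len = max(128, -(-len(embedded) // 4) * 4)
    padded = embedded + b"\x00" * (padded_len - len(embedded))
    extension = b"\x20\x00\x00\x00"  # constructed placeholder extension header
    return (struct.pack("!BBHBBH", icmp_type, code, 0, 0, padded_len // 4, 0)
            + padded + extension)


INTERNAL = ["192.0.2.0/24"]  # RFC 5737 documentation prefix standing in for "my network"

# Error about a packet that was heading to a host inside my network.
LEGACY_OK = build_icmp_error(build_ipv4_header("203.0.113.5", "192.0.2.10") + b"\x00" * 8)
# Same, but as an RFC 4884 multi-part message with a trailing extension.
MULTIPART_OK = build_icmp_error(build_ipv4_header("203.0.113.5", "192.0.2.10") + b"\x00" * 8,
                                rfc4884=True)
# Error whose embedded destination is not in my network: drop.
FOREIGN = build_icmp_error(build_ipv4_header("203.0.113.5", "198.51.100.7") + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("legacy", LEGACY_OK), ("multipart", MULTIPART_OK), ("foreign", FOREIGN)]:
        print(name, "forward" if should_forward(pkt, INTERNAL) else "drop")
```

Note that honouring the Length octet matters even though the embedded IPv4 header sits at the start of the body: without it, a parser that hands the whole body to a transport-layer decoder would treat the padding and the extension as datagram payload, and any further policy (port matching, flow lookup) would be run over the wrong bytes.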