Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Pete Resnick <presnick@qti.qualcomm.com> Mon, 09 February 2015 05:04 UTC

Message-ID: <54D83FCE.4070804@qti.qualcomm.com>
Date: Sun, 08 Feb 2015 23:04:14 -0600
From: Pete Resnick <presnick@qti.qualcomm.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com>
In-Reply-To: <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/Ns3yh5R3St9_ITgE-cXjCeG2RmI>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "C. M. Heard" <heard@pobox.com>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

On 2/8/15 11:01 PM, Ted Lemon wrote:
> On Feb 8, 2015, at 11:58 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>
>> A middlebox that is trying to flush out a specific type of
>> upper layer protocol (such as DHCPv6) needs to parse all extension
>> headers, including ones it doesn't understand, in case there is
>> an instance of the upper layer protocol behind it.
>>
>> In the real world, that means that such middleboxes, if they are
>> of the paranoid security persuasion, will discard packets that,
>> as far as they are concerned, are unparseable.
>
> Can you explain, in detail, what a DHCPv6 packet would look like that would get past a filter because either it used unknown extension headers, or an unknown protocol header?

Better yet, could you give an example packet with a fake new extension 
header that a middlebox would think is not a DHCPv6 packet, but in fact is?

pr

-- 
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
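The packet Pete asks for, worked through as an added example (editor's illustration, not code from the draft, from the thread's participants, or from any DHCPv6-Shield implementation). The block builds a DHCPv6 ADVERTISE three ways: plain IPv6/UDP, behind a Destination Options header, and behind Next Header value 253 (the RFC 4727 experimental value, standing in for an extension header the middlebox has never seen). It then runs a DHCPv6-Shield-style classifier over each with the three things a middlebox can do on an unknown header: drop it (Brian's "paranoid" middlebox), pass it unparsed, or gamble that it follows the RFC 6564 uniform format and keep walking the chain. Assumptions made here that the page does not state: a server-to-client DHCPv6 message is recognized by UDP source port 547, the sample addresses and transaction id are constructed, and the classifier's exact fragment and AH handling is this example's own, not the draft's.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers) used by the classifier.
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS, NH_MOBILITY = 0, 43, 44, 51, 60, 135
NH_TCP, NH_UDP, NH_ICMPV6, NH_NONE = 6, 17, 58, 59
# RFC 4727 reserves 253 for experiments; it stands in here for a header the shield has never seen.
NH_EXPERIMENTAL = 253
# Extension headers whose second octet is HdrExtLen in 8-octet units, not counting the first 8.
UNIFORM_EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS, NH_MOBILITY}
UPPER_LAYER = {NH_TCP, NH_UDP, NH_ICMPV6, NH_NONE}
DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546

# Constructed link-local addresses for the sample packets (assumption, not from the thread).
SRC = bytes.fromhex("fe800000000000000000000000000001")
DST = bytes.fromhex("fe800000000000000000000000000002")


def ipv6(next_header, payload, src=SRC, dst=DST):
    """Fixed IPv6 header (version 6, hop limit 64) in front of payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def udp(sport, dport, payload):
    """UDP header with the checksum left at zero; the shield never verifies it."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def dhcpv6(msg_type, xid=0x123456):
    """Minimal DHCPv6 message: msg-type octet plus 3-octet transaction-id, no options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big")


def ext_header(next_header, body=b""):
    """Extension header in the RFC 6564 uniform format, padded to an 8-octet boundary."""
    data = body + b"\x00" * (-(len(body) + 2) % 8)
    return bytes([next_header, (2 + len(data)) // 8 - 1]) + data


def classify(packet, server_facing, unknown_policy="drop"):
    """Decide what a DHCPv6-Shield-style filter does with one IPv6 packet.

    unknown_policy selects the middlebox behaviour on a Next Header value it does
    not know: "drop" (the paranoid middlebox Brian describes), "pass" (let it
    through unparsed) or "assume-uniform" (gamble that it follows RFC 6564 and
    keep walking the chain).  Returns "FORWARD" or "DROP: <reason>".
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "DROP: not IPv6"
    nh, off = packet[6], 40
    while nh not in UPPER_LAYER:
        if off + 2 > len(packet):
            return "DROP: truncated header chain"
        if nh in UNIFORM_EXT_HEADERS:
            hdr_len = (packet[off + 1] + 1) * 8
        elif nh == NH_AH:
            hdr_len = (packet[off + 1] + 2) * 4          # AH length is in 4-octet units minus 2
        elif nh == NH_FRAGMENT:
            if off + 8 > len(packet):
                return "DROP: truncated header chain"
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3 != 0:
                return "FORWARD"                          # non-first fragment: no upper-layer header here
            hdr_len = 8
        elif unknown_policy == "drop":
            return f"DROP: unrecognized Next Header {nh}"
        elif unknown_policy == "pass":
            return "FORWARD"
        else:
            hdr_len = (packet[off + 1] + 1) * 8           # "assume-uniform": treat it like RFC 6564
        nh, off = packet[off], off + hdr_len
        if off > len(packet):
            return "DROP: truncated header chain"
    if nh != NH_UDP:
        return "FORWARD"
    if off + 8 > len(packet):
        return "DROP: truncated UDP header"
    sport, _dport = struct.unpack("!HH", packet[off:off + 4])
    # Assumption for this example: a server-to-client DHCPv6 message is recognized by source port 547.
    if sport == DHCPV6_SERVER_PORT and not server_facing:
        return "DROP: DHCPv6 server message on non-server-facing port"
    return "FORWARD"


# Constructed sample packets: a DHCPv6 ADVERTISE (msg-type 2) from a rogue server,
# sent plain, behind a Destination Options header, and behind the "new" header 253.
ADVERTISE = udp(DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT, dhcpv6(2))
SOLICIT = udp(DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT, dhcpv6(1))   # client message, msg-type 1
PADN = bytes([1, 4, 0, 0, 0, 0])                                    # PadN option filling 6 octets
PLAIN = ipv6(NH_UDP, ADVERTISE)
BEHIND_DSTOPTS = ipv6(NH_DSTOPTS, ext_header(NH_UDP, PADN) + ADVERTISE)
BEHIND_UNKNOWN = ipv6(NH_EXPERIMENTAL, ext_header(NH_UDP) + ADVERTISE)
CLIENT_MSG = ipv6(NH_UDP, SOLICIT)

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("dstopts", BEHIND_DSTOPTS), ("unknown", BEHIND_UNKNOWN), ("solicit", CLIENT_MSG)]
    for name, pkt in samples:
        for policy in ("drop", "pass", "assume-uniform"):
            print(f"{name:8s} untrusted port, unknown={policy:14s} -> {classify(pkt, False, policy)}")
    print(f"plain    server-facing port           -> {classify(PLAIN, True)}")
```

The only row where the ADVERTISE reaches the client from an untrusted port is the unknown header with the "pass" policy; "drop" rejects it as unparseable, and "assume-uniform" finds the UDP header behind it and rejects it as a server message. For that "pass" row to be the packet Pete asks for, the receiving host would itself have to implement header 253: a host that does not recognize a Next Header value discards the packet and sends an ICMPv6 Parameter Problem (RFC 2460, Section 4), so the scenario needs an attacker and a victim that both speak the new header while the middlebox does not.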