IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

"C. M. Heard" <heard@pobox.com> Mon, 09 February 2015 06:08 UTC

Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E95541A006D for <opsec@ietfa.amsl.com>; Sun, 8 Feb 2015 22:08:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BxCBgGGL_AJ0 for <opsec@ietfa.amsl.com>; Sun, 8 Feb 2015 22:08:58 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B42EE1A006F for <opsec@ietf.org>; Sun, 8 Feb 2015 22:08:56 -0800 (PST)
Received: (qmail 27498 invoked from network); 8 Feb 2015 22:02:04 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 8 Feb 2015 22:02:04 -0800
Date: Sun, 08 Feb 2015 22:02:04 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: Pete Resnick <presnick@qti.qualcomm.com>
In-Reply-To: <54D83FCE.4070804@qti.qualcomm.com>
Message-ID: <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/PBOpK0aySJZLdL6T-urCT8_6Mj4>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 06:09:00 -0000

On Sun, 8 Feb 2015, Pete Resnick wrote:
> On 2/8/15 11:01 PM, Ted Lemon wrote:
> > Can you explain, in detail, what a DHCPv6 packet would look like that would
> > get past a filter because either it used unknown extension headers, or an
> > unknown protocol header?
> >    
> 
> Better yet, could you give an example packet with a fake new extension header
> that a middlebox would think is not a DHCPv6 packet, but in fact is?

Not with a fake extension header, but with a real one.  Suppose:

- A new extension header is defined that make sense to sandwich in 
  front of a DHCPv6 packet (not all do; some extension headers are 
  required to have a next header value of "no next header")

- This extension header is unknowm to a DHCPv6-Shield implementation

- This is extension header is known and considered valid by a host 
  that DHCPv6-Shield implementation is trying to protect

If I correctly understand Ted's position, he is saying that a 
DHCPv6-Shield implementation should unconditionally pass a packet 
containing a next header value it does not recognize.  In that case, 
a DHCPv6 packet containing the hypothesized new extension header 
described above would pass through the DHCPv6-Shield implementation 
and be processed by the host.

The current DHCPv6-Shield draft (and the variant language I proposed 
a few messages back) takes the position that whether a DHCPv6-Shield 
implementation passes a packet with an unknown next header value 
must be a user configurable option.  Some users may consider the 
above scenario too improbable to worry about and configure packets 
with unknown next header values to be passed.  Other users of a more 
paranoid persuation may have a different point of view.

Sorry, I said I was going to shut up.  Now I will.

//cmh

v2.23.0 | Report a Bug | By Email