IETF Logo Mail Archive

Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

Fernando Gont <fgont@si6networks.com> Tue, 19 August 2014 17:19 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C49E31A04E9; Tue, 19 Aug 2014 10:19:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJX9yc70ZEZf; Tue, 19 Aug 2014 10:19:43 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C57D1A048D; Tue, 19 Aug 2014 10:19:43 -0700 (PDT)
Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from <fgont@si6networks.com>) id 1XJn4N-0005F5-QH; Tue, 19 Aug 2014 19:19:40 +0200
Message-ID: <53F386F2.2060900@si6networks.com>
Date: Tue, 19 Aug 2014 14:18:42 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Jeroen Massar <jeroen@massar.ch>, IPv6 Operations <v6ops@ietf.org>
References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F37C72.6040406@si6networks.com> <53F37FE6.6080306@massar.ch>
In-Reply-To: <53F37FE6.6080306@massar.ch>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/RimQwB_x7N0H8ZJ308aL6T2kl4k
Cc: "'opsec@ietf.org'" <opsec@ietf.org>, Nick Hilliard <nick@foobar.org>
Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 17:19:45 -0000

On 08/19/2014 01:48 PM, Jeroen Massar wrote:
>> Should we include something alng this lines to the countermeasures
>> listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking
>> about something else?
> 
> While it kind-of has a place there, (ipv6-ehs-in-real-world) is a
> "current state of the Internet" regarding this problem, it thus
> introduces the problem.
> 
> Hence, a short, separate document which updates ICMPv4 + ICMPv6
> referencing that draft would be more appropriate IMHO.

Ok, makes sense.



>>> Hence, why it is a good idea to do the same checks for IPv4 too
>>> and why I avoid mentioning what kind of attack it was solving.
>>> It is just good hygiene to check validity of things.
>>
>> FWIW, I had posted this thingy a while ago:
>> <http://www.gont.com.ar/papers/filtering-of-icmp-error-messages.pdf>
>> -- essentially BCP38 on the ICMPv4 payload..
> 
> aka RFC 5927, though only informational even though it went through WG
> review it seems.

It took 7 years to publish... and not because of slacking. It was
insane. :-)

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email