Re: [OPSEC] FW: I-D Action: draft-ietf-opsec-dhcpv6-shield-07.txt
Fernando Gont <fgont@si6networks.com> Mon, 06 July 2015 19:51 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6033F1A8847; Mon, 6 Jul 2015 12:51:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mMxfC6dB4jBO; Mon, 6 Jul 2015 12:51:25 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 154B31A8746; Mon, 6 Jul 2015 12:51:25 -0700 (PDT)
Received: from [186.137.82.224] (helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZCCQB-0000C9-92; Mon, 06 Jul 2015 21:51:19 +0200
Message-ID: <559ADA13.4050709@si6networks.com>
Date: Mon, 06 Jul 2015 16:42:11 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "C. M. Heard" <heard@pobox.com>, joel jaeggli <joelja@bogus.com>
References: <Pine.LNX.4.64.1506010905270.7187@shell4.bayarea.net> <559045AF.9060607@bogus.com> <CACL_3VEEitM-QnJxPmRE4nz5ALdRqfvxEiBXMg2m5fAoXfsk1A@mail.gmail.com>
In-Reply-To: <CACL_3VEEitM-QnJxPmRE4nz5ALdRqfvxEiBXMg2m5fAoXfsk1A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/TcO5k5pUaxbCCgjaa7-tBJN4_6Q>
Cc: "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, OPSEC <opsec@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Gunter Van de Velde <gunterv.velde@huawei.com>
Subject: Re: [OPSEC] FW: I-D Action: draft-ietf-opsec-dhcpv6-shield-07.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 19:51:29 -0000
On 07/04/2015 06:14 PM, C. M. Heard wrote: >> sorry for the delay, imho section 5 bullet 3 I think preserves the >> document's intent. There was substantial dicussion in the IESG >> respecting the handling of unknown or unparasable header chains that >> resulted in the slouch towards the text as you see it today. > > The text in bullet 3 does a fine job of saying how to handle unrecognized > Next Header values. However, it does NOT say what to do when receiving > a DHCPv6 packet meant for a DHCPv6 client. In -05 (the version that was > the subject of intense discussion), bullet 3 did contain such instructions: > "When parsing the IPv6 header chain, if the packet is identified to be a > DHCPv6 packet meant for a DHCPv6 client or the packet contains an > unrecognized Next Header value, DHCPv6-Shield MUST drop the > packet […]." Pete Resnick's ballot comments suggested splitting this > bullet up into two parts. The part dealing with unrecognized Next Header > values made it into -07; the part dealing with DHCPv6 packets meant for > DHCPv6 clients did not. You're 100% correct. > The remedy I propose is to include the omitted part of Pete's suggested > text, as follows: > > OLD: > 3. DHCPv6-Shield MUST provide a configuration knob that controls > whether packets with unrecognized Next Header values are dropped; > this configuration knob MUST default to "drop". When parsing the > IPv6 header chain, if the packet contains an unrecognized Next > Header value and the configuration knob is configured to "drop", > DHCPv6-Shield MUST drop the packet, and ought to log the packet > drop event in an implementation-specific manner as a security > fault. > > RATIONALE: An unrecognized Next Header value could possibly > identify an IPv6 Extension Header, and thus be leveraged to > conceal a DHCPv6-server packet (since there is no way for > DHCPv6-Shield to parse past unrecognized Next Header values > [I-D.gont-6man-rfc6564bis]). [RFC7045] requires that nodes be > configurable with respect to whether packets with unrecognized > headers are forwarded, and allows the default behavior to be > that such packets be dropped. > > 4. In all other cases, DHCPv6-Shield MUST pass the packet as usual. > NEW: > 3. DHCPv6-Shield MUST provide a configuration knob that controls > whether packets with unrecognized Next Header values are dropped; > this configuration knob MUST default to "drop". When parsing the > IPv6 header chain, if the packet contains an unrecognized Next > Header value and the configuration knob is configured to "drop", > DHCPv6-Shield MUST drop the packet, and ought to log the packet > drop event in an implementation-specific manner as a security > fault. > > RATIONALE: An unrecognized Next Header value could possibly > identify an IPv6 Extension Header, and thus be leveraged to > conceal a DHCPv6-server packet (since there is no way for > DHCPv6-Shield to parse past unrecognized Next Header values > [I-D.gont-6man-rfc6564bis]). [RFC7045] requires that nodes be > configurable with respect to whether packets with unrecognized > headers are forwarded, and allows the default behavior to be > that such packets be dropped. > > 4. When parsing the IPv6 header chain, if the packet is identified > to be a DHCPv6 packet meant for a DHCPv6 client, DHCPv6-Shield > MUST drop the packet, and ought to the packet drop event in an > implementation-specific manner as a security alert. > > 5. In all other cases, DHCPv6-Shield MUST pass the packet as usual. > END. This is how we've fixed the document, with the addition of a "RATIONALE" in bullet 4. Thanks so much! -- You've done a lot in keeping this document correct. Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-shiel… internet-drafts
- Re: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-s… C. M. Heard
- Re: [OPSEC] FW: I-D Action: draft-ietf-opsec-dhcp… C. M. Heard
- Re: [OPSEC] I-D Action: draft-ietf-opsec-dhcpv6-s… Fernando Gont
- Re: [OPSEC] FW: I-D Action: draft-ietf-opsec-dhcp… Fernando Gont
- Re: [OPSEC] FW: I-D Action: draft-ietf-opsec-dhcp… C. M. Heard