IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Fernando Gont <fgont@si6networks.com> Mon, 09 February 2015 19:10 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 313F81A8724; Mon, 9 Feb 2015 11:10:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEBvJAmHvKkO; Mon, 9 Feb 2015 11:10:18 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B18441A7029; Mon, 9 Feb 2015 11:10:12 -0800 (PST)
Received: from cl-1071.udi-01.br.sixxs.net ([2001:1291:200:42e::2]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1YKtia-0007u1-4C; Mon, 09 Feb 2015 20:10:00 +0100
Message-ID: <54D8F98D.1030101@si6networks.com>
Date: Mon, 09 Feb 2015 15:16:45 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>, "C. M. Heard" <heard@pobox.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com>
In-Reply-To: <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/UFhiWyqp5JrFwf7sV1w09sNiTlo>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 19:10:23 -0000

Ted,

Please let me describe a scenario for an attack that would work if we
don't enforce the filtering rules from the current version of the I-D.

Before getting into the specific details, please let me provide some
background.

** Background **

* As have been noted multiple times, IPv6 Extension Headers and
Transport Protocols share the same name space. Given an
unrecognized/unknown EH/Protocol type, there's no way for you to know
how to parse it: since it could be ether an EH, or a transport protocol.

* RFC6564 has a major flaw, since it defines a "unified format for EHs".
But per the above, it is impossible to tell when you should assume that
what follows is an EH (in RFC6564 format) or a new transport protocol.

* There's nothing that we can do to fix RFC6564 itself in this respect.
The only possible option is to replace RFC6564 with something such as:
<https://tools.ietf.org/id/draft-gont-6man-rfc6564bis-00.txt>.
Regardless of whether the IETF decides to fix this problem or not, the
problem is there.

* If you assume that an unrecognized header follows the format in
RFC6564, you will hurt the deployment of new transport protocols.

* RFC7045 is the current IETF advice on the topic. DHCPv6 shield
complies with it -- as noted a few times... even by Brian Carpenter
(co-author of the aforementioned document). If you disagree with what
DHCPv6-shield is currently doing, you're essentially disagreeing with
6man's advice on the topic.


** Attack scenario **

1) Let us assume that either a new EH that doesn't follow RFC6564 is
specified (since, as noted, RFC6564 doesn't buy you anything), or that
the proposal in draft-gont-6man-rfc6564bis-00 gets standardized, and
hence new EHs follow the EH format in that document.

2) Such EH, according to the rules you had proposed (namely "assume
RFC6564 for unrecognized headers"), would be passed/allowed, since it
would be considered a "transport protocol" rather than an EH.

3) Now, let us assume that such EH has been implemented by a target
host. An attacker could send a DHCPv6-server packet with includes one of
the aforementioned EHs. The DHCPv6-shiled device would (according to
your rules) pass this packet, and the target host would receive it.

4) As a result of the above, an attacker would have been able to sneak a
DHCPv6-server packet past the DHCPv6 shield device.


This is an attack vector we mean to block. The current version of
DHCPv6-shield would block it. If we were to modify the document as you
suggest, it wouldn't.

Thanks,
Fernando




On 02/09/2015 01:44 PM, Ted Lemon wrote:
> On Feb 9, 2015, at 11:11 AM, C. M. Heard <heard@pobox.com> wrote:
>> As I argue in 
>> http://www.ietf.org/mail-archive/web/opsec/current/msg01817.html, 
>> the switch opens itself up to DOS attacks if it assumes that any 
>> unknown header in the chain conforms to RFC 6564 and attempts to 
>> continue parsing the header chain.
> 
> Yes, you made this argument.   But how does this constitute a DoS attack?   You have a 1500 byte packet, and you have some kind of fast-path hardware that's trying to parse the packet. At some point it will either succeed or fail.   Most such hardware doesn't even look very far into the packet--maybe 256 bytes at most.
> 
> I asked you earlier in this conversation to describe a specific attack, not make general speculations.   Can you describe a specific attack here and explain why it is bad?   Remember that we are specifically talking about filtering DHCPv6 here, not solving the general problem of eliminating possibly bogus packets at the switching fabric so that hosts don't see them.
> 
> Remember too that the packet has to actually be _valid_ when it's forwarded to the host: it's not sufficient that it simply make it through the filter.   Otherwise the host will not see it as a DHCPv6 packet, and the shield will have succeeded even though it passed the packet.   So the packet has to use a valid chain of extension headers that the host can successfully parse, even if they are unknown to the switch.
> 
> Can you describe an attack that works in the presence of all these requirements?
> 


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email