IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

"C. M. Heard" <heard@pobox.com> Mon, 09 February 2015 16:11 UTC

Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F5D1A1A81 for <opsec@ietfa.amsl.com>; Mon, 9 Feb 2015 08:11:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7YaYttyMi1v3 for <opsec@ietfa.amsl.com>; Mon, 9 Feb 2015 08:11:24 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBFF41A1A83 for <opsec@ietf.org>; Mon, 9 Feb 2015 08:11:23 -0800 (PST)
Received: (qmail 14620 invoked from network); 9 Feb 2015 08:11:20 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 9 Feb 2015 08:11:20 -0800
Date: Mon, 09 Feb 2015 08:11:20 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com>
Message-ID: <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/UcOZnWCMy3eMgIs6llDUOa0VYCI>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 16:11:29 -0000

On Mon, 9 Feb 2015, Ted Lemon wrote:
> In addition to being known by the host, the extension header would 
> have to be a standard extension header that does not conform to 
> RFC 6564.  Otherwise, the switch can just skip over it even though 
> it's nominally "unknown."

That, unfortunately, is not true, as I have been trying repeatedly 
to explain.

When the switch encounters an unknown next header value, it does not 
know if that refers to a new extension header, which is required to 
conform to the format of RFC 6564, or an upper layer protocol 
header, which is NOT required to conform to RFC 6564.  As I argue in 
http://www.ietf.org/mail-archive/web/opsec/current/msg01817.html, 
the switch opens itself up to DOS attacks if it assumes that any 
unknown header in the chain conforms to RFC 6564 and attempts to 
continue parsing the header chain.

RFC 6564 gives the misleading impression that it actually solves a 
problem.  It does not.  This is at least the third time I've seem 
this discussion has come up.  For that reason it's time to retire 
RFC 6564, but that of course is a job for 6man, not opsec.

There was some discussion of this problem in 6man -- one proposal 
was draft-gont-6man-rfc6564bis, discussed Feb-May 2014 (see, e.g., 
http://www.ietf.org/mail-archive/web/ipv6/current/msg20710.html).  
6man never came to consensus that the problem was sufficiently 
important to solve, but I think the current discussion has 
hughlighted the importance of putting it to rest.  Secifically:

> ... in dropping packets with unknown extension headers, we are 
> _also_ dropping packets with unknown protocol headers.  That is 
> the real harm of the language of the document as it is currently 
> written.

THAT is a very a real problem in an Internet full of middleboxes.  
It would be fixed if the set of extension headers were closed off to 
further expansion.  Multiple technically viable ways to do this 
without sacrificing functionality have been proposed; this 
discussion sould, I hope, provide the motivation needed to get 6man 
to adopt one of those solutions (or something similar).

Sorry for the digression, but I think it was necessary to understand 
the problem.

//cmh

v2.23.0 | Report a Bug | By Email