IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

"C. M. Heard" <heard@pobox.com> Tue, 10 February 2015 17:26 UTC

Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B785D1A1A72 for <opsec@ietfa.amsl.com>; Tue, 10 Feb 2015 09:26:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tiux4j3m2b8y for <opsec@ietfa.amsl.com>; Tue, 10 Feb 2015 09:26:01 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 817061A1AE0 for <opsec@ietf.org>; Tue, 10 Feb 2015 09:25:58 -0800 (PST)
Received: (qmail 13993 invoked from network); 10 Feb 2015 09:25:53 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 10 Feb 2015 09:25:53 -0800
Date: Tue, 10 Feb 2015 09:25:53 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: joel jaeggli <joelja@bogus.com>
In-Reply-To: <54D98F62.4080508@bogus.com>
Message-ID: <Pine.LNX.4.64.1502100758100.3427@shell4.bayarea.net>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com> <54D8F98D.1030101@si6networks.com> <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com> <54D90EE5.2060002@gmail.com> <5C9CF492-A795-4023-BB91-28B1B52706E4@nominum.com> <54D92987.2080505@gmail.com> <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com> <Pine.LNX.4.64.1502091713320.26279@shell4.bayarea.net> <FFC8BDEA-51BB-4D18-8240-F360CD9A7566@nominum.com> <54D98F62.4080508@bogus.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/cEqunt9HQuzH5AK5DUe_lsMR8-I>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, Fernando Gont <fgont@si6networks.com>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 17:26:02 -0000

On Mon, 9 Feb 2015, joel jaeggli wrote:
> On 2/9/15 7:09 PM, Ted Lemon wrote:
> > I think what will happen in practice is that there will be some
> > fast-path logic that looks at the first 256 bytes of the packet at
> > most, and probably discards it if it can't be made sense of by the
> > end of those 256 bytes.   I am completely okay with that.   What I am
> > not okay with is advocating this behavior in a BCP.
> 
> We do ourselves and the community a disservice when we fail to include
> discussion  of operational divergence from expected behavior. if whe can
> find a position that falls short of advocacy where does that leave us?

Allow me to point out that a device that is unable to parse the entire 
IPv6 header chain is not compliant with the draft as now written:

   1.  DHCPv6-Shield MUST parse the entire IPv6 header chain present in
       the packet, to identify whether it is a DHCPv6 packet meant for a
       DHCPv6 client (i.e., a DHCPv6-server message).

          RATIONALE: DHCPv6-Shield implementations MUST NOT enforce a
          limit on the number of bytes they can inspect (starting from
          the beginning of the IPv6 packet), since this could introduce
          false-negatives: DHCP6-server packets received on ports not
          allowed to receive such packets could be allowed simply
          because the DHCPv6-Shield device does not parse the entire
          IPv6 header chain present in the packet.

The implication is that if the header chain exceeds the size that 
can be looked at with fast-path logic, the packet would need to be 
kicked onto a slow path -- where the potential DoS exposure that 
I've pointed out would very likely be a real problem.

//cmh

v2.23.0 | Report a Bug | By Email