IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Ted Lemon <Ted.Lemon@nominum.com> Mon, 09 February 2015 16:45 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0704A1A1ACE; Mon, 9 Feb 2015 08:45:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 31DD6xyXDfEz; Mon, 9 Feb 2015 08:45:24 -0800 (PST)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F9AD1A1ADB; Mon, 9 Feb 2015 08:45:00 -0800 (PST)
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 13C9FDA0219; Mon, 9 Feb 2015 16:45:00 +0000 (UTC)
Received: from webmail.nominum.com (cas-03.win.nominum.com [64.89.235.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id D5AF253E07D; Mon, 9 Feb 2015 08:44:59 -0800 (PST)
Received: from [10.0.20.107] (71.233.43.215) by CAS-03.WIN.NOMINUM.COM (64.89.235.66) with Microsoft SMTP Server (TLS) id 14.3.224.2; Mon, 9 Feb 2015 08:44:59 -0800
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net>
Date: Mon, 09 Feb 2015 11:44:52 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net>
To: "C. M. Heard" <heard@pobox.com>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [71.233.43.215]
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/cQ-hakj2xzCKVjxYDNwkNnSTCDA>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 16:45:26 -0000

On Feb 9, 2015, at 11:11 AM, C. M. Heard <heard@pobox.com> wrote:
> As I argue in 
> http://www.ietf.org/mail-archive/web/opsec/current/msg01817.html, 
> the switch opens itself up to DOS attacks if it assumes that any 
> unknown header in the chain conforms to RFC 6564 and attempts to 
> continue parsing the header chain.

Yes, you made this argument.   But how does this constitute a DoS attack?   You have a 1500 byte packet, and you have some kind of fast-path hardware that's trying to parse the packet. At some point it will either succeed or fail.   Most such hardware doesn't even look very far into the packet--maybe 256 bytes at most.

I asked you earlier in this conversation to describe a specific attack, not make general speculations.   Can you describe a specific attack here and explain why it is bad?   Remember that we are specifically talking about filtering DHCPv6 here, not solving the general problem of eliminating possibly bogus packets at the switching fabric so that hosts don't see them.

Remember too that the packet has to actually be _valid_ when it's forwarded to the host: it's not sufficient that it simply make it through the filter.   Otherwise the host will not see it as a DHCPv6 packet, and the shield will have succeeded even though it passed the packet.   So the packet has to use a valid chain of extension headers that the host can successfully parse, even if they are unknown to the switch.

Can you describe an attack that works in the presence of all these requirements?

v2.23.0 | Report a Bug | By Email