IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Fernando Gont <fgont@si6networks.com> Mon, 09 February 2015 19:10 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFE711A7029; Mon, 9 Feb 2015 11:10:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PdfYLYfORcuR; Mon, 9 Feb 2015 11:10:41 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 291CD1A6FF0; Mon, 9 Feb 2015 11:10:33 -0800 (PST)
Received: from cl-1071.udi-01.br.sixxs.net ([2001:1291:200:42e::2]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1YKtj2-0007ui-D1; Mon, 09 Feb 2015 20:10:28 +0100
Message-ID: <54D90317.4070205@si6networks.com>
Date: Mon, 09 Feb 2015 15:57:27 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>, "C. M. Heard" <heard@pobox.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com>
In-Reply-To: <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/cStmjZDxBNqzqeylS0806pDvqrU>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "brian.e.carpenter@gmail.com" <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 19:10:42 -0000

On 02/08/2015 04:24 PM, Ted Lemon wrote:
> On Feb 8, 2015, at 1:47 PM, C. M. Heard <heard@pobox.com> wrote:
>> It is not necessarily true that an unknown upper layer protocol 
>> header will look like a malformed extension header to a device that
>>  assumes it is an extension header following the format in RFC
>> 6564. If the value of the 2nd octet of the unknown header is v,
>> then it won't appear malformed if at least 8*(v+1) bytes remain in
>> the packet, starting from the beginning of the unknown header.  At
>> that point the device would be interpreting the payload of the
>> unknown upper layer PDU as an extension header chain.  In the
>> benign case where the packet is a legitimate one with an upper
>> layer protocol unknown to the device, it is likely (but not
>> assured) that the chain would quickly terminate in something that
>> looks like a malformed extension header.  However, it would not be
>> difficult to craft a packet that makes a very long apparent header
>> chain.  Depending on how the device processes header chains, that
>> could easily be a vector for DOS attacks -- e.g., by consuming
>> processing resources or by exercising a rarely used processing
>> path.  That is why I think it is UNSAFE to continue processing a
>> header chain after encountering an unknown next header value.
> 
> This may or may not be true, but to the extent that it's true, it's
> already addressed in RFC 7045, and it's addressed correctly there.
> There is no need to strengthen the advice in RFC 7045 here, which
> this document currently does

Why do you think this document "strengthens the advice in RFC7045", as
opposed to it actually *complying* with what's in RFC7045?

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email