Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
"C. M. Heard" <heard@pobox.com> Sun, 08 February 2015 18:54 UTC
Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418641A1BDA for <opsec@ietfa.amsl.com>; Sun, 8 Feb 2015 10:54:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4okY3AplhWiH for <opsec@ietfa.amsl.com>; Sun, 8 Feb 2015 10:54:44 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECA0E1A1BD9 for <opsec@ietf.org>; Sun, 8 Feb 2015 10:54:43 -0800 (PST)
Received: (qmail 18028 invoked from network); 8 Feb 2015 10:47:58 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 8 Feb 2015 10:47:58 -0800
Date: Sun, 08 Feb 2015 10:47:58 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com>
Message-ID: <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/fU1C8Q4PmLo9BBd2_Xlh9a7gfRY>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "brian.e.carpenter@gmail.com" <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Feb 2015 18:54:45 -0000
On Sun, 8 Feb 2015, Ted Lemon wrote: > On Feb 7, 2015, at 10:37 PM, C. M. Heard <heard@pobox.com> wrote: > > That is incorrect because extension headers and upper layer headers > > share a numbering space. Upper layer headers do NOT follow the > > format in RFC 6564. That makes it in UNSAFE to attempt to skip over > > an unknown next header value. > > I addressed that in my DISCUSS position. Wherein you wrote: | If an unknown protocol header is seen, this will look to the | switch like a malformed IP extension header, but this is harmless | in the context of DHCPv6 shield because any such packet is by | definition _not_ a DHCPv6 packet. It is not necessarily true that an unknown upper layer protocol header will look like a malformed extension header to a device that assumes it is an extension header following the format in RFC 6564. If the value of the 2nd octet of the unknown header is v, then it won't appear malformed if at least 8*(v+1) bytes remain in the packet, starting from the beginning of the unknown header. At that point the device would be interpreting the payload of the unknown upper layer PDU as an extension header chain. In the benign case where the packet is a legitimate one with an upper layer protocol unknown to the device, it is likely (but not assured) that the chain would quickly terminate in something that looks like a malformed extension header. However, it would not be difficult to craft a packet that makes a very long apparent header chain. Depending on how the device processes header chains, that could easily be a vector for DOS attacks -- e.g., by consuming processing resources or by exercising a rarely used processing path. That is why I think it is UNSAFE to continue processing a header chain after encountering an unknown next header value. That being said, I think I agree with your main point: if the default for a DHCPv6-Shield device is to drop packets with unknown next header values, then a DHCPv6-Shield device will by default block unknown upper layer protocols, and that is not a desirable effect if the ONLY purpose of the device is to shield against rogue DHCPv6 packets. Perhaps a way forward would be to specify that a DHCPv6-Shield device SHOULD pass packets with unknown next header values if protection against rogue DHCPv6 packets is the ONLY purpose of the device, but it MAY default to blocking such packets (in accordance with RFC 7045) if other functionality is included. In any case, the behaviour MUST be user configurable (per RFC 7045). In my opinion, it's truly unfortunate that new IPv6 extension headers have not been banned outright in favor of using new destination options or upper layer protocol headers. That would make the correct action in this case unambiguous: pass the packet, as it's some protocol other than DHCPv6. RFC 6564 leaves the possibility of new extension headers open but raises they very high bar of proving that a new destination option or upper layer protocol header won't work. As far as I can see, that is an impossible bar to get over. > The fact that RA guard gives bad advice is no reason for the bad > advice to be repeated in this document. I agree that the advice should be the same. Mike Heard
- [OPSEC] Revisting Re: Ted Lemon's Discuss on draf… joel jaeggli
- Re: [OPSEC] Revisting Re: Ted Lemon's Discuss on … C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Joel Jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-d… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Marc Blanchet
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Pete Resnick
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli