Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
Joel Jaeggli <joelja@bogus.com> Sat, 07 February 2015 20:25 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5CA1A0404; Sat, 7 Feb 2015 12:25:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4TbrHskHgIV; Sat, 7 Feb 2015 12:25:40 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EF071A00A7; Sat, 7 Feb 2015 12:25:40 -0800 (PST)
Received: from [192.168.44.15] (71-9-224-93.static.reno.nv.charter.com [71.9.224.93]) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id t17KPa3D082968 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 7 Feb 2015 20:25:37 GMT (envelope-from joelja@bogus.com)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Joel Jaeggli <joelja@bogus.com>
X-Mailer: iPhone Mail (12B466)
In-Reply-To: <20150207194616.20651.30892.idtracker@ietfa.amsl.com>
Date: Sat, 07 Feb 2015 12:25:30 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com>
To: Ted Lemon <ted.lemon@nominum.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/fhgxoDELwPDp6goIqyIHdVifmr0>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, "brian.e.carpenter@gmail.com" <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Feb 2015 20:25:42 -0000
Right one would expect future extension headers to match the TLV expectations of 6564. I can live with the removal of filtering advice but I'd like to see that run past the working group at the very least. Sent from my iPhone > On Feb 7, 2015, at 11:46, Ted Lemon <ted.lemon@nominum.com> wrote: > > Ted Lemon has entered the following ballot position for > draft-ietf-opsec-dhcpv6-shield-05: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > When I began with this DISCUSS, my understanding was that in order to > implement DHCPv6 Shield and be sure of stopping all DHCP packets, it > would, as the document says, be necessary to filter packets with unknown > IPv6 headers. This would likely mean that the layer 2 switching fabric > of a network supporting DHCPv6 shield would be unable to carry any IP > packets containing not only unknown IP extension headers, but also > packets containing unknown (to the switching fabric) protocol headers. > Consequently I suggested a fairly elaborate way to mitigate the risk > without requiring that all such packets be filtered. > > However, after discussing this at length with Fernando, I realized that > it was actually not at all necessary to filter unknown IPv6 headers. > The reason for this is that we can safely assume that any IP extension > header that appears in a packet conforms to RFC 6564. This means that > switches implementing DHCPv6 shield can at least in principle skip over > unknown IP extension headers. If an unknown protocol header is seen, > this will look to the switch like a malformed IP extension header, but > this is harmless in the context of DHCPv6 shield because any such packet > is by definition _not_ a DHCPv6 packet. I believe that a switching > fabric should not default to dropping packets it doesn't recognize, > because this pretty much guarantees that new protocols can't be deployed > even in site-specific situations. > > Therefore, I believe that this document should not only not require > filtering unknown IP extension headers, but should not even mention > filtering them. It may be that some implementations may need to filter > them for other reasons, but this is already allowed by RFC 7045, and > therefore needn't be mentioned here. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > This is the original text of this DISCUSS: > > This text makes sense, but I think it needs to be changed somewhat: > > 3. When parsing the IPv6 header chain, if the packet is identified > to be a DHCPv6 packet meant for a DHCPv6 client or the packet > contains an unrecognized Next Header value, DHCPv6-Shield MUST > drop the packet, and SHOULD log the packet drop event in an > implementation-specific manner as a security alert. > DHCPv6-Shield MUST provide a configuration knob that controls > whether packets with unrecognized Next Header values are dropped; > this configuration knob MUST default to "drop". > > RATIONALE: An unrecognized Next Header value could possibly > identify an IPv6 Extension Header, and thus be leveraged to > conceal a DHCPv6-server packet (since there is no way for > DHCPv6-Shield to parse past unrecognized Next Header values > [I-D.gont-6man-rfc6564bis]). [RFC7045] requires that nodes be > configurable with respect to whether packets with unrecognized > headers are forwarded, and allows the default behavior to be > that such packets be dropped. > > I think it's worth considering whether the default setting for this > configuration knob should be "drop" or "pass." The problem with > defaulting to "drop" is that it means that extension headers the DHCPv6 > Shield device does not understand fail to pass, which could cause > operational problems. The problem with not defaulting to "drop" you > have already explained. I do not think that the threat of DHCPv6 > spoofing is sufficient to justify defaulting to drop. Yes, DHCPv6 > spoofing can cause operational issues. So can filtering "unknown" > headers. > > The frustrating thing about this document is that it actually solves the > problem the wrong way. What this document should recommend is filtering > of DHCPv6 packets from _clients_. If a rogue DHCP server can't see > client multicasts because DHCPv6 shield is blocking them, then it can't > know to attack DHCPv6 clients. This substantially limits the rogue's > ability to attack DHCPv6 clients on the local subnet. If you combine > that with server packet filtering but do not block unknown headers, I > think you have achieved a good tradeoff between the problems caused by > whatever spoofing might get to a client using an unknown header and the > problems caused by blocking non-DHCP packets that use that unknown header > for some legitimate purpose. > > So, realizing that this would be a major change, the way I would LIKE you > to address this discuss is to add DHCPv6 client packet filtering. You > could also address it by changing the default for the unknown header > filter, but I would understand if you felt that this was inadequate. Or > you could argue persuasively that I'm wrong, which has been known to > happen. :) > > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec >
- [OPSEC] Revisting Re: Ted Lemon's Discuss on draf… joel jaeggli
- Re: [OPSEC] Revisting Re: Ted Lemon's Discuss on … C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Joel Jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-d… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Marc Blanchet
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Pete Resnick
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli