Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
Fernando Gont <fgont@si6networks.com> Sun, 08 February 2015 18:04 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ACA21A1BAF; Sun, 8 Feb 2015 10:04:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtosTgCgyb3a; Sun, 8 Feb 2015 10:04:48 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 957B91A1BA0; Sun, 8 Feb 2015 10:04:48 -0800 (PST)
Received: from [186.134.12.169] (helo=[192.168.123.126]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1YKWDq-000144-Pw; Sun, 08 Feb 2015 19:04:43 +0100
Message-ID: <54D7A51D.9050008@si6networks.com>
Date: Sun, 08 Feb 2015 15:04:13 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Ted Lemon <Ted.Lemon@nominum.com>, Joel Jaeggli <joelja@bogus.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <FBCB9A82-C8AF-4319-9795-6402921A791E@nominum.com> <54D6A719.1010401@gmail.com>
In-Reply-To: <54D6A719.1010401@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/oymZjtirCABdnrBtv1ZOxm_q1AA>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Feb 2015 18:04:50 -0000
On 02/07/2015 09:00 PM, Brian E Carpenter wrote: > On 08/02/2015 09:37, Ted Lemon wrote: >> On Feb 7, 2015, at 1:25 PM, Joel Jaeggli <joelja@bogus.com> wrote: >>> Right one would expect future extension headers to match the TLV >>> expectations of 6564. I can live with the removal of filtering >>> advice but I'd like to see that run past the working group at the >>> very least. >> >> Sounds like a good plan. Thanks! > > However, I don't think you should remove this sentence and the > normative reference to RFC 7045: > > [RFC7045] requires that nodes be configurable with respect to whether > packets with unrecognized headers are forwarded, and allows the > default behavior to be that such packets be dropped. Well, IMO, what Ted is essentially saying is that we cannot take the advice from RFC7045 (!). When this document says that DHCPv6 shield should (by default) filter packets with unrecognized IPv6 extension headers, t does so by backing the requirement with RFC7045. Namely, it says: ---- cut here ---- 3. When parsing the IPv6 header chain, if the packet is identified to be a DHCPv6 packet meant for a DHCPv6 client or the packet contains an unrecognized Next Header value, DHCPv6-Shield MUST drop the packet, and SHOULD log the packet drop event in an implementation-specific manner as a security alert. DHCPv6-Shield MUST provide a configuration knob that controls whether packets with unrecognized Next Header values are dropped; this configuration knob MUST default to "drop". RATIONALE: An unrecognized Next Header value could possibly identify an IPv6 Extension Header, and thus be leveraged to conceal a DHCPv6-server packet (since there is no way for DHCPv6-Shield to parse past unrecognized Next Header values [I-D.gont-6man-rfc6564bis]). [RFC7045] requires that nodes be configurable with respect to whether packets with unrecognized headers are forwarded, and allows the default behavior to be that such packets be dropped. ---- cut here ---- Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [OPSEC] Revisting Re: Ted Lemon's Discuss on draf… joel jaeggli
- Re: [OPSEC] Revisting Re: Ted Lemon's Discuss on … C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Joel Jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-d… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Marc Blanchet
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Pete Resnick
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli