Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filtering-03
joel jaeggli <joelja@bogus.com> Fri, 06 October 2017 05:48 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D3513420F for <opsec@ietfa.amsl.com>; Thu, 5 Oct 2017 22:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qf-N71zUui8L for <opsec@ietfa.amsl.com>; Thu, 5 Oct 2017 22:48:29 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6B611270AB for <opsec@ietf.org>; Thu, 5 Oct 2017 22:48:28 -0700 (PDT)
Received: from mb.local ([IPv6:2601:647:4201:9721:955a:5cff:62f4:a809]) (authenticated bits=0) by nagasaki.bogus.com (8.15.2/8.15.2) with ESMTPSA id v965mP8F018580 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Fri, 6 Oct 2017 05:48:26 GMT (envelope-from joelja@bogus.com)
X-Authentication-Warning: nagasaki.bogus.com: Host [IPv6:2601:647:4201:9721:955a:5cff:62f4:a809] claimed to be mb.local
To: Ron Bonica <rbonica@juniper.net>, "C. M. Heard" <heard@pobox.com>, OPSEC <opsec@ietf.org>, Joe Touch <touch@strayalpha.com>, Bob Hinden <bob.hinden@gmail.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>
References: <CACL_3VExxwN6z-WHbp3dcdLNV1JMVf=sgMVzh-k0shNJFeADbQ@mail.gmail.com> <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <4fc640bb-4b03-578c-1904-77628d002e73@bogus.com>
Date: Thu, 05 Oct 2017 22:48:25 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:56.0) Gecko/20100101 Thunderbird/56.0
MIME-Version: 1.0
In-Reply-To: <BLUPR0501MB2051A8FFB1DAFDCA9873B9E6AE700@BLUPR0501MB2051.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/pTrIKMP8zU3PhIo2Zwi_aWAeJc0>
Subject: Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filtering-03
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Oct 2017 05:48:31 -0000
On 10/5/17 11:04, Ron Bonica wrote: > Mike, > > > > I think that you just struck the note that Fernando and I missed. > Transit routers filter extension headers for one of the following reasons: > > > > - To protect themselves (as in RFC 6192) > > - To protect downstream devices > > > > Therefore, the document should contain two clearly marked sections, one > regarding EH filtering policies that protect the transit router and one > regarding EH filtering policies that protect downstream devices. > > > > The first section can: > > > > - Be very short (2 pages max) > > - Be guided largely by RFC 8200 > > - Speak with some degree of authority (while still INFORMATIONAL) > > > > The second section should begin with a discussion of the relationship > between the transit router and the downstream devices. Let’s assume that > the transit router belongs to an ISP, while downstream devices fall into > the following three classes: > > > > 1) Belong to the ISP > > 2) Belong to parties who want to be protected by the ISP (e.g., its > customers) > > 3) Belong to other parties Traffic on a isp either the isp's traffic or a customers (customer is transitive, a customer of a customer is customer traffic). traffic which neither to a customer or the isp is party to unwanted, whether it's there due to malice or intention. what services one offers to a customer seems entirely like a contractual detail. strictly speaking the destination of a packet may not be the destination address in the ip header as when the TTL is lowered or when hop by hop options are employed. > > > Therefore, the transit router MAY discard packets that pose a threat to > the first two classes of downstream device, but MUST NOT discard packets > that are required by the third class of downstream device. > > > From this point, we formulate a policy that **might** satisfy the above > mentioned requirement. We mark this policy with the following caveats: > > > > - It is a best guess > > - If the policy is too permissive, downstream devices belonging > to the ISP and those who it protects will not receive all of the > protection possible > > - If the policy is too restrictive, downstream devices > belonging to other parties will experience collateral damage > > - One size doesn’t fit all > > > > If we were to rework the document into this shape, would it address your > concerns. > > > > Ron > > > > > > > > *From:*OPSEC [mailto:opsec-bounces@ietf.org] *On Behalf Of *C. M. Heard > *Sent:* Wednesday, October 4, 2017 11:08 PM > *To:* OPSEC <opsec@ietf.org> > *Subject:* Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filtering-03 > > > > On Thu, 5 Oct 2017 11:10:06 +1300, Brian E Carpenter wrote: > >> On 05/10/2017 02:12, Joe Touch wrote: > >> > >>> On 9/29/2017 1:12 AM, Van De Velde, Gunter (Nokia - BE/Antwerp) wrote: > >>>> > >>>> This is to open a two week WGLC > >>>> for https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering-03 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dopsec-2Dipv6-2Deh-2Dfiltering-2D03&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=pDMOABefbu8JHcDH3rcHvzOABmSLo8X0KGbiPvLqnpA&s=M7xHnDuuJxhA21iLVXO_-AZjAhvXwgaN__niQRcoBwc&e=>. > >>>> > >>> > >>> I do not agree with the claims of this document. It "informationally" > >>> advises against support for key IPv6 capabilities and undermines the > >>> extensibility of IPv6 by making recommendations about discarding > >>> currently unassigned codepoints. > >> > >> Here's the problem, Joe. It's a fact of life that many firewalls > >> discard a lot of stuff that they shouldn't - that's why we wrote > >> RFC 7045 - but in the real world, operators blunder around based > >> on folklore and vendors' defaults. We can't change any of that, but > >> we can try to issue sensible advice that, overall, will limit the > >> resulting breakage. IMHO this document, positioned correctly as > >> Informational, will do that: on balance, it makes the world a better > >> place. > > > > I am afraid that I do not agree that the document, in its present form, > > will do that. It says: > > > > The filtering policy typically depends on where in the network such > > policy is enforced: when the policy is enforced in a transit network, > > the policy typically follows a "black-list" approach, where only > > packets with clear negative implications are dropped. On the other > > hand, when the policy is enforced closer to the destination systems, > > the policy typically follows a "white-list" approach, where only > > traffic that is expected to be received is allowed. /_The advice in_/ > > /_ this document is aimed only at transit routers that may need to_/ > > /_ enforce a filtering policy based on the EHs and IPv6 options a packet_/ > > /_ may contain, following a "black-list" approach, and hence is likely_/ > > /_ to be much more permissive that a filtering policy to be employed_/ > > /_ e.g. at the edge of an enterprise network._/ The advice in this > > document is meant to improve the current situation of the dropping of > > packets with IPv6 EHs in the Internet [RFC7872 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7872&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=pDMOABefbu8JHcDH3rcHvzOABmSLo8X0KGbiPvLqnpA&s=KqV5UiI6Ie51NtocuTw9zMCtHX8aMheboGCPVCzdepA&e=>]. > > > while at the same time promoting a **/_default deny_/** policy with > > respect to unrecognized options and unrecognized extension headers. > > That is antithetical to the mission of a **/_transit router_/**, which > > is to get packets transparently from point A to point B. It is > > especially egregious to dispense this advice for unrecognized > > extension headers, since they are indistinguishable from unrecognized > > transport protocols. If these things are blocked by **/_transit routers_/** > > it becomes impossible to deploy any new options or transport protocols. > > But we already know that, don't we? > > > > If we want to give constructive advice that really will make the > > world a better place, we should: > > > 1.) Advise operators of **/_transit routers_/** to be transparent to > > everything other than the Hop-by-Hop extensions header, and provide > > detailed advice on what to do (based on the updates in RFC 8200) > > about Hop-by-Hop options. The default should be IGNORE unless there > > is an option you need to process. > > > 2.) Reserve all the detailed filtering advicee for operators of > > firewalls, enterprise routers, and other systems whose mission it > > is to protect the end systems behind them (or to prevent misbehavior > > by said end systems). A default deny for unrecognized stuff is not > > unreasonable for such systems. > > > 3.) Remind implementors of the following requirement from RFC 7045: > > > Forwarding nodes MUST be configurable to allow packets containing > > unrecognised extension headers, but the default configuration MAY > > drop such packets. > > > and add similar advice for options. > > > Thanks and regards, > > > Mike Heard > > > _______________________________________________ > OPSEC mailing list > OPSEC@ietf.org > https://www.ietf.org/mailman/listinfo/opsec >
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-filteri… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Joe Touch
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Ron Bonica
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Bob Hinden
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… C. M. Heard
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Tim Chown
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Joe Touch
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Brian E Carpenter
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… C. M. Heard
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… joel jaeggli
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Ron Bonica
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… joel jaeggli
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Fernando Gont
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Fernando Gont
- Re: [OPSEC] WGLC for draft-ietf-opsec-ipv6-eh-fil… Van De Velde, Gunter (Nokia - BE/Antwerp)
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Fernando Gont
- Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-ipv… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Bob Hinden
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Ole Troan
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Nick Hilliard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-eh-… C. M. Heard