IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Fernando Gont <fgont@si6networks.com> Mon, 09 February 2015 19:18 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D18231A877B; Mon, 9 Feb 2015 11:18:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hek-bNxwTOPp; Mon, 9 Feb 2015 11:18:31 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 869641A8781; Mon, 9 Feb 2015 11:17:59 -0800 (PST)
Received: from cl-1071.udi-01.br.sixxs.net ([2001:1291:200:42e::2]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1YKtqE-0007xI-63; Mon, 09 Feb 2015 20:17:54 +0100
Message-ID: <54D9072F.9020406@si6networks.com>
Date: Mon, 09 Feb 2015 16:14:55 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Ted Lemon <Ted.Lemon@nominum.com>, "C. M. Heard" <heard@pobox.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com>
In-Reply-To: <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/ptNumey1X6vYhBTOJJCn0yXx6Kg>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 19:18:33 -0000

On 02/09/2015 11:41 AM, Ted Lemon wrote:
> On Feb 9, 2015, at 1:02 AM, C. M. Heard <heard@pobox.com> wrote:
>> - A new extension header is defined that make sense to sandwich in
>>  front of a DHCPv6 packet (not all do; some extension headers are 
>> required to have a next header value of "no next header")
>> 
>> - This extension header is unknowm to a DHCPv6-Shield
>> implementation
>> 
>> - This is extension header is known and considered valid by a host
>>  that DHCPv6-Shield implementation is trying to protect
> 
> In addition to being known by the host, the extension header would
> have to be a standard extension header that does not conform to RFC
> 6564.   Otherwise, the switch can just skip over it even though it's
> nominally "unknown."   Having skipped over it, it would correctly
> reach the UDP protocol header, and notice that the packet was a DHCP
> packet.
> 
> I think it's safe to assume that no future extension header that is
> standardized will fail to conform to RFC 6564.

It is not. As noted, RFC6564 doesn't buy you anything. And if we decide
to fix the problem in question (e.g., as described in
draft-gont-6man-rfc6564bis-00.txt), then I can guarantee that new IPv6
EHs will *not* follow the format in RFC6564.

(And I'd say that "assumptions" have been the source of most security
flaws in protocols and implementations I've seen).


> Hence, we do not
> need to worry that the host will be able to parse a new extension
> header, but that the DHCPv6-shield device will not.   Hence, there is
> no need to drop packets with unknown extension headers.
> 
> This is particularly important, because in dropping packets with
> unknown extension headers, we are _also_ dropping packets with
> unknown protocol headers.   That is the real harm of the language of
> the document as it is currently written.

You can't be worried about new transport protocols and at the same time
support RFC6564. If you assume that new EHs will follow RFC6564, then
you're banning *from scratch* deployment of new transport protocols (!).

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email