IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

Brian Haberman <brian@innovationslab.net> Mon, 09 February 2015 13:12 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D4E1A039A; Mon, 9 Feb 2015 05:12:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7QxNtsgltHlT; Mon, 9 Feb 2015 05:11:59 -0800 (PST)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B4AD1A00EA; Mon, 9 Feb 2015 05:11:59 -0800 (PST)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id E575D880F5; Mon, 9 Feb 2015 05:11:58 -0800 (PST)
Received: from clemson.local (clairseach.fuaim.com [206.197.161.141]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 1ED1F71B0001; Mon, 9 Feb 2015 05:11:56 -0800 (PST)
Message-ID: <54D8B220.2030204@innovationslab.net>
Date: Mon, 09 Feb 2015 08:12:00 -0500
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "C. M. Heard" <heard@pobox.com>, Pete Resnick <presnick@qti.qualcomm.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net>
In-Reply-To: <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="RjXOffUAQUSosDWSGcn2G7gGgjQh2rEqS"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/xArzzfwqcYp_NXK-2FmsEOprqGY>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>, The IESG <iesg@ietf.org>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 13:12:02 -0000

Let me chime in here with two points...

On 2/9/15 1:02 AM, C. M. Heard wrote:
> On Sun, 8 Feb 2015, Pete Resnick wrote:
>> On 2/8/15 11:01 PM, Ted Lemon wrote:
>>> Can you explain, in detail, what a DHCPv6 packet would look like that would
>>> get past a filter because either it used unknown extension headers, or an
>>> unknown protocol header?
>>>    
>>
>> Better yet, could you give an example packet with a fake new extension header
>> that a middlebox would think is not a DHCPv6 packet, but in fact is?
> 
> Not with a fake extension header, but with a real one.  Suppose:
> 
> - A new extension header is defined that make sense to sandwich in 
>   front of a DHCPv6 packet (not all do; some extension headers are 
>   required to have a next header value of "no next header")
> 
> - This extension header is unknowm to a DHCPv6-Shield implementation
> 
> - This is extension header is known and considered valid by a host 
>   that DHCPv6-Shield implementation is trying to protect

The above is a typical scenario where different code bases update their
capabilities on different time scales.  Any time a new feature/function
is added, there will be a risk of incompatible functionality within the
set of devices that compose the network path from source to destination.

> 
> If I correctly understand Ted's position, he is saying that a 
> DHCPv6-Shield implementation should unconditionally pass a packet 
> containing a next header value it does not recognize.  In that case, 
> a DHCPv6 packet containing the hypothesized new extension header 
> described above would pass through the DHCPv6-Shield implementation 
> and be processed by the host.

I have interpreted Ted's position to be that this document should simply
point to RFC 7045 (or its successor) for handling unknown extension headers.

Regards,
Brian

v2.23.0 | Report a Bug | By Email