Re: [savi] Potential issue for all SAVI mechanisms?
Jean-Michel Combes <jeanmichel.combes@gmail.com> Mon, 05 September 2011 17:07 UTC
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2BE721F8B8F for <savi@ietfa.amsl.com>; Mon, 5 Sep 2011 10:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.012
X-Spam-Level:
X-Spam-Status: No, score=-103.012 tagged_above=-999 required=5 tests=[AWL=-0.013, BAYES_00=-2.599, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQdQUMIUfsxf for <savi@ietfa.amsl.com>; Mon, 5 Sep 2011 10:07:57 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id AB7A321F8B85 for <savi@ietf.org>; Mon, 5 Sep 2011 10:07:57 -0700 (PDT)
Received: by gxk19 with SMTP id 19so4089858gxk.31 for <savi@ietf.org>; Mon, 05 Sep 2011 10:09:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=dpyOT6Z570YtI65ZoA2V5CoPFKKEmQPyPKrxD0BN51o=; b=gLg4XEl+DTKHtU4t9OoxAnEwer8WTYpbsoXf2POVk4OTlZgtjQJeA1dvcpCyzOJgcM FPmg91DRDKsiV0ESmmZls099t2NQfbUDE6NMFvbi4PPtXtBJc+qDYYYvE3qK2Uq1Fm3z ft0Lv/QMhQSwGK9FvCSRyuKOkhQEBBHVBIsZU=
MIME-Version: 1.0
Received: by 10.236.200.195 with SMTP id z43mr18733559yhn.127.1315242580976; Mon, 05 Sep 2011 10:09:40 -0700 (PDT)
Received: by 10.146.83.11 with HTTP; Mon, 5 Sep 2011 10:09:40 -0700 (PDT)
In-Reply-To: <4E548BD0.20907@joelhalpern.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com> <4E0A11D8.5010300@joelhalpern.com> <BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com> <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com> <CA+=FF_6VYCvTmk5-aoaPYYnz=ywMUJsxf6qpQkf8dm7b47s4jg@mail.gmail.com> <E42897DEBD36439F8CB036D7D3F47D05@junbiVAIOz138> <4E548BD0.20907@joelhalpern.com>
Date: Mon, 05 Sep 2011 19:09:40 +0200
Message-ID: <CAA7e52qOJoOEr8Fmco4XjQgGvzq8td_MHnmMp0SmiDTOJxa0GA@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Guang Yao <yaoguang.china@gmail.com>, SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Sep 2011 17:07:58 -0000
2011/8/24 Joel M. Halpern <jmh@joelhalpern.com>: > Without arguing about what document things belong in, the proposed text is > just a paraphrase of one half of what "trusted port for dhcp" meands. > the other half, "untrusted port for dhcp" means that if the Next Header > value is detectably DHCP, but the port is not trusted for DHCP, it should be > dropped. > Those are, I believe already in the document. > > The issue we are discussing is what more should be said about the cases > where the Next Header value can not be found. This arises either when > either fragmentation moves the next header to the next message, or extra > headers move it outside of the parse capabilities of the device. Yes, this is the issue. > > It is probably sufficient to simply note that the trusted port enforcement > does not handle those cases. > > The reason for putting it in the MIX document is that there is a very > similar issue for NS detection. Yes. BTW, maybe, MIX deployment may complicate the situation too because this includes many SAVI solutions (and so their consequent drawbacks). Best regards. JMC. > > Yours, > Joel > > On 8/23/2011 10:55 PM, Jun Bi wrote: >> >> I agree with Guang Yao. >> thanks, >> Jun Bi >> *From:* Guang Yao <mailto:yaoguang.china@gmail.com> >> *Sent:* Monday, August 22, 2011 5:19 PM >> *To:* Jean-Michel Combes <mailto:jeanmichel.combes@gmail.com> >> *Cc:* SAVI Mailing List <mailto:savi@ietf.org> >> *Subject:* Re: [savi] Potential issue for all SAVI mechanisms? >> Hi, >> I agree with the text. However, in DHCP case, only DHCP message from >> dhcp-trust and savi-validation port is processed by the SAVI device. So >> I add the condition as follows. >> -If the Next Header value inside the Fragment header is DHCP, / and if >> the packet is from dhcp-trust port or SAVI-validation port/, the packet >> is processed by the SAVI device, >> If this condition can be implied from existing text, just remove it. >> Besides, I wonder whether it is necessary to include this in the MIX >> document, as MIX document doesn't specify the details of packet process. >> If FCFS/DHCP/SEND can each handle this problem separately, MIX can also >> handle this problem. >> >> Best regards, >> Guang >> >> 2011/8/19 Jean-Michel Combes <jeanmichel.combes@gmail.com >> <mailto:jeanmichel.combes@gmail.com>> >> >> Hi, >> >> I would like to come back on this point and find a consensus. >> Here is the text I propose to be added in the Security Considerations >> section of any SAVI solution document (i.e., FCFS, DHCP, SEND and MIX >> documents) as residential threats: >> >> <TEXT: only keep ND for FCFS/SEND SAVI and only keep UDP(DHCP) for >> DHCP SAVI> >> o SAVI limitations >> In some cases, the SAVI device could not be able to process IP packets >> and so to update correctly the Binding Table. For example, this could >> be the case for encrypted packets (i.e., with IPsec/ESP) or fragmented >> packets. To mitigate this last case, the SAVI device SHOULD proceed as >> follows: >> - If the Next Header value inside the Fragment header is ND/UDP(DHCP), >> the packet is processed by the SAVI device, >> - If the Next Header value inside the Fragment header is not >> ND/UDP(DHCP) but there is a binding, the packet is processed by the >> SAVI device, >> - Else the packet is dropped and the incident is logged. >> </TEXT> >> >> Comments/alternative text (deadline: 8-september-2011) are welcome! >> >> Thanks in advance. >> >> Best regards. >> >> JMC. >> >> 2011/6/28 Jean-Michel Combes <jeanmichel.combes@gmail.com >> <mailto:jeanmichel.combes@gmail.com>>: >> > Hi Joel, >> > >> > 2011/6/28 Joel M. Halpern <jmh@joelhalpern.com >> <mailto:jmh@joelhalpern.com>>: >> >> I don't think this works. >> >> The question is not how often ND packets have that structure, >> but whether >> >> 1) Hosts will accept ND packets with that structure >> >> and >> >> 2) Other protocols will use that structure. >> >> >> >> If both of those are true, which they currently are, then a SAVI >> device >> >> can not detect an ND packet which is fragmented and hiding behind >> >> destination options. >> >> But, contrary to your resolution below, since other protocols >> use that >> >> construct, SAVI devices can not simply drop all packets that are >> >> fragmented and where the only visible next header is destination >> options >> >> (or AH, or ESP.) they would be dropping legitimate data packets. >> > >> > Yep, I missed this ... So, a new proposal: >> > - if the Next Header value inside the Fragment header is >> ND/UDP(DHCP), >> > the packet is processed by the SAVI device >> > - if the Next Header value inside the Fragment header is not >> > ND/UDP(DHCP) and there is a binding, the packet is processed by the >> > SAVI device >> > - else the packet is dropped and the incident is logged >> > >> >> >> >> It does not matter whether any legitimate sender of ND messages >> would >> >> ever use that construct. >> >> >> >> As far as I can tell, the only path to sanity here is for the >> hosts not >> >> to accept such packets. >> >> And that is a matter for 6man, not for SAVI. We should simply >> document >> >> this as a residual threat. >> > >> > IMHO, this is a matter for SAVI too, because, if the SAVI device is >> > not able to process fragmented ND/DHCP packets from a node to >> > correctly update the Binding Table, by default, any packet from this >> > node will be dropped by the SAVI device even if hosts accept such >> > packets. >> > >> > Cheers. >> > >> > JMC. >> > >> >> >> >> Yours, >> >> Joel >> >> >> >> >> >> On 6/28/2011 1:26 PM, Jean-Michel Combes wrote: >> >>> Based on RFC 2460: >> >>> (1) the Next Header value inside the Fragment header identifies >> the >> >>> first header of the Fragmentable Part of the original packet >> >>> (2) The Unfragmentable Part consists of the IPv6 header plus any >> >>> extension headers that must be processed by nodes en route to the >> >>> destination, that is, all headers up to and including the Routing >> >>> header if present, else the Hop-by-Hop Options header if >> present, else >> >>> no extension headers. >> >>> (3) Extension header order is: IPv6 header, Hop-by-Hop Options >> header, >> >>> Destination Options header, Routing header, Fragment header, >> >>> Authentication header, Encapsulating Security Payload header, >> >>> Destination Options header, upper-layer header >> >>> >> >>> So, as far as I can see, there are only 3 scenarios where the Next >> >>> Header value inside the Fragment header is not ND(including >> SEND, as >> >>> this is just ND options)/DHCP: >> >>> (a) AH >> >>> (b) ESP >> >>> (c) Destination Option >> >>> >> >>> IMHO, ND/DHCP messages with such extension headers are not >> common ... >> >>> >> >>> >> >>>> > >> >>>> > Then the SAVI devices can assume and require that the known >> ULP is >> >>>> > contained in the first fragment, thus they can determine >> whether a >> >>>> > packet is ND/DHCP/SEND, and reject any such packets that >> include a >> >>>> > fragment header. >> >>> Indeed, we could assume for each SAVI mechanism that: >> >>> - if the Next Header value inside the Fragment header is >> ND/UDP(DHCP), >> >>> the packet is processed >> >>> - else the packet is dropped and the incident is logged >> >>> >> >>> As SAVI has a site/link scope, with the logs, IMHO, it should be >> >>> easier for the SAVI admin to understand/solve the issue. >> >>> >> >>> Best regards. >> >>> >> >>> JMC. >> >>> >> >>> >> >>> >> >> >> > >> _______________________________________________ >> savi mailing list >> savi@ietf.org <mailto:savi@ietf.org> >> https://www.ietf.org/mailman/listinfo/savi >> >> _______________________________________________ >> savi mailing list >> savi@ietf.org >> https://www.ietf.org/mailman/listinfo/savi >> >> >> _______________________________________________ >> savi mailing list >> savi@ietf.org >> https://www.ietf.org/mailman/listinfo/savi >
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- [savi] Potential issue for all SAVI mechanisms? Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Mikael Abrahamsson
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Eric Levy-Abegnoli
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Guang Yao
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García