IETF Logo Mail Archive

Re: [savi] Potential issue for all SAVI mechanisms?

"Jun Bi" <junbi@cernet.edu.cn> Wed, 24 August 2011 03:57 UTC

Return-Path: <junbi@cernet.edu.cn>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED78421F8ADC for <savi@ietfa.amsl.com>; Tue, 23 Aug 2011 20:57:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.602
X-Spam-Level:
X-Spam-Status: No, score=-99.602 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, FH_HAS_XAIMC=2.696, HTML_MESSAGE=0.001, J_CHICKENPOX_29=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLoj26oxjU6f for <savi@ietfa.amsl.com>; Tue, 23 Aug 2011 20:57:31 -0700 (PDT)
Received: from cernet.edu.cn (mail.cernet.edu.cn [202.112.39.2]) by ietfa.amsl.com (Postfix) with SMTP id 31E3621F8A70 for <savi@ietf.org>; Tue, 23 Aug 2011 20:57:29 -0700 (PDT)
Received: from junbiVAIOz138([59.66.24.128]) by cernet.edu.cn(AIMC 3.2.0.0) with SMTP id jm74e54a043; Wed, 24 Aug 2011 11:58:38 +0800
Message-ID: <E42897DEBD36439F8CB036D7D3F47D05@junbiVAIOz138>
From: Jun Bi <junbi@cernet.edu.cn>
To: Guang Yao <yaoguang.china@gmail.com>, Jean-Michel Combes <jeanmichel.combes@gmail.com>
References: <4E01F2FF.7030108@acm.org><BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com><4E0A11D8.5010300@joelhalpern.com><BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com><CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com> <CA+=FF_6VYCvTmk5-aoaPYYnz=ywMUJsxf6qpQkf8dm7b47s4jg@mail.gmail.com>
In-Reply-To: <CA+=FF_6VYCvTmk5-aoaPYYnz=ywMUJsxf6qpQkf8dm7b47s4jg@mail.gmail.com>
Date: Wed, 24 Aug 2011 10:55:25 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0135_01CC624C.53F76320"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
X-AIMC-AUTH: junbi
X-AIMC-MAILFROM: junbi@cernet.edu.cn
X-AIMC-Msg-ID: f8ubEw0B
Cc: SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 03:57:32 -0000

I agree with Guang Yao.

thanks,
Jun Bi

From: Guang Yao 
Sent: Monday, August 22, 2011 5:19 PM
To: Jean-Michel Combes 
Cc: SAVI Mailing List 
Subject: Re: [savi] Potential issue for all SAVI mechanisms?

Hi, 

I agree with the text. However, in DHCP case, only DHCP message from dhcp-trust and savi-validation port is processed by the SAVI device. So I add the condition as follows.

-If the Next Header value inside the Fragment header is DHCP, /and if the packet is from dhcp-trust port or SAVI-validation port/, the packet is processed by the SAVI device, 

If this condition can be implied from existing text, just remove it.

Besides, I wonder whether it is necessary to include this in the MIX document, as MIX document doesn't specify the details of packet process. If FCFS/DHCP/SEND can each handle this problem separately, MIX can also handle this problem.



Best regards,
Guang


2011/8/19 Jean-Michel Combes <jeanmichel.combes@gmail.com>

  Hi,

  I would like to come back on this point and find a consensus.
  Here is the text I propose to be added in the Security Considerations
  section of any SAVI solution document (i.e., FCFS, DHCP, SEND and MIX
  documents) as residential threats:

  <TEXT: only keep ND for FCFS/SEND SAVI and only keep UDP(DHCP) for DHCP SAVI>
  o SAVI limitations
  In some cases, the SAVI device could not be able to process IP packets
  and so to update correctly the Binding Table. For example, this could
  be the case for encrypted packets (i.e., with IPsec/ESP) or fragmented
  packets. To mitigate this last case, the SAVI device SHOULD proceed as
  follows:

  - If the Next Header value inside the Fragment header is ND/UDP(DHCP),

  the packet is processed by the SAVI device,

  - If the Next Header value inside the Fragment header is not

  ND/UDP(DHCP) but there is a binding, the packet is processed by the
  SAVI device,
  - Else the packet is dropped and the incident is logged.
  </TEXT>

  Comments/alternative text (deadline: 8-september-2011) are welcome!

  Thanks in advance.

  Best regards.

  JMC.

  2011/6/28 Jean-Michel Combes <jeanmichel.combes@gmail.com>:

  > Hi Joel,
  >
  > 2011/6/28 Joel M. Halpern <jmh@joelhalpern.com>:
  >> I don't think this works.
  >> The question is not how often ND packets have that structure, but whether
  >> 1) Hosts will accept ND packets with that structure
  >> and
  >> 2) Other protocols will use that structure.
  >>
  >> If both of those are true, which they currently are, then a SAVI device
  >> can not detect an ND packet which is fragmented and hiding behind
  >> destination options.
  >> But, contrary to your resolution below, since other protocols use that
  >> construct, SAVI devices can not simply drop all packets that are
  >> fragmented and where the only visible next header is destination options
  >> (or AH, or ESP.)  they would be dropping legitimate data packets.
  >
  > Yep, I missed this ... So, a new proposal:
  > - if the Next Header value inside the Fragment header is ND/UDP(DHCP),
  > the packet is processed by the SAVI device
  > - if the Next Header value inside the Fragment header is not
  > ND/UDP(DHCP) and there is a binding, the packet is processed by the
  > SAVI device
  > - else the packet is dropped and the incident is logged
  >
  >>
  >> It does not matter whether any legitimate sender of ND messages would
  >> ever use that construct.
  >>
  >> As far as I can tell, the only path to sanity here is for the hosts not
  >> to accept such packets.
  >> And that is a matter for 6man, not for SAVI.  We should simply document
  >> this as a residual threat.
  >
  > IMHO, this is a matter for SAVI too, because, if the SAVI device is
  > not able to process fragmented ND/DHCP packets from a node to
  > correctly update the Binding Table, by default, any packet from this
  > node will be dropped by the SAVI device even if hosts accept such
  > packets.
  >
  > Cheers.
  >
  > JMC.
  >
  >>
  >> Yours,
  >> Joel
  >>
  >>
  >> On 6/28/2011 1:26 PM, Jean-Michel Combes wrote:
  >>> Based on RFC 2460:
  >>> (1) the Next Header value inside the Fragment header identifies the
  >>> first header of the Fragmentable Part of the original packet
  >>> (2) The Unfragmentable Part consists of the IPv6 header plus any
  >>> extension headers that must be processed by nodes en route to the
  >>> destination, that is, all headers up to and including the Routing
  >>> header if present, else the Hop-by-Hop Options header if present, else
  >>> no extension headers.
  >>> (3) Extension header order is: IPv6 header, Hop-by-Hop Options header,
  >>> Destination Options header, Routing header, Fragment header,
  >>> Authentication header, Encapsulating Security Payload header,
  >>> Destination Options header, upper-layer header
  >>>
  >>> So, as far as I can see, there are only 3 scenarios where the Next
  >>> Header value inside the Fragment header is not ND(including SEND, as
  >>> this is just ND options)/DHCP:
  >>> (a) AH
  >>> (b) ESP
  >>> (c) Destination Option
  >>>
  >>> IMHO, ND/DHCP messages with such extension headers are not common ...
  >>>
  >>>
  >>>> >
  >>>> >  Then the SAVI devices can assume and require that the known ULP is
  >>>> >  contained in the first fragment, thus they can determine whether a
  >>>> >  packet is ND/DHCP/SEND, and reject any such packets that include a
  >>>> >  fragment header.
  >>> Indeed, we could assume for each SAVI mechanism that:
  >>> - if the Next Header value inside the Fragment header is ND/UDP(DHCP),
  >>> the packet is processed
  >>> - else the packet is dropped and the incident is logged
  >>>
  >>> As SAVI has a site/link scope, with the logs, IMHO, it should be
  >>> easier for the SAVI admin to understand/solve the issue.
  >>>
  >>> Best regards.
  >>>
  >>> JMC.
  >>>
  >>>
  >>>
  >>
  >
  _______________________________________________
  savi mailing list
  savi@ietf.org
  https://www.ietf.org/mailman/listinfo/savi




--------------------------------------------------------------------------------
_______________________________________________
savi mailing list
savi@ietf.org
https://www.ietf.org/mailman/listinfo/savi

v2.23.0 | Report a Bug | By Email