IETF Logo Mail Archive

Re: [savi] Potential issue for all SAVI mechanisms?

Jean-Michel Combes <jeanmichel.combes@gmail.com> Mon, 05 September 2011 17:09 UTC

Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC07C21F883A for <savi@ietfa.amsl.com>; Mon, 5 Sep 2011 10:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.011
X-Spam-Level:
X-Spam-Status: No, score=-103.011 tagged_above=-999 required=5 tests=[AWL=-0.012, BAYES_00=-2.599, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MZRhkv27hoR for <savi@ietfa.amsl.com>; Mon, 5 Sep 2011 10:09:12 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id CA18021F861A for <savi@ietf.org>; Mon, 5 Sep 2011 10:09:11 -0700 (PDT)
Received: by yxj17 with SMTP id 17so2869770yxj.31 for <savi@ietf.org>; Mon, 05 Sep 2011 10:10:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=3xyImY6KVw5V1zF9VUF98FcwavMo0lxJe80/8DLXm/U=; b=tXmBrWSzoxk7kSkWMSo9H2gnJ0IWpcWmQtMOcDAmEjL60KJPUR+pMgQy0/ByKfP9lv MzIpRKjAOsyyk1IOQlf+o9c91axdWjEhng71+Gf4u3Afy170ehenOXo+lRzwOmlj2Ic/ 16j0xkWoLuEJCIoZuoid/ooPbt1vqWQlNxw3Q=
MIME-Version: 1.0
Received: by 10.236.200.195 with SMTP id z43mr18739292yhn.127.1315242656208; Mon, 05 Sep 2011 10:10:56 -0700 (PDT)
Received: by 10.146.83.11 with HTTP; Mon, 5 Sep 2011 10:10:56 -0700 (PDT)
In-Reply-To: <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com> <4E0A11D8.5010300@joelhalpern.com> <BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com> <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com>
Date: Mon, 05 Sep 2011 19:10:56 +0200
Message-ID: <CAA7e52qv+XtVzGy-rS0r9DUxyxA4DZeESz6QR7ExB2mjbdr4+w@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: SAVI Mailing List <savi@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Sep 2011 17:09:12 -0000

A friendly reminder:
> Comments/alternative text (deadline: 8-september-2011) are welcome!

Thanks!

Best regards.

JMC.

2011/8/18 Jean-Michel Combes <jeanmichel.combes@gmail.com>:
> Hi,
>
> I would like to come back on this point and find a consensus.
> Here is the text I propose to be added in the Security Considerations
> section of any SAVI solution document (i.e., FCFS, DHCP, SEND and MIX
> documents) as residential threats:
>
> <TEXT: only keep ND for FCFS/SEND SAVI and only keep UDP(DHCP) for DHCP SAVI>
> o SAVI limitations
> In some cases, the SAVI device could not be able to process IP packets
> and so to update correctly the Binding Table. For example, this could
> be the case for encrypted packets (i.e., with IPsec/ESP) or fragmented
> packets. To mitigate this last case, the SAVI device SHOULD proceed as
> follows:
> - If the Next Header value inside the Fragment header is ND/UDP(DHCP),
> the packet is processed by the SAVI device,
> - If the Next Header value inside the Fragment header is not
> ND/UDP(DHCP) but there is a binding, the packet is processed by the
> SAVI device,
> - Else the packet is dropped and the incident is logged.
> </TEXT>
>
> Comments/alternative text (deadline: 8-september-2011) are welcome!
>
> Thanks in advance.
>
> Best regards.
>
> JMC.
>
> 2011/6/28 Jean-Michel Combes <jeanmichel.combes@gmail.com>:
>> Hi Joel,
>>
>> 2011/6/28 Joel M. Halpern <jmh@joelhalpern.com>:
>>> I don't think this works.
>>> The question is not how often ND packets have that structure, but whether
>>> 1) Hosts will accept ND packets with that structure
>>> and
>>> 2) Other protocols will use that structure.
>>>
>>> If both of those are true, which they currently are, then a SAVI device
>>> can not detect an ND packet which is fragmented and hiding behind
>>> destination options.
>>> But, contrary to your resolution below, since other protocols use that
>>> construct, SAVI devices can not simply drop all packets that are
>>> fragmented and where the only visible next header is destination options
>>> (or AH, or ESP.)  they would be dropping legitimate data packets.
>>
>> Yep, I missed this ... So, a new proposal:
>> - if the Next Header value inside the Fragment header is ND/UDP(DHCP),
>> the packet is processed by the SAVI device
>> - if the Next Header value inside the Fragment header is not
>> ND/UDP(DHCP) and there is a binding, the packet is processed by the
>> SAVI device
>> - else the packet is dropped and the incident is logged
>>
>>>
>>> It does not matter whether any legitimate sender of ND messages would
>>> ever use that construct.
>>>
>>> As far as I can tell, the only path to sanity here is for the hosts not
>>> to accept such packets.
>>> And that is a matter for 6man, not for SAVI.  We should simply document
>>> this as a residual threat.
>>
>> IMHO, this is a matter for SAVI too, because, if the SAVI device is
>> not able to process fragmented ND/DHCP packets from a node to
>> correctly update the Binding Table, by default, any packet from this
>> node will be dropped by the SAVI device even if hosts accept such
>> packets.
>>
>> Cheers.
>>
>> JMC.
>>
>>>
>>> Yours,
>>> Joel
>>>
>>>
>>> On 6/28/2011 1:26 PM, Jean-Michel Combes wrote:
>>>> Based on RFC 2460:
>>>> (1) the Next Header value inside the Fragment header identifies the
>>>> first header of the Fragmentable Part of the original packet
>>>> (2) The Unfragmentable Part consists of the IPv6 header plus any
>>>> extension headers that must be processed by nodes en route to the
>>>> destination, that is, all headers up to and including the Routing
>>>> header if present, else the Hop-by-Hop Options header if present, else
>>>> no extension headers.
>>>> (3) Extension header order is: IPv6 header, Hop-by-Hop Options header,
>>>> Destination Options header, Routing header, Fragment header,
>>>> Authentication header, Encapsulating Security Payload header,
>>>> Destination Options header, upper-layer header
>>>>
>>>> So, as far as I can see, there are only 3 scenarios where the Next
>>>> Header value inside the Fragment header is not ND(including SEND, as
>>>> this is just ND options)/DHCP:
>>>> (a) AH
>>>> (b) ESP
>>>> (c) Destination Option
>>>>
>>>> IMHO, ND/DHCP messages with such extension headers are not common ...
>>>>
>>>>
>>>>> >
>>>>> >  Then the SAVI devices can assume and require that the known ULP is
>>>>> >  contained in the first fragment, thus they can determine whether a
>>>>> >  packet is ND/DHCP/SEND, and reject any such packets that include a
>>>>> >  fragment header.
>>>> Indeed, we could assume for each SAVI mechanism that:
>>>> - if the Next Header value inside the Fragment header is ND/UDP(DHCP),
>>>> the packet is processed
>>>> - else the packet is dropped and the incident is logged
>>>>
>>>> As SAVI has a site/link scope, with the logs, IMHO, it should be
>>>> easier for the SAVI admin to understand/solve the issue.
>>>>
>>>> Best regards.
>>>>
>>>> JMC.
>>>>
>>>>
>>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email