Re: [savi] Potential issue for all SAVI mechanisms?
Jean-Michel Combes <jeanmichel.combes@gmail.com> Mon, 05 September 2011 17:09 UTC
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC07C21F883A for <savi@ietfa.amsl.com>; Mon, 5 Sep 2011 10:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.011
X-Spam-Level:
X-Spam-Status: No, score=-103.011 tagged_above=-999 required=5 tests=[AWL=-0.012, BAYES_00=-2.599, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MZRhkv27hoR for <savi@ietfa.amsl.com>; Mon, 5 Sep 2011 10:09:12 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id CA18021F861A for <savi@ietf.org>; Mon, 5 Sep 2011 10:09:11 -0700 (PDT)
Received: by yxj17 with SMTP id 17so2869770yxj.31 for <savi@ietf.org>; Mon, 05 Sep 2011 10:10:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=3xyImY6KVw5V1zF9VUF98FcwavMo0lxJe80/8DLXm/U=; b=tXmBrWSzoxk7kSkWMSo9H2gnJ0IWpcWmQtMOcDAmEjL60KJPUR+pMgQy0/ByKfP9lv MzIpRKjAOsyyk1IOQlf+o9c91axdWjEhng71+Gf4u3Afy170ehenOXo+lRzwOmlj2Ic/ 16j0xkWoLuEJCIoZuoid/ooPbt1vqWQlNxw3Q=
MIME-Version: 1.0
Received: by 10.236.200.195 with SMTP id z43mr18739292yhn.127.1315242656208; Mon, 05 Sep 2011 10:10:56 -0700 (PDT)
Received: by 10.146.83.11 with HTTP; Mon, 5 Sep 2011 10:10:56 -0700 (PDT)
In-Reply-To: <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com> <4E0A11D8.5010300@joelhalpern.com> <BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com> <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com>
Date: Mon, 05 Sep 2011 19:10:56 +0200
Message-ID: <CAA7e52qv+XtVzGy-rS0r9DUxyxA4DZeESz6QR7ExB2mjbdr4+w@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: SAVI Mailing List <savi@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Sep 2011 17:09:12 -0000
A friendly reminder: > Comments/alternative text (deadline: 8-september-2011) are welcome! Thanks! Best regards. JMC. 2011/8/18 Jean-Michel Combes <jeanmichel.combes@gmail.com>: > Hi, > > I would like to come back on this point and find a consensus. > Here is the text I propose to be added in the Security Considerations > section of any SAVI solution document (i.e., FCFS, DHCP, SEND and MIX > documents) as residential threats: > > <TEXT: only keep ND for FCFS/SEND SAVI and only keep UDP(DHCP) for DHCP SAVI> > o SAVI limitations > In some cases, the SAVI device could not be able to process IP packets > and so to update correctly the Binding Table. For example, this could > be the case for encrypted packets (i.e., with IPsec/ESP) or fragmented > packets. To mitigate this last case, the SAVI device SHOULD proceed as > follows: > - If the Next Header value inside the Fragment header is ND/UDP(DHCP), > the packet is processed by the SAVI device, > - If the Next Header value inside the Fragment header is not > ND/UDP(DHCP) but there is a binding, the packet is processed by the > SAVI device, > - Else the packet is dropped and the incident is logged. > </TEXT> > > Comments/alternative text (deadline: 8-september-2011) are welcome! > > Thanks in advance. > > Best regards. > > JMC. > > 2011/6/28 Jean-Michel Combes <jeanmichel.combes@gmail.com>: >> Hi Joel, >> >> 2011/6/28 Joel M. Halpern <jmh@joelhalpern.com>: >>> I don't think this works. >>> The question is not how often ND packets have that structure, but whether >>> 1) Hosts will accept ND packets with that structure >>> and >>> 2) Other protocols will use that structure. >>> >>> If both of those are true, which they currently are, then a SAVI device >>> can not detect an ND packet which is fragmented and hiding behind >>> destination options. >>> But, contrary to your resolution below, since other protocols use that >>> construct, SAVI devices can not simply drop all packets that are >>> fragmented and where the only visible next header is destination options >>> (or AH, or ESP.) they would be dropping legitimate data packets. >> >> Yep, I missed this ... So, a new proposal: >> - if the Next Header value inside the Fragment header is ND/UDP(DHCP), >> the packet is processed by the SAVI device >> - if the Next Header value inside the Fragment header is not >> ND/UDP(DHCP) and there is a binding, the packet is processed by the >> SAVI device >> - else the packet is dropped and the incident is logged >> >>> >>> It does not matter whether any legitimate sender of ND messages would >>> ever use that construct. >>> >>> As far as I can tell, the only path to sanity here is for the hosts not >>> to accept such packets. >>> And that is a matter for 6man, not for SAVI. We should simply document >>> this as a residual threat. >> >> IMHO, this is a matter for SAVI too, because, if the SAVI device is >> not able to process fragmented ND/DHCP packets from a node to >> correctly update the Binding Table, by default, any packet from this >> node will be dropped by the SAVI device even if hosts accept such >> packets. >> >> Cheers. >> >> JMC. >> >>> >>> Yours, >>> Joel >>> >>> >>> On 6/28/2011 1:26 PM, Jean-Michel Combes wrote: >>>> Based on RFC 2460: >>>> (1) the Next Header value inside the Fragment header identifies the >>>> first header of the Fragmentable Part of the original packet >>>> (2) The Unfragmentable Part consists of the IPv6 header plus any >>>> extension headers that must be processed by nodes en route to the >>>> destination, that is, all headers up to and including the Routing >>>> header if present, else the Hop-by-Hop Options header if present, else >>>> no extension headers. >>>> (3) Extension header order is: IPv6 header, Hop-by-Hop Options header, >>>> Destination Options header, Routing header, Fragment header, >>>> Authentication header, Encapsulating Security Payload header, >>>> Destination Options header, upper-layer header >>>> >>>> So, as far as I can see, there are only 3 scenarios where the Next >>>> Header value inside the Fragment header is not ND(including SEND, as >>>> this is just ND options)/DHCP: >>>> (a) AH >>>> (b) ESP >>>> (c) Destination Option >>>> >>>> IMHO, ND/DHCP messages with such extension headers are not common ... >>>> >>>> >>>>> > >>>>> > Then the SAVI devices can assume and require that the known ULP is >>>>> > contained in the first fragment, thus they can determine whether a >>>>> > packet is ND/DHCP/SEND, and reject any such packets that include a >>>>> > fragment header. >>>> Indeed, we could assume for each SAVI mechanism that: >>>> - if the Next Header value inside the Fragment header is ND/UDP(DHCP), >>>> the packet is processed >>>> - else the packet is dropped and the incident is logged >>>> >>>> As SAVI has a site/link scope, with the logs, IMHO, it should be >>>> easier for the SAVI admin to understand/solve the issue. >>>> >>>> Best regards. >>>> >>>> JMC. >>>> >>>> >>>> >>> >> >
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- [savi] Potential issue for all SAVI mechanisms? Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Mikael Abrahamsson
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Eric Levy-Abegnoli
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Guang Yao
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García