IETF Logo Mail Archive

Re: [savi] Potential issue for all SAVI mechanisms?

"Jun Bi" <junbi@cernet.edu.cn> Wed, 22 June 2011 06:13 UTC

Return-Path: <junbi@cernet.edu.cn>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C9911E8094 for <savi@ietfa.amsl.com>; Tue, 21 Jun 2011 23:13:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.903
X-Spam-Level:
X-Spam-Status: No, score=-99.903 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FH_HAS_XAIMC=2.696, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DZaFRm1XKUBW for <savi@ietfa.amsl.com>; Tue, 21 Jun 2011 23:13:16 -0700 (PDT)
Received: from cernet.edu.cn (sea.net.edu.cn [202.112.39.2]) by ietfa.amsl.com (Postfix) with SMTP id 84F3011E8090 for <savi@ietf.org>; Tue, 21 Jun 2011 23:13:12 -0700 (PDT)
Received: from junbiVAIOz138([59.66.24.191]) by cernet.edu.cn(AIMC 3.2.0.0) with SMTP id jm124e01a4d0; Wed, 22 Jun 2011 14:13:06 +0800
Message-ID: <F99E78390AD34DEF90AD750AA2C44E2F@junbiVAIOz138>
From: Jun Bi <junbi@cernet.edu.cn>
To: marcelo bagnulo braun <marcelo@it.uc3m.es>, savi@ietf.org
References: <BANLkTi=Te8AS+sdhOGtCvgFqa48dHc80WQ@mail.gmail.com> <F29187458BA64F46BE7069B37C4CF19D@junbiVAIOz138> <4E013482.3080405@joelhalpern.com> <70DEE8BFA1794CA9B6694032363C3460@junbiVAIOz138><4E01799E.7010109@joelhalpern.com> <4E017E70.9020907@it.uc3m.es>
In-Reply-To: <4E017E70.9020907@it.uc3m.es>
Date: Wed, 22 Jun 2011 14:13:06 +0800
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"; reply-type="response"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
X-AIMC-AUTH: junbi
X-AIMC-MAILFROM: junbi@cernet.edu.cn
X-AIMC-Msg-ID: MA4gQ90B
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2011 06:13:17 -0000

For DHCP reply, it is the samilar case at RA turst port, it can be handled 
only at DHCP-TRUST port.

thanks,
Jun

-----原始邮件----- 
From: marcelo bagnulo braun
Sent: Wednesday, June 22, 2011 1:32 PM
To: savi@ietf.org
Subject: Re: [savi] Potential issue for all SAVI mechanisms?

Right, for the SLAAC case we should differentiate two cases:
the case of RA and the case of NS and NA.

The case of RA i think it is easy to solve. Only RA coming from trusted
ports should be processed and if you have an attacker there you have
bigger problems than the possibility of receiving fragmented RAs. The
current SLAAC draft doesn states that a SAVI device must only process RA
coming from trusted ports, but i think we should add text about this.

The case of NA and NS is much more difficult to handle since they are
the main messages used by non trusted hosts/ports.
In this case, i still think that it would be importnat to understnad if
there is reasonable cases where a legitimate user needs to send
fragmented NA and NS.

Regards, marcelo



El 22/06/11 07:11, Joel M. Halpern escribió:
> You are missing the point.
> There is no rule that prevents a legitimate host from choosing to fragment 
> the packets.
> Therefore, we can not simply drop short fragments.
> This means that a malicious device can choose to generate short fragments 
> in order to mislead the filters.  It can not mislead the filters about the 
> IP address.  But it can create false DHCP replies or RAs.
>
> The net effect would be to cause hosts to be unable to communicate, since 
> they would be using improper addresses.
>
> yours,
> Joel
>
> On 6/22/2011 12:35 AM, Jun Bi wrote:
>> In the Ethernet environment, the MTU is 1500, DHCP reply is not a large
>> packet and it won't be fragmented.
>> Maybe the packet size of RA is large and might be fragmented, but it is
>> not processed in SAVI.
>>
>> thanks,
>> Jun Bi
>>
>> -----原始邮件----- From: Joel M. Halpern
>> Sent: Wednesday, June 22, 2011 8:17 AM
>> To: Jun Bi
>> Cc: Jean-Michel Combes ; SAVI Mailing List
>> Subject: Re: [savi] Potential issue for all SAVI mechanisms?
>>
>> I do not think this is a sufficient answer. Whether the device is a
>> switch or a router, reassembling or maintaining packet state across
>> fragements is a non-trivial undertaking.
>>
>> I can imagine some kludges to get around this, but they have broader
>> impact than just SAVI. (For example, rejecting first packets that do
>> not have enough information to determine whether or not they are
>> claiming to be RAs or DHCP replies.)
>>
>> Yours,
>> Joel
>>
>> On 6/21/2011 9:56 AM, Jun Bi wrote:
>>> Hi Jean-Michel,
>>>
>>> What we are talking about "savi switch" is a 2.5 layer switch (layer 2
>>> switch in data plan with layer 3-aware in controll/management plan).
>>> So what I know from switch vendor is that the 2.5 layer switch chip or
>>> the stronger CPU can handel it.
>>> For example, the chip can recongnize the Protocol ID field of IP packets
>>> to recongznie HDCP or NDP packets (even in fragments),
>>> then copy them to switch CPU. The CPU can handle it.
>>>
>>> The SAVI switch has been really implmented and deployed, so I did really
>>> see any problem in real network.
>>> BTW, it seems that SAVI switch doesn't snoop and process RA packets for
>>> binding, so maybe RA packet is different.
>>>
>>> thanks,
>>> Jun Bi
>>>
>>> -----原始邮件----- From: Jean-Michel Combes
>>> Sent: Tuesday, June 21, 2011 9:37 PM
>>> To: SAVI Mailing List
>>> Subject: [savi] Potential issue for all SAVI mechanisms?
>>>
>>> Hi,
>>>
>>> Maybe you already know that there is a discussion on v6ops/6man MLs
>>> about RA Guard evasion (cf.
>>> http://www.ietf.org/mail-archive/web/ipv6/current/msg14204.html).
>>> One of the methods to perform this evasion is fragmentation: it seems
>>> that a L2 device would not be able to re-assemble all the fragments
>>> without an important extra-cost and so would not be able to determine
>>> whether or not the message is a Router Advertisement (cf.
>>> http://www.ietf.org/mail-archive/web/ipv6/current/msg14240.html).
>>>
>>> Knowing that:
>>> (1) In common use-case, SAVI device is a L2 device
>>> (2) SAVI mechanisms are based on NDP/SEND/DHCP messages inspection
>>>
>>> I am wondering whether or not fragmentation would not impact strongly
>>> SAVI specifications too: any fragmented NDP/SEND/DHCP message could
>>> not update correctly the Binding Table and so what would be the
>>> consequences?
>>>
>>> I would appreciate comments from WG members, especially
>>> implementors/manufacturers, about this.
>>>
>>> Thanks in advance for your replies.
>>>
>>> Best regards.
>>>
>>> JMC.
>>> _______________________________________________
>>> savi mailing list
>>> savi@ietf.org
>>> https://www.ietf.org/mailman/listinfo/savi
>>> _______________________________________________
>>> savi mailing list
>>> savi@ietf.org
>>> https://www.ietf.org/mailman/listinfo/savi
>>
>>
> _______________________________________________
> savi mailing list
> savi@ietf.org
> https://www.ietf.org/mailman/listinfo/savi

_______________________________________________
savi mailing list
savi@ietf.org
https://www.ietf.org/mailman/listinfo/savi

v2.23.0 | Report a Bug | By Email