Re: [secdir] SecDir review of draft-ietf-6man-ext-transmit-03

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 26 September 2013 05:21 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 714C221F9CEA; Wed, 25 Sep 2013 22:21:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.562
X-Spam-Level:
X-Spam-Status: No, score=-102.562 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t+juXxepBv4Q; Wed, 25 Sep 2013 22:21:38 -0700 (PDT)
Received: from mail-pb0-x229.google.com (mail-pb0-x229.google.com [IPv6:2607:f8b0:400e:c01::229]) by ietfa.amsl.com (Postfix) with ESMTP id 53AC111E8146; Wed, 25 Sep 2013 22:21:38 -0700 (PDT)
Received: by mail-pb0-f41.google.com with SMTP id rp2so637044pbb.14 for <multiple recipients>; Wed, 25 Sep 2013 22:21:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=1z44fY5xejgrqg56S0dL8nfqxIIRdEwyEfEEjW1O9tI=; b=mRWc+Xf6SvpOBDxyQ3ZlDSLaJCei/dD3Og7Uh5hxvb7t70NnLiumO4PPYy3U/qFnie bFbqgb5Ft4bJlKSpifFnHHPBOLzrdP7UAyI5BTVafx96jL9g5T8Ih83Ya0wJFkqhVwkU wFSxJd8LdVdCc4PwIobtERjv650tDgBzVTBWf80VMIZEdNGQsI8txUOH3hymsBFEIIH+ lS+g4u9auzCwbCEBkO4rZMHXTd6am2yARHL6bL39MtwYhY8bH3/MEHv55FkqT4lV8sDX Ek2S6QerKUb9oQjkIfqu1CaCpSF5pz/blRNBkwHtvspOzn+6CAWCi9wndxdrsjbrQe/s 8NXw==
X-Received: by 10.68.96.130 with SMTP id ds2mr26996820pbb.99.1380172897969; Wed, 25 Sep 2013 22:21:37 -0700 (PDT)
Received: from [192.168.178.20] (90.200.69.111.dynamic.snap.net.nz. [111.69.200.90]) by mx.google.com with ESMTPSA id dw3sm51641181pbc.17.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 25 Sep 2013 22:21:37 -0700 (PDT)
Message-ID: <5243C45A.3070708@gmail.com>
Date: Thu, 26 Sep 2013 17:21:30 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F677CE96C5@CVA-MB002.centreville.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F677CE96C5@CVA-MB002.centreville.ads.sparta.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "draft-ietf-6man-ext-transmit.all@tools.ietf.org" <draft-ietf-6man-ext-transmit.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-ext-transmit-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2013 05:21:39 -0000

Sandy,

Thanks again for the extensive review. We have a new version out:

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-6man-ext-transmit

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-6man-ext-transmit-04

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-6man-ext-transmit-04

Now some direct responses to your review:

On 24/09/2013 10:50, Murphy, Sandra wrote:
...

> The security considerations section discusses mandated behavior for
> firewalls in particular, but without explaining the security
> implications of that mandated behavior.  

A new paragraph has been added.

...

> 
> RFC 4727 security considerations section speaks of the security
> concerns of experimental values that would apply to unrecognized
> extension headers as well.  RFC6564 mentions the potential for a
> covert channel through forwarded unrecognized extension headers.  The
> security considerations section here would be improved by using or
> referring to those sorts of discussions.

OK

> 
> Aside from the security considerations section, I puzzled over many
> parts of this document.  I am not an IPv6 implementers (or of anything
> else), but I believe that some of the language would be ambiguous in
> implementing this draft.
> 
> standardized vs standard vs experimental
> ----------------------------------------
> 
> The draft text says "standardized" in many places where it appears it
> means "published in an IETF specification", and in other places where it
> appears it means "an extension header defined as a standard".  

I think that comes to the same thing. Some extension headers are hidden
in broader specs, others have stand-alone RFCs.

> Sometimes
> "standardized" and "experimental" seem to be mutually exclusive.
> Sometimes "experimental" seems to be one of the set of "standardized'
> extensions.

That, unfortunately, is reality. RFC5201 is an Experimental RFC that defines
an extension header. RFC4727 is a Proposed Standard RFC that defines values
for experimental use. RFC3692 is a BCP that does the same (and, I think, makes
the assignment for RFC5201 illegal, if you're picky).

> That language should be cleared up.
> 
> I read this presuming that "standard/standardized" and "experimental"
> mean "defined in an IETF Standards Track RFC" and "defined in an IETF
> Experimental RFC".  That should be clearer.

We've defined and tried to clarify the terminology, but the confusion is intrinsic
to the existing RFCs. We've attempted to be consistent, at least.

> "by default" and "configuration" and "policy"
> --------------------------------------------
> 
> Section 2.1 says:
> 
> I found the text concerning configuration of policy to discard unrecognize
> extensions and default behavior to be unclear:
> 
> The section starts with:
> 
>                                                        Exceptionally, if
>    this node is designed to examine extension headers for any reason,
>    such as firewalling, it MUST recognise and deal appropriately with
>    all standardised IPv6 extension header types 
> 
> and then
> 
>    RFC 2460 requires destination hosts to discard packets containing
>    unrecognised extension headers.  However, intermediate forwarding
>    nodes SHOULD NOT do this by default,
> 
> and then
> 
>    Experimental IPv6 extension headers, including types 253 and 254
>    defined by [RFC3692] and [RFC4727], SHOULD be treated in the same way
>    as standardised extension headers, but they MAY be dropped by
>    default.
> 
> The text "SHOULD NOT do this by default" and "MAY be dropped by
> default" sound inconsistent to me.

Yes, those ideas are squeezed into too few words.
> 
> 
> The text goes on to say:
> 
>    Forwarding nodes MUST be configurable to allow packets containing
>    unrecognised extension headers, but such packets MAY be dropped by
>    default.
> 
> The text "SHOULD NOT do this by default" and "MAY be dropped by
> default" sound inconsistent to me.
> 
> I'm not clear of the intent.  

What we are trying to do is reconcile the IPv6 architecture that *requires"
all forwarding nodes to allow all extension headers with the firewall role
that requires firewalls to drop suspect packets. We've tuned the language.
There is a logical cascade here:

All nodes MUST recognise all valid extension headers
  Firewalls MUST NOT discard extension headers without good reason
  (expressed as SHOULD NOT discard valid headers by default)
     Except that firewalls MAY discard experimental/unrecognised headers by default.


> The first paragraph above, I believe, is
> arguing against having a hard coded response to unrecognized extension
> headers.  The later text mandating configurability is intended, I
> believe, to force/allow the operator to make a deliberate choice.  But
> then allowing the configuration to have a default that would drop
> unrecognized extension headers seems to me to return to the situation
> the first paragraph warns against.

That's not intended, but we're ttrying to be realistic about what firewall
vendors are likely to set as defaults.  We don't think they would allow
experimental values through by default, whatever we wrote.

> 
> IANA considerations section
> ---------------------------
> 
>    IANA is requested to clearly mark in the Assigned Internet Protocol  
>    Numbers registry those values which are also IPv6 Extension Header
>    types defined by an IETF action, for example by adding an extra
>    column to indicate this.
> 
> I believe "an IETF action" is unclear.  By RFC5237, these fields in the
> current registry are presently assigned by "IESG Approval or Standards
> Action".  

IANA didn't query this, but you are right. We didn't put "Standards Action"
because of experimental values. We need to put "Standards Action or
IESG Approval" to match RFC5226.

> I don't know that you want IESG Approval (which requires no
> RFC) for new extension types.  If I'm right that you expect standard
> extension headers to be defined in Standrads Track RFCs and experimental
> extension headers to be defined in Experimental RFCs, I believe that you
> want "Standards Action or IETF Review".  But I'm not an expert in IANA
> registries, you probably should get another opinion.
> 
>    Additionally, IANA is requested to replace the existing empty IPv6
>    Next Header Types registry by an IPv6 Extension Header Types
>    registry.
> 
> Given that the new registry has a new name, there is no need to replace
> the existing registry with the renamed registry.  True, it is empty
> except for a reference to the protocol numbers registry, but there are
> references in documentation etc. to the Next Header Types registry that
> would become dangling references.  Might as well leave it.

Good catch, but I think leaving it empty is also misleading. We have now
asked IANA to insert a pointer to redirect the dangling reference.

> 
> Section 4.2 of RFC5226 has an explicit template for "What to Put in
> Documents That Create a Registry".  The information in this section
> covers most of what is needed, but not all.  It would be easiest to just
> follow the template.

I'll check, but I think that following IANA's comments we have
covered everthinng now.

> 
> Section 2.1 says
> 
>                                                  Packets containing
>    standardised and undeprecated Routing Headers SHOULD be forwarded by
>    default.  At the time of writing, these include Type 2 [RFC6275],
>    Type 3 [RFC6554],
> 
> I am not certain what the new extension header IANA registry should
> say in this case.  The protocol numbers registry lists only the type
> 43, with routing types in a subregistry of the Internet Protocol
> Version 6 (IPv6) Parameters registry.

Yes, they don't seem to belong here.

> 
> The IPv6 parameters registry also shows that some of the registered
> options for Destination Options and Hop-by-Hop Options are Standards
> Track and some are Experimental, so I'm not sure what the registry
> entries should say for those extension headers.  That's particularly
> important given the encouragement to use these Destination Options in
> lieu of creating new extension headers.  Not that it looks like anyone
> is paying any attention to that advice.

The option headers themselves are standards track, being built into RFC2460.
We really don't want to dive into individual options in this document.
Admittedly, firewall developers may feel they have to do so, but we can't
legislate everything.

> 
> Quibbles
> -------
> 
> Section 1 says:
> 
>              This document focuses on clarifying how the header chain
>    should be traversed in the current IPv6 architecture.
> 
> I don't believe that this document changes how the header chain is
> traversed, but how unrecognzied headers are treated.

Correct.

> 
> 
> In section 3 Security Considerations
> 
>                                      In particular, packets containing
>    standard extension headers are only to be discarded as a result of a
>    configurable policy.
> 
> This disagrees with Section 2.1, which says that 
> 
>                                             The default configuration
>    SHOULD allow all standardised extension headers.
> 
> 
> and
> 
>    Forwarding nodes MUST be configurable to allow packets containing
>    unrecognised extension headers, but such packets MAY be dropped by
>    default.
> 
> which both seem to allow discarding without an explicit configuration
> to discard.

For headers unknown to the firewall, yes. We don't seriously expect anything
else as a factory default.

> 
> In Section 3
> 
>    will need to take account of them. 
> 
> I think you mean "take them into account".

OK

> 
> --Sandy
> 
> Based on checking RFC4727, RFC3692, RFC6564, RFC2460, RFC5237, RFC2780, RFC5226, IANA registry for Assigned Internet Protocol Numbers, RFC6275, RFC6554, and IANA registry for Destination Options and Hop-by-Hop Options.  So I could easily be confused.
>