IETF Logo Mail Archive

Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

joel jaeggli <joelja@bogus.com> Sat, 12 October 2013 00:14 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: status@ietfa.amsl.com
Delivered-To: status@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B64711E81C1; Fri, 11 Oct 2013 17:14:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gDv8FX7i603; Fri, 11 Oct 2013 17:14:24 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 7151B11E81C5; Fri, 11 Oct 2013 17:14:21 -0700 (PDT)
Received: from mb-aye.lan (50-0-150-57.dsl.static.sonic.net [50.0.150.57]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id r9C0EIFN072160 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sat, 12 Oct 2013 00:14:19 GMT (envelope-from joelja@bogus.com)
Content-Type: multipart/signed; boundary="Apple-Mail=_883C2AE2-831A-4D79-B40E-2C48C505889A"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: joel jaeggli <joelja@bogus.com>
In-Reply-To: <5256E527.1030806@cisco.com>
Date: Fri, 11 Oct 2013 17:14:19 -0700
Message-Id: <7F164648-BC3F-4605-9818-AAA02AB44344@bogus.com>
References: <525639F6.8010503@cisco.com> <201310101354.r9ADsib8019588@cichlid.raleigh.ibm.com> <70D84A40-EB41-4D70-983A-DE3EB9FFE876@piuha.net> <5256E527.1030806@cisco.com>
To: stbryant@cisco.com
X-Mailer: Apple Mail (2.1510)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Sat, 12 Oct 2013 00:14:20 +0000 (UTC)
Cc: Thomas Narten <narten@us.ibm.com>, Jari Arkko <jari.arkko@piuha.net>, "iesg@ietf.org" <iesg@ietf.org>, "status@ietf.org" <status@ietf.org>
Subject: Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06
X-BeenThere: status@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Stacked Tunnels for Source Routing \(STATUS\)." <status.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/status>, <mailto:status-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/status>
List-Post: <mailto:status@ietf.org>
List-Help: <mailto:status-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/status>, <mailto:status-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Oct 2013 00:14:26 -0000

On Oct 10, 2013, at 10:34 AM, Stewart Bryant <stbryant@cisco.com> wrote:

> On 10/10/2013 17:39, Jari Arkko wrote:
>> Thomas,
>> 
>>> I think a key point is that with IPv6, we are talking (potentially)
>>> end-to-end exposure of an attack vector. You can have arbitrary end
>>> nodes anywhere on the Internet injecting traffic that potentially
>>> directly invokes or impacts source routing. In contrast, one can view
>>> MPLS as an L2 technology below IP. That means it's deployed in a much
>>> more restricted setting and a normal sender of TCP/IP has a much more
>>> restricted attack vector for doing anything that impacts MPLS directly
>>> (this is key diffference). That means the threat surface for attacks
>>> on MPLS are very different than for IPv6 more generally.
>> Yes - a good point. That is one of those restricted cases where it is possible to provide a reasonably secure solution.
>> 
>> But my understanding is that SPRING was at IPv6 layer as well as on MPLS layer… although the charter does not explicitly say it. Just that it is not IPv4…
>> 
>> If SPRING is expected to run at the IPv6 layer, what is the plan to contain the vulnerability?
>> 
>> Jari
>> 
>> .
>> 
> The following was just posted on the STATUS list and clarifies
> intended IPv6 scope.
> All,
> 
> On the topic of MPLS vs IPv6 - one being L2 hence more secure then the
> other (L3) I would like to observe that any decently managed network
> would already today prohibit to accept any external packets which have
> as destination an infrastructure address of such network. That is the
> basic protection scheme against DOS/DDOS attacks to the
> infrastructure.
> 
Well… not really. we have a lovely document on control-plane protection which encapsulates what a number of operators consider good if not best practice RFC 6192.

One of the recommendations there is to allow but rate limit icmp necessary for for diagnostics. In some circles, icmp is considered an OAM diagnostic function. the operative observation though is the resource consumption potential is sufficicently trivial to understand that it can be managed with rather simple policing.

> When such packet is detected it should be dropped - not "stripped from
> explicit routes" like the above charter update would tend to suggest.
> 
> As some may recall in the past we have been working on automating such
> ACLs installation based in internal IGP addresses on all border
> routers under same administrative domain within single AS or number of
> ASes to ease operational burden. Not sure if all vendors support such
> automation today.
> 
> I think what needs to be understood that segment routing is not
> internet wide source routing technology. It is carefully crafted path
> engineering and packet encapsulation technique within controlled set
> of domains which really do not compare to the original issues and
> security concerns of source routing.
> 
> Best,
> R.
> 
> I could 
> 
> OLD
> The initial data planes that will be considered are MPLS
> and IPv6.
> NEW
> The initial data planes that will be considered are MPLS
> and IPv6 in constrained network scopes.
> 
> END
> 
> Stewart
> 
>

v2.23.0 | Report a Bug | By Email