Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

Hannes Gredler <hannes@juniper.net> Fri, 11 October 2013 18:33 UTC

Date: Fri, 11 Oct 2013 20:32:22 +0200
From: Hannes Gredler <hannes@juniper.net>
To: Jari Arkko <jari.arkko@piuha.net>
Message-ID: <20131011183222.GA30073@juniper.net>
References: <525639F6.8010503@cisco.com> <201310101354.r9ADsib8019588@cichlid.raleigh.ibm.com> <70D84A40-EB41-4D70-983A-DE3EB9FFE876@piuha.net> <5256E527.1030806@cisco.com> <37FBE6FA-0ECE-478A-861A-FD4CC0A8FC74@piuha.net>
Cc: Thomas Narten <narten@us.ibm.com>, "iesg@ietf.org" <iesg@ietf.org>, "status@ietf.org" <status@ietf.org>, stbryant@cisco.com
Subject: Re: [Status] Jari Arkko's BLOCK on charter-ietf-spring-00-06

On Fri, Oct 11, 2013 at 04:11:53PM +0300, Jari Arkko wrote:
| After some off-line chatting, I have a proposal for text to be added to the charter:
| 
| There are a number of serious security concerns with source routing at the IP layer [RFC 5095].  As a part of its work, the working group will define the new IPv6-based routing header in a way that blind attacks are never possible, i.e., attackers will be unable to send source routed packets that get successfully processed, without being part of the negotiations for setting up the source routes or being able to eavesdrop on legitimate source routed packets. In some networks this base level security may be complemented with other mechanisms, such as packet filtering, cryptographic security, etc.
| 
| Would this work for people? FWIW from what I can tell, the above should be relatively easily doable, short cookies in headers, etc. It would remove my main concern of accidentally turned on devices becoming a security hole. It would also help deployment, as firewalls might otherwise default to blocking all kinds of routing headers.

jari,

I do not think that packet filtering is feasible in the default-free zone
of the Internet. Can you take packet filtering off in favour of security cookies?

tx,

/hannes
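The cookie idea in the charter text quoted above, as an added example that is not part of this thread or of any IETF specification: a node processes a source-routing header only if it carries a short cookie derived from a secret shared during route setup, so an off-path ("blind") attacker cannot forge one. The header layout, routing type value, cookie size, the keying by source address and the sample addresses and secret are all assumptions constructed for this illustration.

```python
"""Added example (not from the SPRING thread or any IETF spec).

Models the property the proposed charter text asks for: a node processes a
source-routing header only if it carries a short cookie that an off-path
("blind") attacker cannot know.  Header layout, routing type number, cookie
size and keying by source address are assumptions for this illustration.
"""
import hashlib
import hmac
import struct

COOKIE_LEN = 4     # "short cookie": 32 bits, so a blind guess succeeds with p = 2**-32 per packet
SEG_LEN = 16       # one IPv6 address per segment
ROUTING_TYPE = 99  # hypothetical routing type value
FIXED = struct.Struct("!BBBB")  # next_header, hdr_ext_len, routing_type, segments_left


def derive_cookie(peer_secret: bytes, segments: list[bytes]) -> bytes:
    """Cookie = truncated HMAC over the segment list, keyed with the secret the
    peer and this node agreed on when the source route was set up.  Binding the
    cookie to the segment list stops a captured cookie being moved to another route."""
    mac = hmac.new(peer_secret, b"".join(segments), hashlib.sha256).digest()
    return mac[:COOKIE_LEN]


def build_header(next_header: int, segments: list[bytes], cookie: bytes) -> bytes:
    body = cookie + b"".join(segments)
    total = FIXED.size + len(body)   # 8 + 16*n octets, always a multiple of 8
    hdr_ext_len = total // 8 - 1     # IPv6 ext-header convention: 8-octet units, first unit not counted
    return FIXED.pack(next_header, hdr_ext_len, ROUTING_TYPE, len(segments)) + body


def parse_header(buf: bytes):
    next_header, hdr_ext_len, rtype, segments_left = FIXED.unpack_from(buf, 0)
    total = (hdr_ext_len + 1) * 8
    if rtype != ROUTING_TYPE or len(buf) < total:
        raise ValueError("wrong routing type or truncated header")
    cookie = buf[FIXED.size:FIXED.size + COOKIE_LEN]
    seg_bytes = buf[FIXED.size + COOKIE_LEN:total]
    if len(seg_bytes) % SEG_LEN:
        raise ValueError("segment list is not whole addresses")
    segments = [seg_bytes[i:i + SEG_LEN] for i in range(0, len(seg_bytes), SEG_LEN)]
    if segments_left > len(segments):
        raise ValueError("segments_left exceeds the segment list")  # RFC 5095-style sanity check
    return next_header, segments_left, cookie, segments


def process_at_node(src: bytes, buf: bytes, peer_secrets: dict) -> tuple:
    """Decision a node makes before forwarding along an embedded route.
    peer_secrets maps a source address to the secret negotiated with that peer;
    a node that never took part in the setup has no entry and accepts nothing."""
    try:
        _, segments_left, cookie, segments = parse_header(buf)
    except ValueError as e:
        return False, f"drop, malformed: {e}"
    secret = peer_secrets.get(src)
    if secret is None:
        return False, "drop, no source route negotiated with this source"
    if not hmac.compare_digest(cookie, derive_cookie(secret, segments)):
        return False, "drop, cookie does not verify (blind or transplanted header)"
    return True, f"forward, {segments_left} segments left"


def demo() -> dict:
    """Constructed scenario; returns which packets the node would process."""
    def addr(last: int) -> bytes:             # 2001:db8::<last>, constructed sample addresses
        return bytes([0x20, 0x01, 0x0d, 0xb8]) + bytes(11) + bytes([last])

    peer_a = addr(0xA)
    secret_a = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed sample secret
    node = {peer_a: secret_a}                 # state left behind by the route negotiation
    route1 = [addr(1), addr(2)]
    route2 = [addr(1), addr(3)]
    good_cookie = derive_cookie(secret_a, route1)
    good_hdr = build_header(59, route1, good_cookie)

    packets = {
        # legitimate sender that negotiated the route
        "legitimate": (peer_a, good_hdr),
        # blind attacker: spoofs A's address but has to guess the cookie
        "blind_forgery": (peer_a, build_header(59, route1, b"\x00" * COOKIE_LEN)),
        # eavesdropper moved A's captured cookie onto a different route
        "transplanted_cookie": (peer_a, build_header(59, route2, good_cookie)),
        # source the node never negotiated with, even with a valid-looking header
        "unknown_source": (addr(0xB), good_hdr),
        # segments_left larger than the list: dropped before any cookie check
        "malformed": (peer_a, good_hdr[:3] + b"\x05" + good_hdr[4:]),
        # eavesdropper replays the captured packet verbatim: accepted, which is
        # exactly the "able to eavesdrop" exception in the proposed charter text
        "replay": (peer_a, good_hdr),
    }
    return {name: process_at_node(src, pkt, node)[0] for name, (src, pkt) in packets.items()}
```

The node never acts on a routing header whose cookie it cannot verify against state it obtained during route setup, which is the "no blind attacks" bar; a 32-bit cookie leaves a blind attacker a 2**-32 chance per packet, and a longer tag raises that cost at the price of header space. The replay case is accepted on purpose: a cookie alone does not stop an on-path eavesdropper, which is why the proposed text exempts eavesdroppers and leaves cryptographic security as a complement.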