IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Joe Touch <touch@strayalpha.com> Wed, 05 December 2018 14:31 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 354BB130E0C; Wed, 5 Dec 2018 06:31:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.221
X-Spam-Level:
X-Spam-Status: No, score=-1.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LnMSPqSObmZC; Wed, 5 Dec 2018 06:31:05 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD874130E54; Wed, 5 Dec 2018 06:30:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=wlnm/4w9iSDtG9UBpB6P5vmcGxkLVOnN2AoqN06lXww=; b=1n6KbLsx+4vwTmlkpw98fg3+I mUihhudeKt4Np381Sw6KrBAJB2FPQTA5uIXSWfzdCp+Jh2hQh0FzvZRwp1bkcYzyj07J8y0mZj40l zn9w5laiHhUwxQnYZnja/uQRDkVG8ELTVgI1pJE6rzVNH+QgkACc63UiCBqR7FW/W9lwVCRKZupHH BRs8Dv6VR37lXRaBmfKwUe5d+FsFj4fsYsmflUa6U9F8o3kpyfTcPs7Ud8l/wB6uGBhuYYLcdZ5fm NZF1RYVvA6TytXgqbU0QpfX8NkXlA/DZLNC1CVXrO5jXGYmUCGuL6VAH8z8iRx+GpffCHBwUfcx5w 7ppuJTpKQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:57250 helo=[192.168.1.16]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gUYCQ-000YSE-IP; Wed, 05 Dec 2018 09:30:51 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPad Mail (16B92)
In-Reply-To: <a96a4567-4247-c4d5-9c65-43960e98d17c@foobar.org>
Date: Wed, 05 Dec 2018 06:30:49 -0800
Cc: David Farmer <farmer@umn.edu>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec@ietf.org, tsv-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <C250CA48-CB45-4683-B96C-B977A6688655@strayalpha.com>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com> <CAL9jLaYfysKm7qrG=+jq7zV=5ODnSX-tAhBAiTU7SzYF-YmcGw@mail.gma il.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com> <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org> <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <9a613af3-c71e-1c30-d10a-f8a57aee3250@foobar.org> <8FE8712B-4CFC-450F-AEB8-A7CCD7D2F121@strayalpha.com> <a96a4567-4247-c4d5-9c65-43960e98d17c@foobar.org>
To: Nick Hilliard <nick@foobar.org>
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/0t6Oe8uoVKv5mPgzNNLnJM6pnjE>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 14:31:12 -0000


> On Dec 5, 2018, at 5:54 AM, Nick Hilliard <nick@foobar.org> wrote:
> 
> Joe Touch wrote on 05/12/2018 13:12:
>> The choices below don’t include declaring this a security risk and
>> turning it off.
>> If you want to change the standard, do so. But this isn’t a step
>> isn’t that direction. And the previous attempts only show why IPv6
>> has adoption problems.
>> The standard can still be changed, but regardless, this simply is not
>> a security issue and shouldn’t be sold as one.
> If J Random Hacker in his mom's basement can launch an attack which takes down your network core because your management planes can't handle 1Tbit, or more realistically 10gbit, of HBH packets, then that is categorically a network security issue, even if it is a secondary effect.

So every SNMP packet is an attack as well? As is every routing packet?

A security issue is created when a packet can cause *disproportionate* load. Otherwise it’s just called load.

The security issue is the implementation not throttling such packets to avoid having 10G of them shutting down the control plane. Yes, that’s a security issue, but it’s not the fault of the HBH packets.

Joe

v2.23.0 | Report a Bug | By Email