IETF Logo Mail Archive

Re: [Tsv-art] HbH flags [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Joe Touch <touch@strayalpha.com> Thu, 06 December 2018 04:57 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E81D131023; Wed, 5 Dec 2018 20:57:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.919
X-Spam-Level:
X-Spam-Status: No, score=-0.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, MIME_QP_LONG_LINE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ox-UXzYNbjSS; Wed, 5 Dec 2018 20:57:38 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB528131021; Wed, 5 Dec 2018 20:57:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=ihUvZ5RkfxzFdWjwy1dsNojF8JsCyahjDcQ09WWRwjY=; b=zAq1ohHsfVqoECaolPWMt8deX Hb80HSBHk3SUE0J5PRFQX/XI8qsR/LWzObCqOHQX5DexfAEYVxlYZ9bxOI8CztFZMZfVPYY6Ia7SR jVR9j5pDZv497n20raHxXEdz5fR4xyzxQ8d828fRw35BkU9JCcmLhkJTf7hMnAqBQZvEAhWfkX74j N4GDAa9Zc4qKU+QnVco2ksq1D1sV5te0RqigASxweHA3v9FVvNOsyLG22ZTryQEfe6mbmKxzLV63y 3jQp1moq8KhScZph7kMqk1YdF1UwYYjRsbon0JRLmxxBOvnKEV+0TGmXClc4ZVMVyKR2mDaPRqRQ2 SDa6sIgyQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:53867 helo=[192.168.1.179]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gUljD-000buZ-Mz; Wed, 05 Dec 2018 23:57:38 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPhone Mail (16B92)
In-Reply-To: <260f1445-0690-691b-5aea-83b7a43bfdcb@gmail.com>
Date: Wed, 05 Dec 2018 20:57:22 -0800
Cc: Christopher Morrow <morrowc.lists@gmail.com>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec wg mailing list <opsec@ietf.org>, tsv-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <39A24B3F-1332-4A9B-AAF3-0E9B896F7906@strayalpha.com>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com> <CAL9jLaYfysKm7qrG=+jq7zV=5ODnSX-tAhBAiTU7SzYF-YmcGw@mail.gma il.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <8a676a4a-c76d-9fa5-ce79-534a14cf0511@gmail.com> <2386B45D-8AEE-4C95-BB00-A5A2ABF63F8A@strayalpha.com> <e5198c02-ebc6-ee3e-96cb-fd2831164f41@gmail.com> <02AD0268-BFB8-4CA2-8985-08AFE6013ABB@strayalpha.com> <6c071ce7-609b-fcf2-8977-9159afece9ec@gmail.com> <E008EA4B-74D3-4251-BFB8-B88F544B2A99@strayalpha.com> <260f1445-0690-691b-5aea-83b7a 43bfdcb@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/B2Rc0W-7N1ZMaadQ_OVx9zPjyAs>
Subject: Re: [Tsv-art] HbH flags [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 04:57:43 -0000

Then explain what it means to mark an EH as ‘drop if not supported’ if it isn’t dropped where - well - NOT SUPPORTED.

Or ICMP where not supported. 

Or any of those values. 

I’m talking about a conflict in the text of 8200 - which has those fields as required to support - and 7045, which says they can be silently ignored. 

> On Dec 5, 2018, at 4:38 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> 
>> On 2018-12-06 13:17, Joe Touch wrote:
>> I am referring to the standards. They’re in direct conflict. 
> 
> I see no conflict between RFC8200 and RFC7045. RFC2460 is obsolete, so it doesn't matter.
> 
>    Brian
> 
>> 
>>>> On Dec 5, 2018, at 4:05 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>> 
>>>> On 2018-12-06 11:50, Joe Touch wrote:
>>>> 
>>>> 
>>>>>> On Dec 5, 2018, at 12:04 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>>>> 
>>>>>> On 2018-12-06 01:16, Joe Touch wrote:
>>>>>> 
>>>>>> 
>>>>>> On Dec 4, 2018, at 8:46 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>>>> 
>>>>>>>> Nobody deprecated the flags that require HBH options to be processed or dropped if not supported. 
>>>>>>> 
>>>>>>> Intentionally. If a forwarding node is transparent to HbH options,
>>>>>>> it is not looking at those flags. If it is looking at HbH options,
>>>>>>> it will obey those flags. Why is that a problem?
>>>>>> 
>>>>>> What exactly does ‘transparent to HbH options mean’ if not ‘not supported’?
>>>>> 
>>>>> It means a forwarding node that uses the exception added by RFC7045 and simply
>>>>> doesn't even look for an HbH header. The flag bits are invisible and irrelevant
>>>>> to such a node. The flag bits apply as defined for a forwarding node that *does*
>>>>> process HbH options, so they certainly should not be deprecated
>>>> 
>>>> Do why bother with “drop if not supported” if not supported can mean silently skipped over?
>>> 
>>> Ah. I assume that you are not referring to RFC7045 + RFC8200 (the standards)
>>> but to https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering-06#section-3.4.1.5 , which is quite nuanced. All I can say is that *if* we are going to issue guidance for security-based filtering of HbH headers, that advice seems realistic. It does include this:
>>>  ...  Finally, when
>>>  packets containing a HBH Options EH are processed in the slow-path,
>>>  and the underlying platform does not have any mitigation options
>>>  available for attacks based on these packets, we recommend that such
>>>  platforms discard packets containing IPv6 HBH Options EHs.
>>> Frankly I don't think you'd find any operational security practitioner who disagrees with this.
>>> 
>>> Whether we *should* issue guidance for security-based filtering of HbH headers is a broader question. All I would say is that if we don't, then either somebody else will, or default-deny will remain as the most common practice.
>>> 
>>> Brian
>>> 
>>>> Or the other variants?
>>>> 
>>>> They’re now meaningless but required to support. You don’t see the contradiction?
>>>> 
>>>> 
>>>>> 
>>>>> Brian
>>>>> 
>>>>>> 
>>>>>> In that case, the flags have exactly no meaning anywhere. But they’re not deprecated.
>>>>>> 
>>>>>> That makes no sense at all.
>>>>>> 
>>>>>> Joe
>>>>>> .
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>

v2.23.0 | Report a Bug | By Email