IETF Logo Mail Archive

Re: [Tsv-art] HbH flags [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Christopher Morrow <morrowc.lists@gmail.com> Thu, 06 December 2018 05:02 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B247E131027; Wed, 5 Dec 2018 21:02:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tW0MbceWKkGX; Wed, 5 Dec 2018 21:02:07 -0800 (PST)
Received: from mail-it1-x12b.google.com (mail-it1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1CA9131021; Wed, 5 Dec 2018 21:02:06 -0800 (PST)
Received: by mail-it1-x12b.google.com with SMTP id c9so23980107itj.1; Wed, 05 Dec 2018 21:02:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iP53YQxm40zioBz/TBywQnpLfZqcTKwbzlKLkAUOGws=; b=ZBpP/t37XS+sXO+DftJ2f4UtOWC/0zvNb2tDd14GsN0QfZ3D/nlDwvmNWzwe4sfaNp W6KXjC4OnsmOSa83OFDj5x4OgNi9nc3CqTlnaUmvsf9Lbjhxg5J47PUg6wR2dp67BeqB zb82eh2Ee7VPal4XifdR50O6jqwCFc7FhjisUgNbjp15rBbog9sy6VditBzf2GM8Wpga YVAA6M0+ILIxmb7dw+bB5sTF3PNyniEcIY9ML1GoDlcTz6ekJe9kbqamtIcO3OFt4t97 GSOop+D3A70820ijWm+utyVuU4DO+4F5ylqoqsLnETRzmP/eA3AURuMXnFPzjcFBbDtu X0HQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iP53YQxm40zioBz/TBywQnpLfZqcTKwbzlKLkAUOGws=; b=WSZ2FQX+dyIdo5hO8tgYXiYYuEPgl+NiAKwAsXapUmSN5lwXeLDX9eGu/zXDmTL6TM XEu6UfCI8ogSiemXeQUi7cgCr+tCuMeAKEvW5ClCPN6QLzzwqh3GGqwEkQF2RpBzWmTq Pbz2XfsoQj5IjJXUX8n5uyrADGv6LEFNVzgCvR4234Iy6XTAhRyPlXyn9ElAhtUYAUFE X/KqCyZfg792AoD2X94dnUy5wRnkqDrBe6OfusKTcrGVlyjLi+9S5tURuCjQK0f6C6sh A1lP5VoXddSclArF4jcGlYHZbgoy2L38iH1/rJwt7/5jY+E0du8KYHHqJabADKoo3nhR 02bA==
X-Gm-Message-State: AA+aEWYxtU6eDRu8774A6Zcb8BcI/DS+DIz7IHyps4/yixkk2svGvMPG ZaRRSNM8JDeZbf28T7QR5UR/jEXsHvqmcF6J4d0=
X-Google-Smtp-Source: AFSGD/V/8PBj3nBWwCzmnZXOx5RNWavXRZJu1QnT/eS7meFicncMl/cbWxFcmVUDXV9368O5+p6igax0kQUMC+eVpuk=
X-Received: by 2002:a24:32c5:: with SMTP id j188mr17468825ita.139.1544072526078; Wed, 05 Dec 2018 21:02:06 -0800 (PST)
MIME-Version: 1.0
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <8a676a4a-c76d-9fa5-ce79-534a14cf0511@gmail.com> <2386B45D-8AEE-4C95-BB00-A5A2ABF63F8A@strayalpha.com> <e5198c02-ebc6-ee3e-96cb-fd2831164f41@gmail.com> <02AD0268-BFB8-4CA2-8985-08AFE6013ABB@strayalpha.com> <6c071ce7-609b-fcf2-8977-9159afece9ec@gmail.com> <E008EA4B-74D3-4251-BFB8-B88F544B2A99@strayalpha.com> <260f1445-0690-691b-5aea-83b7a43bfdcb@gmail.com> <39A24B3F-1332-4A9B-AAF3-0E9B896F7906@strayalpha.com>
In-Reply-To: <39A24B3F-1332-4A9B-AAF3-0E9B896F7906@strayalpha.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Thu, 06 Dec 2018 00:01:55 -0500
Message-ID: <CAL9jLaYPPiXECcLdCfe35tCwBaSvswObo7skO7pqN2t2TXskqw@mail.gmail.com>
To: Joe Touch <touch@strayalpha.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec wg mailing list <opsec@ietf.org>, tsv-art@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006ca947057c536622"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/DNcfD-t_ClGZhjKiHOWtewUehUU>
Subject: Re: [Tsv-art] HbH flags [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 05:02:13 -0000

On Wed, Dec 5, 2018 at 11:57 PM Joe Touch <touch@strayalpha.com> wrote:

> Then explain what it means to mark an EH as ‘drop if not supported’ if it
> isn’t dropped where - well - NOT SUPPORTED.
>
> Or ICMP where not supported.
>
> Or any of those values.
>
> I’m talking about a conflict in the text of 8200 - which has those fields
> as required to support - and 7045, which says they can be silently ignored.
>
>
How is it, for example, different to put ipv6 packets into an MPLS path
doing nothing along 'many' hops (except forwarding the packets along), and
then once you pop out of the tunnel start processing the packet as you
(joe) would want.

Versus just ignoring the offensive EHs along the same path outside of MPLS
and then dealing with them after you pop out the last router in the chain?

In my mind this is what Brian (and me and apparently 8200) are proposing:
"edge site sends packet with offensive header(s) to ISP, ISP ignores EHs
and forwards across (potentially many) routers/as-hops and far end edge
site gets the packet and parses EHs to it's hearts content."


> > On Dec 5, 2018, at 4:38 PM, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> >
> >> On 2018-12-06 13:17, Joe Touch wrote:
> >> I am referring to the standards. They’re in direct conflict.
> >
> > I see no conflict between RFC8200 and RFC7045. RFC2460 is obsolete, so
> it doesn't matter.
> >
> >    Brian
> >
> >>
> >>>> On Dec 5, 2018, at 4:05 PM, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> >>>>
> >>>> On 2018-12-06 11:50, Joe Touch wrote:
> >>>>
> >>>>
> >>>>>> On Dec 5, 2018, at 12:04 PM, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> >>>>>>
> >>>>>> On 2018-12-06 01:16, Joe Touch wrote:
> >>>>>>
> >>>>>>
> >>>>>> On Dec 4, 2018, at 8:46 PM, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> >>>>>>
> >>>>>>>> Nobody deprecated the flags that require HBH options to be
> processed or dropped if not supported.
> >>>>>>>
> >>>>>>> Intentionally. If a forwarding node is transparent to HbH options,
> >>>>>>> it is not looking at those flags. If it is looking at HbH options,
> >>>>>>> it will obey those flags. Why is that a problem?
> >>>>>>
> >>>>>> What exactly does ‘transparent to HbH options mean’ if not ‘not
> supported’?
> >>>>>
> >>>>> It means a forwarding node that uses the exception added by RFC7045
> and simply
> >>>>> doesn't even look for an HbH header. The flag bits are invisible and
> irrelevant
> >>>>> to such a node. The flag bits apply as defined for a forwarding node
> that *does*
> >>>>> process HbH options, so they certainly should not be deprecated
> >>>>
> >>>> Do why bother with “drop if not supported” if not supported can mean
> silently skipped over?
> >>>
> >>> Ah. I assume that you are not referring to RFC7045 + RFC8200 (the
> standards)
> >>> but to
> https://tools.ietf.org/html/draft-ietf-opsec-ipv6-eh-filtering-06#section-3.4.1.5
> , which is quite nuanced. All I can say is that *if* we are going to issue
> guidance for security-based filtering of HbH headers, that advice seems
> realistic. It does include this:
> >>>  ...  Finally, when
> >>>  packets containing a HBH Options EH are processed in the slow-path,
> >>>  and the underlying platform does not have any mitigation options
> >>>  available for attacks based on these packets, we recommend that such
> >>>  platforms discard packets containing IPv6 HBH Options EHs.
> >>> Frankly I don't think you'd find any operational security practitioner
> who disagrees with this.
> >>>
> >>> Whether we *should* issue guidance for security-based filtering of HbH
> headers is a broader question. All I would say is that if we don't, then
> either somebody else will, or default-deny will remain as the most common
> practice.
> >>>
> >>> Brian
> >>>
> >>>> Or the other variants?
> >>>>
> >>>> They’re now meaningless but required to support. You don’t see the
> contradiction?
> >>>>
> >>>>
> >>>>>
> >>>>> Brian
> >>>>>
> >>>>>>
> >>>>>> In that case, the flags have exactly no meaning anywhere. But
> they’re not deprecated.
> >>>>>>
> >>>>>> That makes no sense at all.
> >>>>>>
> >>>>>> Joe
> >>>>>> .
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >
>
>

v2.23.0 | Report a Bug | By Email