IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Mark Andrews <marka@isc.org> Wed, 05 December 2018 06:14 UTC

Return-Path: <marka@isc.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 765CF128CB7; Tue, 4 Dec 2018 22:14:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wJvBXiHmBSRC; Tue, 4 Dec 2018 22:14:49 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82440127333; Tue, 4 Dec 2018 22:14:49 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 4A88B3AB067; Wed, 5 Dec 2018 06:14:47 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 28C9B160046; Wed, 5 Dec 2018 06:14:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id F386416007B; Wed, 5 Dec 2018 06:14:16 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Emo_ZDZhJX09; Wed, 5 Dec 2018 06:14:16 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 8BFFA160046; Wed, 5 Dec 2018 06:14:15 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com>
Date: Wed, 05 Dec 2018 17:14:11 +1100
Cc: Joe Touch <touch@strayalpha.com>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec wg mailing list <opsec@ietf.org>, tsv-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <0f56c25d-7ac7-e534-4e2c-cc09f5154e77@foobar.org> <28EDE667-457E-4AED-8480-F27ECAA8E985@strayalpha.com> <6bd1ec94-f420-1f4c-9254-941814704dbb@gmail.com> <6be84ccf-9a72-2694-e19d-fa19043a0cb1@huitema.net> <4C249487-BD58-41BB-B8B6-081323E29F6C@strayalpha.com> <20181126075746.GO72840@Space.Net> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com> <CAL9jLaYfysKm7qrG=+jq7zV=5ODnSX-tAhBAiTU7SzYF-YmcGw@mail.gmail.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/LePo1KofwxyNgwe_7PjrhB0AF_k>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 06:14:51 -0000


> On 5 Dec 2018, at 4:37 pm, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> 
> 
> 
> On Tue, Dec 4, 2018 at 11:32 PM Joe Touch <touch@strayalpha.com> wrote:
> 
> 
> On Dec 4, 2018, at 8:11 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> 
>> That works only for HBH options of type 00. Others require particular actions when not supported.
>> 
>> 
>> can you expand on this some?
> 
> Nobody deprecated the flags that require HBH options to be processed or dropped if not supported. 
> 
> 
> Oh, you are highlighting the difference between the 'theory' and 'practice'. ok.
>  
> And if there is a security risk to the control plane, it is using that place for slow path processing without properly limiting its use of shared resources. 
> 
> 
> sure, that's a fine point. Doesn't actually change the state of the world where: "If your control-plane collapses, you have an unavailability event" which is a security problem. It's also an operational problem and likely a cost problem :( but... maintaining availability is part of what a good isp security group will do for the isp.

And the correct thing to do is to FIX THE BROKEN PRODUCT.  

If a ssh implementation is broken we don’t drop SSH packets.  We fix the broken implementation of ssh.

If there is a SQL injection problem we fix that problem rather than dropping HTTP
and HTTPS packets.

If a router can’t handle all legal packets at line rate the router needs to fixed.

Punting stuff to be processed by the same CPU that process the routing table worked
for a while.  There is no rule that says routers can’t have multiple CPUs some of
which are dedicated to handling the control plane and other that deal with everything
else that has been punted.  Design the router so that the control plane doesn’t get
overloaded and the exceptional packet get handled.

Generating PTB’s shouldn’t be seen as exceptional.  Fragmented packets shouldn’t be
seen as exceptional. 

> This idea that packets processed as intended are a security risk is like saying big packets are a security risk to small packets. It may be a bad design but it doesn’t mean such packets are inherently a security risk. 
> 
> 
> it seems weird that in this case 'this is not a security problem', but sending a packet that breaks some assumptions in the applications at the end points and causes unexpected problems with the end point(s) (say sql injection in a web server or breaking some ssh server through some vulnerability) is a security problem?

> Instead of rat-holing on this point though, don't you actually care that the end points can do their work regardless of the network devices? (smart edges, dumb core ... that sort of thing)
> 
> -chris

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email