IETF Logo Mail Archive

Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Mark Andrews <marka@isc.org> Tue, 27 November 2018 00:07 UTC

Return-Path: <marka@isc.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6712813106F; Mon, 26 Nov 2018 16:07:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Twvu8lv1f-d6; Mon, 26 Nov 2018 16:07:46 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6BF12DF72; Mon, 26 Nov 2018 16:07:46 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 9DCB13AC858; Tue, 27 Nov 2018 00:07:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id EF6EA160067; Tue, 27 Nov 2018 00:07:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id CDBF1160082; Tue, 27 Nov 2018 00:07:11 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id PBlGRuhJbzyS; Tue, 27 Nov 2018 00:07:11 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 2E3A8160067; Tue, 27 Nov 2018 00:07:09 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CABcZeBMw+ZS=VAtrciGEKkQodCXmP-WSGjjoGYyrK+328kCBnw@mail.gmail.com>
Date: Tue, 27 Nov 2018 11:06:51 +1100
Cc: Joe Touch <touch@strayalpha.com>, opsec@ietf.org, IETF discussion list <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, tsv-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <01CACB34-C018-4EC5-A437-90F745856549@isc.org>
References: <154300282321.9639.11604402305352742547@ietfa.amsl.com> <C4886ABA-3BBE-46AE-B2D9-9A6836D7A8BB@strayalpha.com> <2c28d4ac-87de-bcaf-54e8-4e745235c800@gmail.com> <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <d6deb7af-99dd-9013-2722-8ebbe00c0b37@si6networks.com> <1CB13135-D87A-4100-8668-D761058E1388@strayalpha.com> <4138e2eb-71e0-4c3d-36cb-38da8369a7c6@si6networks.com> <1BEB4C2C-0873-4D08-8A7D-1C3E30AC374F@strayalpha.com> <CABcZeBMw+ZS=VAtrciGEKkQodCXmP-WSGjjoGYyrK+328kCBnw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/POGVHiE9OctSt-4uKL4-WacNur4>
Subject: Re: [Tsv-art] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 00:07:48 -0000

The same is true in DNS. Recursive servers end up having to probe with different extensions set.  Such
probing is being turned off for basic EDNS because it leads to false positives about what the remote
server support which in turn breaks DNSSEC which depends on EDNS and being able to set the DO flag bit.

One source vendors are so fed up with this stupidity by firewall vendors that they are collectively
going to stop shipping code that automatically attempts to work around this breakage.  The big open
recursive resolver operators are also turning off work arounds.  This at least will mean that DNSSEC
will become more reliable.  https://dnsflagday.net

https://ednscomp.isc.org/compliance/summary.html has lots of time series showing how different extension
mechanisms are blocked / mis-handled.

EDNS has stated from day 1 that unknown EDNS flags are to be ignored yet there are firewall vendors that
seem to think it is a good idea to block them.  It took years for DO to be allow through by most firewalls.

EDNS has stated from day 1 that unknown EDNS versions are supposed to be responded to by BADVERS with the
highest version supported but we still have firewall vendors block EDNS version != 0 requests.

EDNS also says that unknown EDNS options are to be ignored by the server yet there are firewalls that block
them by default.  There are those that block NSID options in the request by default, but it something the
DNS operator has to enable in the server for there to be a NSID in the response.

None of this blockage provides any real security.  Name servers handle all of these extensions and don’t
fall over.

There really is too much paranoia by firewall and other vendors.  Just because something is using a extension
mechanism it doesn’t mean that it is dangerous or abuse.

Getting back to IPv6 headers ASIC’s that can’t skip over fragmentation headers are just plain broken.
ASIC’s that can’t generate PTB responses are just plain broken.  These are part of basic IPv6.  Neither
should require hitting the slow path.

Mark


> On 27 Nov 2018, at 2:18 am, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Picking a random message to reply to.
> 
> I'm not any kind of IPv6 expert, so I'm not taking a position on the goodness or badness of extension headers.
> 
> With that said, we do have a fair amount of experience with trying to deploy new protocols in the face of significant levels of network-level filtering; TLS 1.3 was delayed by a year or so when we discovered that there were middleboxes which made incorrect assumptions about our extension points. At the end of the day, we got things working, but at the cost of some not very attractive hacks, and if you look at QUIC, a lot of the design is motivated by concealing extension points from network intermediaries in order to avoid a replay of this scenario. Otherwise, we're worried that we won't be able to extend the protocol in the future.
> 
> So, at least from the endpoint's perspective, a situation in which network intermediaries block any new protocol features they don't recognize is not really great.
> 
> -Ekr
> 
> 
> 
> 
> 
> 
> On Mon, Nov 26, 2018 at 6:36 AM Joe Touch <touch@strayalpha.com> wrote:
> 
> 
> > On Nov 25, 2018, at 11:54 PM, Fernando Gont <fgont@si6networks.com> wrote:
> > 
> > What this doc tries to do is to analyze the possible effects of
> > different types and options, and only advice to drop them when there is
> > a clear reason to do so.
> 
> It claims those actions based on security. This is not a security issue. It is a revenue preservation issue.
> 
> There is a big difference between using a protocol feature and abusing it. The implication that merely using some of these features is a security issue and an abuse is the problem with this document - and the approach of similar documents.
> 
> Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email