IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Joe Touch <touch@strayalpha.com> Wed, 05 December 2018 13:12 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EFD3124D68; Wed, 5 Dec 2018 05:12:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.921
X-Spam-Level:
X-Spam-Status: No, score=-0.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYiTjZFB2-20; Wed, 5 Dec 2018 05:12:51 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 100F8124BF6; Wed, 5 Dec 2018 05:12:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=gqaZu64wbfpfCg93df5wfO+o8mGw6lVBPmOS59YX728=; b=sWNGX4jjDGdCNig/DeBLjfgPL a1OfqeMSEnhZpDi6tP1Ps7OXuEFVFNzWcwEoIW7/8TqtpW9kO18dSJkPG2UxUHCxvxz1r7L6QfqZe 3c+LLFcz+G8WTqr0VKBLbMARGOnwYVtYbVTFOzYQQdC3xrY4O7IRN3T1tUZxmgcx/qSFLH7/UuYfr kwodfDrq7SkBqdv4MqyUfUUWSQmT3U2twPyL7ZNFLk04NsfJ5dYfH0n9IOG74nYFgNeOxIw3+YbTq PAibeL8bT+6ZwEU9TRSy1BoFx/4y8ml4UbetA1R32Y9wEsRumtEyQvjRB5e3JukMlYAT/UeE6v3NT gIPsSk2NA==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:57172 helo=[192.168.1.16]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gUWyv-003b94-7u; Wed, 05 Dec 2018 08:12:50 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPad Mail (16B92)
In-Reply-To: <9a613af3-c71e-1c30-d10a-f8a57aee3250@foobar.org>
Date: Wed, 05 Dec 2018 05:12:48 -0800
Cc: David Farmer <farmer@umn.edu>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec@ietf.org, tsv-art@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8FE8712B-4CFC-450F-AEB8-A7CCD7D2F121@strayalpha.com>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <4C249487-BD58-41BB-B8B6-081323E29F6C@strayalpha.com> <20181126075746.GO72840@Space.Net> <6C50775C-EB67-4236-93B8-DF0259E04167@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com> <CAL9jLaYfysKm7qrG=+jq7zV=5ODnSX-tAhBAiTU7SzYF-YmcGw@mail.gma il.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com> <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org> <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <9a613af3-c 71e-1c30-d10a-f8a57aee3250@foobar.org>
To: Nick Hilliard <nick@foobar.org>
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/bCGASIoYwAcsGRr1lwxYBATkqhc>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 13:12:52 -0000

The choices below don’t include declaring this a security risk and turning it off.

If you want to change the standard, do so. But this isn’t a step isn’t that direction. And the previous attempts only show why IPv6 has adoption problems.

The standard can still be changed, but regardless, this simply is not a security issue and shouldn’t be sold as one.

Joe

> On Dec 5, 2018, at 4:48 AM, Nick Hilliard <nick@foobar.org> wrote:
> 
> Joe Touch wrote on 05/12/2018 12:13:
>> Then THAT is the security issue..  Not the packets that cause a broken implementation to have problems.
> 
> In this specific case:
> 
> 1. the protocol definition states that HBH packets should be processed per intermediate node.
> 
> 2. even small routers can now handle terabits of data plane throughput.
> 
> What do we do?
> 
> 1. declare that these routers should be able to process terabits of HBH packets (or experimental EHs because we don't know whether experimental EHs are required to be processed HBH or by end points only).
> 
> 2. formally drop the requirement for intermediate routers to process HBH headers
> 
> 3. build routers which will take some HBH headers at low packet rates and drop the rest (+ update rfcs to make this formally compliant).
> 
> 4. something else.
> 
> Nick

v2.23.0 | Report a Bug | By Email