IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Nick Hilliard <nick@foobar.org> Wed, 05 December 2018 15:17 UTC

Return-Path: <nick@foobar.org>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25F2712F1A2; Wed, 5 Dec 2018 07:17:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kHb_--H45iCB; Wed, 5 Dec 2018 07:17:24 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E5B9130DEE; Wed, 5 Dec 2018 07:17:22 -0800 (PST)
X-Envelope-To: ietf@ietf.org
Received: from cupcake.local (089-101-195156.ntlworld.ie [89.101.195.156] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id wB5FHKlw064773 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 5 Dec 2018 15:17:20 GMT (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-195156.ntlworld.ie [89.101.195.156] (may be forged) claimed to be cupcake.local
To: Joe Touch <touch@strayalpha.com>
Cc: David Farmer <farmer@umn.edu>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, opsec@ietf.org, tsv-art@ietf.org
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com> <CAL9jLaYfysKm7qrG=+jq7zV=5ODnSX-tAhBAiTU7SzYF-YmcGw@mail.gma il.com> <728C6048-896E-4B12-B80B-2091D7373D16@strayalpha.com> <CAL9jLaYHVdHr+rVoWeNtXTXgLxbTaX8V9gn3424tvsLW60Kvow@mail.gmail.com> <5E70C208-0B31-4333-BB8C-4D45E678E878@isc.org> <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <9a613af3-c71e-1c30-d10a-f8a57aee3250@foobar.org> <8FE8712B-4CFC-450F-AEB8-A7CCD7D2F121@strayalpha.com> <a96a4567-4247-c4d5-9c65-43960e98d17c@foobar.org> <C250CA48-CB45-4683-B96C-B977A6688655@strayalpha.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <070ed0d8-f7cc-9634-7367-69c09d9eeaf3@foobar.org>
Date: Wed, 05 Dec 2018 15:17:19 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.6
MIME-Version: 1.0
In-Reply-To: <C250CA48-CB45-4683-B96C-B977A6688655@strayalpha.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/f3CS1OBKswGs5iqnXRgrgw2JMFc>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 15:17:37 -0000

Joe Touch wrote on 05/12/2018 14:30:
> So every SNMP packet is an attack as well? As is every routing
> packet?

snmp packets are either directed at a router or else directed through a 
router.  If they are directed at a router, then they will be filtered / 
rate-limited on the data plane before they ever hit the management plane 
because no-one with half a brain cell is going to let their dfz core 
router open to snmp abuse.  If they're pure data plane packets, then the 
management plane will never hear about them in the first place.

Routing protocol packets are considered to be a potential attack vector, 
but again are subject to the limitation that if they are generated by 
third parties (i.e. unrelated parties, as compared to directly connected 
second parties who might have a legitimate reason for sending specific 
types of routing protocol packets - and not others), then they are 
routinely filtered out and/or rate limited before being forwarded to any 
router management plane.  In any event, they are also subject to 
policers / shapers before hitting the management planes, regardless of 
source.

Packets with HBH EHs are fundamentally different in this regard because 
they are data plane packets which are mandated by protocol to be 
processed on the management plane on every forwarding plane that they 
hit, even if this isn't their destination point.  This is what's 
different and what is so dangerous about HBH packets, and why they need 
the sort of specific consideration that doesn't apply to most other 
types of packets.

Thankfully rfc8200 recategorised them so that intermediate nodes are no 
longer required to process them.

> A security issue is created when a packet can cause*disproportionate*
> load. Otherwise it’s just called load.

This is exactly what we are talking about: terabits of data-plane 
traffic hitting a management plane because the protocol says that that's 
what needs to happen.

Terabits of data-plane traffic hitting a management plane which can only 
handle kilobits or megabits of data is  disproportionate.  You can 
trivially assess the level of disproportionality by noting the orders of 
magnitude in the numbers.  Is 6 orders of magnitude disproportionate 
enough? One order of magnitude is enough for me.  Trashed control planes 
are trashed, regardless of the scale of the trashing.

> The security issue is the implementation not throttling such packets
> to avoid having 10G of them shutting down the control plane. Yes,
> that’s a security issue, but it’s not the fault of the HBH packets.

It's a direct consequence of what the defining protocol used to say, 
except that vendors had more sense than to take protocols literally, and 
operations people have more sense than to leave their networks open to 
catastrophic abuse vectors just because it was written in a formal 
specification.

Common sense is, thankfully, one of the optimisation considerations 
applied when dealing with the conflicting standpoints presented by 
protocols and reality.

Nick

v2.23.0 | Report a Bug | By Email