IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Randy Bush <randy@psg.com> Wed, 05 December 2018 17:10 UTC

Return-Path: <randy@psg.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C83C5130E29; Wed, 5 Dec 2018 09:10:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Tzs0S8aTLbi; Wed, 5 Dec 2018 09:10:25 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E7B212DF72; Wed, 5 Dec 2018 09:10:25 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.90_1) (envelope-from <randy@psg.com>) id 1gUagp-00011D-8b; Wed, 05 Dec 2018 17:10:23 +0000
Date: Wed, 05 Dec 2018 09:10:22 -0800
Message-ID: <m236rbnblt.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Nick Hilliard <nick@foobar.org>
Cc: opsec@ietf.org, IETF Rinse Repeat <ietf@ietf.org>, tsv-art@ietf.org
In-Reply-To: <a96a4567-4247-c4d5-9c65-43960e98d17c@foobar.org> <9a613af3-c71e-1c30-d10a-f8a57aee3250@foobar.org>
References: <977CA53D-7F72-4443-9DE2-F75F7A7C1569@strayalpha.com> <20181126175336.GW72840@Space.Net> <c959d8cb6f6a04a8da8318cfa89da341@strayalpha.com> <2425355d-e7cc-69dd-5b5d-78966056fea7@foobar.org> <C4D47788-0F3D-4512-A4E3-11F3E6EC230B@strayalpha.com> <8d3d3b05-ecc3-ad54-cb86-ffe6dc4b4f16@gmail.com> <C929A8B9-D65C-4EF7-9707-2238AE389BE3@strayalpha.com> <CAL9jLaY4h75KK4Bh-kZC6-5fJupaNdUfm1gK2Dg99jBntMCEyQ@mail.gmail.com> <C47149DC-CAF2-449F-8E18-A0572BBF4746@strayalpha.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/25.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/fbEfr4StLQT_hsBrOFzi1xEcKRs>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 17:10:27 -0000

> If J Random Hacker in his mom's basement can launch an attack which
> takes down your network core because your management planes can't
> handle 1Tbit, or more realistically 10gbit, of HBH packets, then that
> is categorically a network security issue, even if it is a secondary
> effect.

security failure is almost always a secondary effect.  we usually do not
intentionally design in specific security vulnerabilities.  well, RH0 i
guess; every rule has exceptions.  but we don't have to knowingly add an
other.

perhaps there is a signal here where folk who operate the network worry
about the operational consequences of ipv6 protocol purism.  perhaps we
have seen this before.  i suspect we will see it again.

> What do we do?
> 
> 1. declare that these routers should be able to process terabits of
>    HBH packets (or experimental EHs because we don't know whether
>    experimental EHs are required to be processed HBH or by end points
>    only).

and i presume i can print this rfc on paper and put it in the floppy
drive slot of my routers and they will suddenly be able to process
terabits of hbh on the slow path.  cool!

> 2. formally drop the requirement for intermediate routers to process
>    HBH headers

we do not really have an actually deployable choice other than this.

> 3. build routers which will take some HBH headers at low packet rates
>    and drop the rest (+ update rfcs to make this formally compliant).

and put this into my routers' floopy slot too?  we're talking EXISTING
ROUTERS that are just not going to be able to make this happen.

if this was an ideal world, i would focus on war, hunger, the resurgence
of fascism, etc.  an undeployable protocol requirement is pretty far
down my priority list.

randy

v2.23.0 | Report a Bug | By Email