IETF Logo Mail Archive

Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Joe Touch <touch@strayalpha.com> Wed, 05 December 2018 22:53 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9D6E12E043; Wed, 5 Dec 2018 14:53:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.22
X-Spam-Level:
X-Spam-Status: No, score=-1.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z_z38roF3_RW; Wed, 5 Dec 2018 14:53:56 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29F0B126CC7; Wed, 5 Dec 2018 14:53:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=WseRQi3ZrUYqdhH2IQ+PugMGS+r/UVBNt4Ppt9TQyks=; b=sGQy2cjyBVgnYdNw8nqiFIZ3t 5QF28l9vF5S2mdEgNtvNw9/LJEImXxWASDptN5Ps5fAQMhBvb36dTQDccDP30SlpLgoonH7OzFmeX JEbG+F3Li/e4OqKkOYIRps2VyfVk18wBVxlvCQJ6j/6cl7FvA0Pv9O3l1LP5gEfdbmosSiwq/Tng9 YoYSgjKCLy9xi8DCJZ5v9NvLy114rTj+hbH1DGdc4WoIE4eNV93fEZt1rdUho26wZ4xOTxS12ZYSg kSVAqS0W+yQ8hy3ixz526LGtxOEjeJAvS2gk0q1EUcile9X6qrzbQIGiTf1qpsHngFJYisWI4mCrO L9jX+R0VQ==;
Received: from [172.58.21.134] (port=51373 helo=[IPv6:2607:fb90:5ab9:34a3:a5d1:5453:14c2:db03]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1gUg3F-00469p-Nt; Wed, 05 Dec 2018 17:53:54 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail-2AAC2CF4-9C55-4B04-8064-E774515AE534"
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
X-Mailer: iPhone Mail (16B92)
In-Reply-To: <6b9dac4f-4d57-7778-bbbe-78ebe399962f@huitema.net>
Date: Wed, 05 Dec 2018 14:53:52 -0800
Cc: Gert Doering <gert@space.net>, Ole Troan <otroan@employees.org>, tsv-art <tsv-art@ietf.org>, OPSEC <opsec@ietf.org>, IETF-Discussion Discussion <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <38262252-AECF-427E-9216-3732C9973BFB@strayalpha.com>
References: <CAN-Dau0go6_Puf0A9e7KBpk0ApJBUvcxYtezxnwNc-8pKJ3PwQ@mail.gmail.com> <4D69FA8E-FB8A-4A16-9CA6-690D8AE33C9E@strayalpha.com> <20181205122142.GJ1543@Space.Net> <F17C4944-09EC-4AAC-84A0-B660E36AAE89@strayalpha.com> <20181205133821.GL1543@Space.Net> <B6280E0C-6B20-43C1-BB34-170FB06F1EF7@strayalpha.com> <20181205135723.GN1543@Space.Net> <54C715AE-8931-4FA9-AA01-2311EB0055F0@employees.org> <20181205164558.GQ1543@Space.Net> <CCFEFC5B-53AE-4079-B64A-A72A71274FAD@employees.org> <20181205180855.GR1543@Space.Net> <6b9dac4f-4d57-7778-bbbe-78ebe399962f@huitema.net>
To: Christian Huitema <huitema@huitema.net>
X-OutGoing-Spam-Status: No, score=-0.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/xpGUWJfObxtoyttvamgIQzaSa4M>
Subject: Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Dec 2018 22:53:58 -0000

+1

> On Dec 5, 2018, at 11:26 AM, Christian Huitema <huitema@huitema.net> wrote:
> 
> 
>> On 12/5/2018 10:08 AM, Gert Doering wrote:
>>> On Wed, Dec 05, 2018 at 06:57:28PM +0100, Ole Troan wrote:
>>> You are creating the ???perceived??? security problem yourself, by requiring processing deeper into the packet than is required.
>>> Just comply with RFC8200. As long as a router is not configured to process any HBH options, it can ignore the header.
>>> You seem to think HBH still means ???punt to software???. If it ever meant that.
>>> 
>>> There???s no need for rate-limiting for not processing HBH obviously.
>> I *must* be able to look at the protocol field of packets coming in on
>> our borders (see detailed description on our rate-limiting rules in 
>> another mail of today).  If there are EHs in the way so our routers' 
>> hardware cannot decide if this is a TCP or UDP packet, these packets 
>> go down the drain.
> Gert, I think that you are actually pointing at a significant issue with the draft. 
> 
> The draft goes into an evaluation of "security issues", without actually explaining some basic assumptions. For example, it is hard to believe that a router forwarding too many packets of any kind will cause an issue for the security *of that router*. But on the other hand there is a widely distributed practice of network equipment attempting to provide differential treatment of packets based on protocol types and port numbers. That practice is not acknowledged in the RFC that specify IPv6. In fact, the IPv6 design assumes that routers only look at the address and flow-id fields. This design is actually a departure from IPv4, whose       header format makes it easy to skip over the option field and assess the "five tuple".
> 
> The draft *implicitly* assumes that routers will try to find the protocol and port numbers "because of security reasons", but never actually delineates these reasons. I think the discussion would be much more productive if the draft started by explaining why network managers believe that access to the "five tuple" is essential for a variety of reasons, many of which are only tangentially related to "security". At that point we can have a discussion between protocol designers assuming that the network routers shall only look at IPv6 addresses and that everything else is end-to-end on one side, and on the other side network managers explaining why they need access to the payload type and port numbers.
> 
> My personal preferences on the subject are not very relevant, and I could actually line up arguments for both sides of that debate. But I believe that getting to a resolution there would be much better than arguing piecemeal over this or that end-to-end option.
> 
> -- Christian Huitema
> 
> 
> 
> _______________________________________________
> Tsv-art mailing list
> Tsv-art@ietf.org
> https://www.ietf.org/mailman/listinfo/tsv-art

v2.23.0 | Report a Bug | By Email