Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Andrew Alston <Andrew.Alston@liquidtelecom.com> Mon, 25 October 2021 22:51 UTC

Return-Path: <andrew.alston@liquidtelecom.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B263A110E for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 15:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.865
X-Spam-Level:
X-Spam-Status: No, score=-1.865 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=liquidtelecom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HK3xN5s2gXbr for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 15:51:52 -0700 (PDT)
Received: from eu-smtp-delivery-182.mimecast.com (eu-smtp-delivery-182.mimecast.com [185.58.86.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A68A13A0F74 for <v6ops@ietf.org>; Mon, 25 Oct 2021 15:51:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=liquidtelecom.com; s=mimecast20210406; t=1635202262; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=05avKbCVc2nUETRfcbBU1swvKmVpnP23xRihfzLK08g=; b=TFnO7JdxeIVs23RZooYPH4+KrxfO9wCl1mNxRqOBzL6/iD0gyky+yZg4apXqbFdMY7lWuq MjLwHcwEfje/cQZL9W7+t4CD4xMsNUlQnm0LruHAbA4yMKAobrBmTOWR+wdKnkazQMz8rQ g3s8WH8lX6mzEPJMysVNmpFQwQUcgms=
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-am5eur03lp2053.outbound.protection.outlook.com [104.47.8.53]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-155-IwVLUtIxM3mwZC7Dz5HqBQ-2; Mon, 25 Oct 2021 23:50:59 +0100
X-MC-Unique: IwVLUtIxM3mwZC7Dz5HqBQ-2
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com (2603:10a6:20b:346::6) by AS8PR03MB7587.eurprd03.prod.outlook.com (2603:10a6:20b:34d::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.18; Mon, 25 Oct 2021 22:50:58 +0000
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9]) by AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9%6]) with mapi id 15.20.4628.020; Mon, 25 Oct 2021 22:50:58 +0000
From: Andrew Alston <Andrew.Alston@liquidtelecom.com>
To: Warren Kumari <warren@kumari.net>
CC: Gert Doering <gert@space.net>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
Thread-Index: AQHXxp4zP+qugBEUYEKpNlrZT9uUPqvfT9WAgAQhrYCAAM2ggIAAAuGAgAADvQCAAAC4AIAAOW6A///WbgCAADRFgA==
Date: Mon, 25 Oct 2021 22:50:58 +0000
Message-ID: <1A8239F9-2487-4514-AC32-5B3CAD71675C@liquidtelecom.com>
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com> <YXciHYMNa6KJUohp@Space.Net> <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com> <YXcl2iQMvZe8ggLs@Space.Net> <0C1C8148-3D59-4C2A-A834-5B11854B3E7C@liquidtelecom.com> <CAHw9_iLm_T=F_m+Bie5ey6=PU18D610w6HsXY16f118hzmp5Kw@mail.gmail.com>
In-Reply-To: <CAHw9_iLm_T=F_m+Bie5ey6=PU18D610w6HsXY16f118hzmp5Kw@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.53.21091200
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 76f94cad-eb89-4562-d5f0-08d99809e93e
x-ms-traffictypediagnostic: AS8PR03MB7587:
x-microsoft-antispam-prvs: <AS8PR03MB75874E1DCFA1E90BA2AB8915EE839@AS8PR03MB7587.eurprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: yEKg3E2o11wp9w+8EEgtROdC8PyHYHlBicrKOlT69hIz/tUO1OPyDrx8bwAmCBZK7N75XcFy3yYSg/ThPLWzTkQX8l6Rp4DX96AUPKGeiet16b1qj6eP+p0+4Blvd3G4FiuL0thI8koZ2WAJDdBlQtw9hYpTAaPUd3mt3tWYpOdIGWSdclio8raBhHchGKnBnWvjsxXgLJcq8hxw8nzG6GzCDSzCpsexMZu9fnI4HZdThIbTNbaLES/qKfa3RDMJX8pfWIjYewfxkVw396q79l0maCjuFjWQugGE/GF627qP1RiE7RNTbUw9HTPcqtgckcgcR+7CvdUtXMOcYofxILyZQ7hcRjpQHEYi79Dn05ZemnEimrUutlDNOIPX7Gn6uYaxw0A/vo8sw4RHOJ5NkywMuwuZZt+guYUCJjZl/S9B+UX/W7D8Gc+92APcJZtAqSeo8EUrdDdaxKyIhlRJsLM53DCgyaE3n39yJbDvhsb7FS7zPDFlwWekkEZKhRP3zAN1VQOlTOdDx3z6nmc15vwsZWliR6sPcVfvXS4yjypUrj675Uc7yOI5omvEyRXdR/Ht5QSwAspV6pGNuucGP2ZQ4tbSmLBIRpmnq/vv4xXODbJlakvVwtFx/zLJxtjv4rSIrauExD7u+EytnssYilFcoCfxHYnbBVxM+nCqpfFcoKAGvTsI5k0tl3USrEc2tD+LRjiH1qr+ev6fu8qZvpPn8TOE6psWp2ZvDijbVAlm/ZDW+o0KcnlF5SDgt/XGV/OpcBQEB4ifxYSDH6S0L7R3HmlVeZ3W5sm5gYp3Y2+HlpI2CscxtkIMfxnYJqRdjzHxN6s1fOqiJENtBbu2T8oVjgWLDJ4Vbm1rNjFeI/M=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR03MB7622.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(86362001)(186003)(83380400001)(166002)(91956017)(71200400001)(64756008)(76116006)(54906003)(38070700005)(66556008)(33656002)(66574015)(4326008)(2906002)(122000001)(6506007)(36756003)(5660300002)(508600001)(53546011)(6486002)(6916009)(66446008)(966005)(8676002)(8936002)(38100700002)(2616005)(316002)(15650500001)(66476007)(6512007)(66946007)(45980500001); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?NThFMVdKZktOOHRQV2IxMjJLdm1LYmhrSUpVZ0NEbktBVTVSeTFQOHlnU1pE?= =?utf-8?B?c0Z4NGoxckk4K0FLMEJTeklwRmRHdU5nWHVEcG94MGZLNlhBcnNLRmNyTkVp?= =?utf-8?B?eG05U2tETGhsTlVFL0ljSnB5K0VFQzhaaVNzOEFPeWU5Rk13dDNkTE1CK1Q1?= =?utf-8?B?bVEySTBqWFhjSzczR0Q0b0U1OUphVHJKTkliOTBiamljaHJ6RWZiQ09DSTdD?= =?utf-8?B?VDB3bzZBdmlacmtrZ3d3Sy9lQ09TWGhhMjFSS1RVQWo3SXpRLzhpazRRd0Fn?= =?utf-8?B?dE5vaGIvb202RHVVNHE1d0prNFNvZ1Q1MU9Wd0JQTHo5N0kyd2lzZldQRWVB?= =?utf-8?B?bFI0L3M5MFd0YWxHTUMyS3VkZ0tkVWxhSDlhcXFFaGZmc1hzOFBaZldzSjZq?= =?utf-8?B?U284MXhtOHdPYTdHczlJemc3UVpncTFISXdDcEVoaXc1WnhsMm5PbGc5emFG?= =?utf-8?B?bDFkeC9rdnVCc1lXVGpMd2JUWDlnMDVBVmRFVUlzSVVHR1p0WWxmVXY3NXFW?= =?utf-8?B?YnRVOVRMLzNneDUrS0FGcndpcUF2K0xKNWFyS3M2MElGdHpwS00wSGhoVjh0?= =?utf-8?B?YnNMQXdhTWJITU1tRGZxcUljZE1INHRxOFJEd28rVkI1amU4eUpEUGdtb2Nk?= =?utf-8?B?K0lSWTdqR0JJT2IvZjJyZ2hrU0p2TTJtb0xXS0kzc0tTQlVTQnQ3bFFDbXpl?= =?utf-8?B?R3VvaHVzUS8xZzg3YW5Kbnk0c3d1djhhTXIyNmlMWlozdFM1eXNCTlorMDhl?= =?utf-8?B?SldhVXFZTDFYSXVmSmxPdmhsTFpENGdsWkg2c2xCc0FscllMZ0NJNnZIVTN5?= =?utf-8?B?ZUlCa1BOM3VXaDE0L1llOUpOM0EreXlxcjRGV2xxaVdJenRPNlkrbU9ybHJJ?= =?utf-8?B?cGZTcDNTZm9SRmV5VnBnUzhkckVnWWxMNXY2Z1VXR2tVZnM1UXR2QjBlZnFI?= =?utf-8?B?ZjNhektDeW5ZVnN5eVFtQXNISU1Vc005ajM1OTZMdXB3bUg0ZlJDcjNUUkZ4?= =?utf-8?B?VlZGWWErU1RzeWdManhYVFdZZXVoZUFLZTFwTTNFNGZQUUJoSXZpa3c0ZEwr?= =?utf-8?B?MzNxMkZIVnZqcEdRcG84Y1lqNEhnN1Arb05YWGdaaXBXQjlleUpldUM0eERY?= =?utf-8?B?dzlMeWphNXFYUVVPY1pBY1Y5R3hTZ3crSTJlYTE4N0c2dkFIdTJ6a00zbFMw?= =?utf-8?B?bHdqWHJoeTd0T2FSRllYcXRMTW5URG8rRkdnTGpPanNoM0ZETWJkekgxbGRS?= =?utf-8?B?Y1lJZVppWW1hamtMNW41OUFJMFkwY2JMSUVlYlI5bnhhaTY3TGNnTFFWNytB?= =?utf-8?B?UGd3Znh3TGhOeGp5cERWbE5LOUpMWFlQd0J5VVVINjUvK3IyRUZGd0VOdmRM?= =?utf-8?B?eDRHL3Z0TWxjZ2JTeDVsSFZMdlRWSk1qcVNSSTVDaUxpcGRVdzA1QjZJVTRh?= =?utf-8?B?bXhjZ1lVQm1mWk1TOTM2VFhCT1RyYkZxMlZUSy8zWWprRjEzVm5VYklkS29W?= =?utf-8?B?dWVPL3JFcGtTeEZWY2ZSaG5jZ25xZHFmTDd1Qzd1ZkZtY0JwOHJxQ1A3ZzVW?= =?utf-8?B?K3JYOHhLQ1F6TXhhRGpiRGJVNVNEV3ByTVJrK1NwbGw5Y3o3YWxZUFJiQXJ5?= =?utf-8?B?eHJBU2NkVnFlenIyNStqbVFLcjRXNjJiOU9aNnhyZXdBdFo0SGRyTDFLdlV3?= =?utf-8?B?QTF2MlJ4TWR3dTlEQk5yL2lUbExlTE1Nb3dVVjdDMnFjUDFwc0l2QVdJSjdV?= =?utf-8?B?d1FESTVwWlkrT0hOLzdwWk5PY1JyNDE3UEF6YUh1dHdYWHhCZWlFSmZCUnFJ?= =?utf-8?B?QTA3ZzVDaEs2Ym1YbjVSR2trS090U0pCNWlEYksxTEdicmpBeTlxd0J4WjdX?= =?utf-8?B?MFpaWUVEZk1LWU9EUFlFWFd3TXNWVmkwbG13MUJ4RGZvaFdHbUJZSURVaVRP?= =?utf-8?B?L0ZSSE4xWDlJMHdJMEhlSXFlVFo0aE1vTnBlODIydGg5dHlWMHNTWGprZ0Jn?= =?utf-8?B?MFZsVUliRE1vc1p6REpVZklJV2RTb3Z0ZUw3REF3RC9GQTRYVm5ad3d1UXdI?= =?utf-8?B?R2x4RUhSWDUwUStqcG4wTDJrd3JxbzNTcStFVGVQNSt6a1NkRkpvZkhPRjFH?= =?utf-8?B?SlhNVHZJWlQvbjFaRlN0SGJxUmZQVjVROWNKTG8wYUhnT2JtUm4zYnJzY25h?= =?utf-8?B?NSs4ZTNCY2hXclMrT1kxcDMyam9tOUY1dUNmbjVHYWZSNzJodXd3TW1qYVVE?= =?utf-8?B?RTcrN0pOY3pjRDFyZ3ViZjlWT25WL1k2ZzhEcDZpNWlleGhWUEtodnIvZzFk?= =?utf-8?B?aWxhamN4eDFIUVJZSGd5QmRHOGpRUGZhejV4RHA2VTArRFROQUhmUT09?=
MIME-Version: 1.0
X-OriginatorOrg: liquidtelecom.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR03MB7622.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 76f94cad-eb89-4562-d5f0-08d99809e93e
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Oct 2021 22:50:58.3748 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68792612-0f0e-46cb-b16a-fcb82fd80cb1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: As5UdLfWX5xMr6w4T69gd1gO8mT1bAjelCKRMEk2TbuZ4PVdqfrKaYl9eu4UbGcLluxb3wDUaIwSGrATP1Sy3NafvZKGb5QvxAtwA5Ruo3s=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR03MB7587
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C82A168 smtp.mailfrom=andrew.alston@liquidtelecom.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: liquidtelecom.com
Content-Language: en-GB
Content-Type: multipart/alternative; boundary="_000_1A8239F924874514AC325B3CAD71675Cliquidtelecomcom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/12PwgIRrXRqtKnU6XCrjebcih90>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 22:52:04 -0000

I'm assuming that in this scenario your "Rogue host A" is one that has intentionally added to the SRH domain (either by allowing your new ether-type, or manually removing the "limited domain prefix filter")? If so, then yes, bad things happen. This seems largely the same as "I decided to add "Rogue host A" to my MPLS domain so it could MPLS", or I added "Rogue host A" to my IGP, because reasons...
Making a host able to influence routing, whether it is part of something like MPLS, SR<something>, or in your IGP makes that host able to do bad things...


See that’s the thing Warren – with MPLS – it’s a default fail-closed – with a prefix list that has to be applied to every interface – well – things get missed.  And these prefix lists would have be applied to every L3 interface – and again – I fear you’re going to have tcam problems if you try and apply an LPM filter to every interface on a massive device with thousands of interfaces.  You can’t apply filters in the way you would for CoPP – these become specific prefix filters.  I’m just convinced that’s either practical or it’s going to really work,.  Also – if you look at the scenario I sketched – that rogue doesn’t doesn’t just affect you – because if it changes the source of the inner packet and causes it to broadcast – the replies are going to affect things on a far wider basis – your routers just became amplifiers for an attack aimed externally.



You are right – the ether-type may have sailed – but as I said – so far – my tests indicate that a single host would allow you to launch far more damaging attacks in this scenario than it would if it couldn’t inject weird packets



Andrew




Now - the inner packet is a v4 packet - it has a source set to random host attacker doesn’t like - and its destination is 255.255.255.255<http://255.255.255.255> - which thanks to rfc919 will not forward - when that deencap happens - does the packet get dropped because it can't be forwarded - or does it get treated as a local broadcast. This is a rather undefined scenario - if however it DOES get treated as a local broadcast - well - then we have a really big problem - that’s called smurf-v2 (and even if 255.255.255.255<http://255.255.255.255> doesn’t work - more specific broadcasts that are attached may well work). At this point - when the broadcast packet hits the hosts behind those broadcasts - they will reply to the spoofed source - this will follow stock standard routing outbound - and the protections we would normally use aren’t gonna work (the source of replies to the broadcast packets would be the hosts - they are permitted to send packets to the internet)

Another scenario - sending to multicast addresses post de-encap - do we have a potential attack vector to poison ND?  Again - haven't had the time to test this.

Same thing applies to a whole long list of other things - effectively - if you get one compromised host on the network that can inject a packet that will de-encap and act on the inner packet - with absolutely zero mechanisms for verification of what is in that inner packet or how to handle it - the list of possible problems is - extensive to say the last.  All I am saying is - we need to really step back and think - and I think this needs a veryyyyy close look - because in initial tests  I have done - and without the above additional tests - I can tell you my results are looking positively scary (and once I complete the full set I'll publish some scenarios and results with more detail)

Andrew


On 26/10/2021, 00:48, "v6ops on behalf of Gert Doering" <v6ops-bounces@ietf.org<mailto:v6ops-bounces@ietf.org> on behalf of gert@space.net<mailto:gert@space.net>> wrote:

    Hi,

    On Tue, Oct 26, 2021 at 10:44:32AM +1300, Brian E Carpenter wrote:
    > On 26-Oct-21 10:31, Gert Doering wrote:
    > > On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
    > >> I somewhat like the idea of having a well known prefix for "limited
    > >> domains"
    >
    > fc00::/7 works well. RFC8994 is a worked example.

    So how would that work for an ISP network trying to run SR6, protecting
    its network from rogue hosts inside?  Without having GUAs on the SR6
    routers that would happily decapsulate incoming SR6 packets, and
    without violating lots of rules about "do not leak ULAs outside
    your network" (traceroute and other ICMP errors)?

    I lack imagination today...

    Gert Doering
            -- NetMaster
    --
    have you enabled IPv6 on something today...?

    SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
    Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
    D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
    Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops<https://www.ietf.org/mailman/listinfo/v6ops>


--
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra