Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
RJ Atkinson <rja.lists@gmail.com> Wed, 30 May 2012 01:02 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEDF521F8716 for <v6ops@ietfa.amsl.com>; Tue, 29 May 2012 18:02:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNJo4VTsP6Bh for <v6ops@ietfa.amsl.com>; Tue, 29 May 2012 18:02:39 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6113121F8712 for <v6ops@ietf.org>; Tue, 29 May 2012 18:02:39 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so2940480vcq.31 for <v6ops@ietf.org>; Tue, 29 May 2012 18:02:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=a/xtvlOEWlXPY/HOJsyWLMLRjn+i22EFvEy6zBDw5vA=; b=ia4MMMPb56l6uQ3iii63nB8xvP1WJcdZLCkDJ13NcyybJGteF5Ed+82joTXMjGE2x2 WBo6ROfnm9bdMn0+TLZoui4NM0+SZDvEBo9EoxzDUBmsdYUJIzEH9nsPAFFHBZK/BcXA tFszzkluTgIwK7k/FhygZc403lQEXmFf1MvAagbnrbB8OolcYPFOljg4nZH0ga2kiBsC lXdDvKLLTxTboCsKAKiCWiGgwSa4tTC8xjOFJEznoT8KucXUFNUVvoKRn8SGEBa2xRAW VyfuOX5LsPXOxA3czQcThHgzLnYJy4BE7Sl3KDHPcX0DChxVJmH+BNIvQ+dk0fI21B1T CJNg==
Received: by 10.52.155.193 with SMTP id vy1mr12660621vdb.123.1338339758403; Tue, 29 May 2012 18:02:38 -0700 (PDT)
Received: from [10.30.20.11] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id t15sm27116565vdj.3.2012.05.29.18.02.36 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 29 May 2012 18:02:37 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="iso-8859-1"
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <4FC52FD3.9060206@gont.com.ar>
Date: Tue, 29 May 2012 21:02:35 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB2444D4-E85B-4E61-9944-47FB1E369203@gmail.com>
References: <20120529143900.25613.76678.idtracker@ietfa.amsl.com> <3B0A71DA-8846-4FFF-9AD8-9B106EF8799B@gmail.com> <4FC52FD3.9060206@gont.com.ar>
To: Fernando Gont <fernando@gont.com.ar>
X-Mailer: Apple Mail (2.1278)
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2012 01:02:41 -0000
On 29 May 2012, at 16:21 , Fernando Gont wrote: > Meta-answer: This document is a BCP on how to implement RA-Guard, *not* > a BCP that RA-Guard should be deployed. -- i.e., we're not saying > whether you should or should not deploy ra-guard, but rather "if you > implement ra-guard, you should do it this way". > > -- I'm just double-checking that this is the angle from which you've > read the document... Yes. If a Layer-2 device that implements the RA Guard feature is unable to discern whether a packet contains an RA or not -- then that device ought to bridge/transmit the uncertain packet rather than drop it. > On 05/29/2012 01:38 PM, RJ Atkinson wrote: >> 1) Layer-2 Processing Rule causes valid IPv6 packets to be dropped >> >> MULTIPLE ISSUES: >> >> Rule #4 in this document is overly restrictive. Implementing >> this rule has the effect of changing the IPv6 specifications >> to prohibit otherwise legitimate packets that violate this new >> and somewhat arbitrary rule, which is an unreasonable change. >> In effect, this cure (i.e. Rule 4) is worse operationally than >> the potential disease. > > To some extent, RA-Guard does firewalling at layer-2. No. It doesn't. If one wants to raise the issue of options, optional headers, and fragmentation, then one really really has some Layer-3 capabilities -- or ought to. > This means that,as with stateless filtering, there's a point at which you > need to draw a line that says what you consider acceptable, and what not... > and as with layer-3 stateless firewalls, there is (at least theoretically > speaking) a risk of false positives. If those false positives outweigh the > benefits of firewalling in the first place, you simply do not deploy the firewall > (or in this case, RA-Guard) Not a good comparison. Many stateless firewalls that are widely deployed transmit uncertain packets, rather than dropping them. Separately, folks do NOT want IPv6 to be broken and balkanised in the way that IPv4 was. This spec can be fixed. The earlier note described a simple and sufficient fix. >> Further, Layer-2 only devices (e.g. Ethernet bridges/switches) are >> commonly, correctly, and legitimately used to interconnect different >> segments of the same IPv6 subnetwork. So a Layer-2 device cannot >> know whether a particular RA Advertisement is valid or not -- that >> information is simply not available at Layer-2 in a dependable way. > > I those scenarios, you either manually configure every layer-2 device in > an appropriate way, or you simply do not deploy ra-guard. That doesn't work, as I noted in the original post. >> Absent manual configuration that tells the Layer-2 device which ports >> might connect to routers, the Layer-2 device separately cannot know >> which "ports ... are not allowed to send ICMPv6 Router Advertisement >> messages". > > Exactly. You should manually configure the device with this information, > *and* you should manually enable ra-guard. However, this document doesn't require that such implementations even possess the capability of being configured with that data. So again, not a good reason. >> Separately, in a network that contains wireless elements, routers >> might connect to different Layer-2 base stations at different times. >> In turn, those different Layer-2 base stations are very likely to >> connect to different Layer-2 ports on different Layer-2 switches/bridges. >> Such Layer-2 switches/bridges generally cannot know that a wireless >> aspect exists in the deployment. So this is another reason that a >> Layer-2 only device is not the correct place to be trying to filter >> ICMPv6 RA packets. > > In those scenarios, you'd simply not deploy ra-guard. That is not noted in Security Considerations for this document. > As noted at the beginning of this e-mail, my take is that you assume > that we're encouraging ra-guard deployment for the general case, No I don't. > But this document simply specifies how you should *implement* ra-guard, and > doesn't argue in favor (or against) its deployment. The proposed implementation is broken. It requires that RA-Guard implementations drop completely valid non-RA IPv6 packets in some situations. >> Removing this rule creates no new security risk as the any actual >> problem packet can be detected and dropped later -- either by an >> IPv6-capable router or an IPv6-capable firewall -- one that is >> located at an IPv6 subnetwork boundary. > > How would you block malicious RAs originating from the local subnetwork? With a real RA Guard, implemented properly, that knows it is dropping packets that (1) contain an RA message type and (2) are invalid. The problem is with your concept of a Layer-2 only device that is an RA Guard. The functions needed to make a correct determination about packets aren't available in (most, all) Layer-2-only devices. Devices that implement RA Guard need to have at least sufficient Layer-3 capabilities to distinguish RA packets from non-RA packets. With such correct implementations, Rule 4 being inverted is a hop. With incorrect implementations, Rule 4 being inverted ensures that valid IPv6 packets are not dropped. >> PROPOSED ACTION: >> >> The current Rule #4 should be have its meaning inverted (i.e. If a >> Layer-2 device is unable to identify whether the packet is an ICMPv6 >> Router Advertisement, then the packet should be transmitted without >> modification) and text referring to that rule also should be edited >> heavily to outline the issues noted above as the reason for the >> "transmit if in doubt" policy for a Layer-2 device. > > As noted above, this document just specifies how to implement RA-Guard, ...which specification is incomplete or wrong, as I noted in my previous note. > When it comes to actual deployment, there are may be trade-offs (as > discussed above). But if you do decide to deploy RA-Guard, you probably > do not want a "default allow" rule (because attackers would certainly > use any of the evasion techniques described in the document)... (ASIDE: "Security Considerations" needs more specific and detailed discussion of those deployment and operational trade-offs than it has at present.) I know of lots of folks who'd be interested in RA-Guard, if the specification weren't broken in a way that can cause valid IPv6 packets that are not RA packets to be dropped. So they would prefer the inversion of Rule 4. One of the main advantages of IPv6 is that it is not currently broken by lots of mis-specified (pseudo-)security devices. Please change this document so that it won't cause valid IPv6 non-RA packets to be dropped. Please don't break IPv6. Yours, Ran
- [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-imp… The IESG
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Marc Lampo
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ray Hunter
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Washam Fan
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… George, Wes
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel M. Halpern
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ran Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel jaeggli
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Marc Blanchet
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ray Hunter
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel M. Halpern
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Nick Hilliard
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-imp… The IESG