IETF Logo Mail Archive

Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

"Fred Baker (fred)" <fred@cisco.com> Tue, 12 November 2013 21:54 UTC

Return-Path: <fred@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2551721E80E4 for <v6ops@ietfa.amsl.com>; Tue, 12 Nov 2013 13:54:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.432
X-Spam-Level:
X-Spam-Status: No, score=-110.432 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZfAxlFtiBCr for <v6ops@ietfa.amsl.com>; Tue, 12 Nov 2013 13:54:18 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id F2AA421F9D28 for <v6ops@ietf.org>; Tue, 12 Nov 2013 13:54:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5289; q=dns/txt; s=iport; t=1384293258; x=1385502858; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=oWhOeOB9PKS1bwQXxy26k0sPQ5VhhzWeqMuLEhjkFQw=; b=EL0DMMsAkWBwGeEHRFGkjkMAsolimXG8GXls0s4GyRerBj2DDFlAPl6S GR9UAgkJ6sS3Ow9AykG+GLI4c3u25Lp2jOi+CY7Ps7ViCNeHvDB7qrw8M KNXe1bPfR5AwoaTmCyMokGXqgtbRoZHQzOdyko2DqLtYvEf+B/PIgT5MT 0=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag4FAJWiglKtJV2Y/2dsb2JhbABagwc4U78jgSoWdIImAQEEZSQCAQhGMiUCBCEMh2cNvy+OFoFQgyCBEQOQMIEwhi+SCoMmgWoHFwYc
X-IronPort-AV: E=Sophos; i="4.93,688,1378857600"; d="asc'?scan'208"; a="283918336"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-7.cisco.com with ESMTP; 12 Nov 2013 21:54:17 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id rACLsHF1025339 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <v6ops@ietf.org>; Tue, 12 Nov 2013 21:54:17 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.122]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.03.0123.003; Tue, 12 Nov 2013 15:54:16 -0600
From: "Fred Baker (fred)" <fred@cisco.com>
To: "v6ops@ietf.org WG" <v6ops@ietf.org>
Thread-Topic: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Thread-Index: AQHO3/G7AQKm550kHkGXsuv091nq1Q==
Date: Tue, 12 Nov 2013 21:54:16 +0000
Message-ID: <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com>
In-Reply-To: <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.19.64.121]
Content-Type: multipart/signed; boundary="Apple-Mail=_E6159D46-DEB4-43E6-8356-4705C6A8B81F"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2013 21:54:23 -0000

This is a comment as a participant, not as a chair.

I find myself scratching my head with this, and found myself scratching my head with what became RFC 6092.

My first premise in both cases is that a firewall primarily mitigates attacks on the bandwidth of a network and an aggregated network. An attack that actually hits a host or application will have to be defended against by the host/application or a security service provided by some other device in the network; firewall rules provide a form of defense in depth, but no more. I compare a firewall to the human skin. The skin is, itself, hardly necessary for the "health security" of the body, as the other systems of the body could be active and mitigate attacks on the body. However, it makes active use of those capabilities less of a requirement by preventing certain classes of attacks.

My second premise is that any communication attempt directed to a network, or to a application in a network, that doesn't have a application in the network that willingly communicates with it is an attack.

Now, we have tools - PCP, UPnP - that enable an application to inform the network of its approving presence. If I want someone to be able to connect to a given device using IPsec, when the device comes up, it can inform the network of a n-tuple {application address, IPsec protocol ID, <any>}, and "poke a hole" in a firewall regardless of the description of the firewall. The administration can also log such requests and apply its own policy on whether it honors them. If I want them to initiate SMTP or https connections to a given system, it can similarly announce itself as {address, TCP, port, any, any}, and allow incoming SMTP connections to it.

So regardless of the firewall type, we have tools to enable an application in the network to make itself available to peers "outside". And of course, as suggested in zone-based defenses and in RFC 6092, when a application initiates a connection outside, by implication the firewall can open a "hole" for the return traffic.

So the only protocols, or peers using protocols, under discussion are those that have no application that is willing to have sessions initiated to it from the outside of the network.

RFC 6092 permits IPsec packets as a blanket rule. That facilitates two attacks. First, there is a form of network scanning enabled; a application outside the network can initiate IKE connections to addresses it thinks might exist in the network (observing, for example, email envelope information to find such addresses); if it gets a reply, something is using the address. Second, it can busy out the verification/decrypt unit in a application simply by sending it IPsec traffic that does not have a proper key. That can DOS the application's CPU resources or its communication resources. Now, if a application wants to communicate in that way and recognizes the vulnerability, it can open that hole. But if a application doesn't want to communicate that way (for example, it implements IPsec but the applications it uses have no keys to validate data with), what is the argument for leaving the vulnerability open?

draft-ietf-v6ops-balanced-ipv6-security implements a similar, and much wider, vulnerability. I might well have an http server in my network, but that doesn't imply that all hosts in my network are http servers. Even if many of the hosts in my network are http servers, that doesn't imply that my policy enables access to them from all possible clients. My http server can open a hole for itself, and can be armored to defend it against the many attacks that plague that protocol. My telephones (Cisco 9971 and iPhone 5) are, or can be, http servers as well. Does that mean that my call configuration and history should be available to anyone who wonders about it? Is the presence of one server a reason to expose the many hosts in my network that only operate as clients to HTTP initiated from the outside?

http://www.economist.com/news/science-and-technology/21589383-stung-revelations-ubiquitous-surveillance-and-compromised-software

From my perspective, I think I would prefer that the firewall - if implemented - blocked everything, and applications within the network advised the firewall(s) of traffic that they are willing to receive. If a potential session has no willing counterpart within my network, I don't see the argument for letting the first packet in.

v2.23.0 | Report a Bug | By Email