IETF Logo Mail Archive

Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

Ole Troan <otroan@employees.org> Wed, 22 April 2015 07:27 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D08F81B32B5 for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 00:27:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mU9T6R93VWGb for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 00:27:12 -0700 (PDT)
Received: from banjo.employees.org (banjo.employees.org [IPv6:2001:1868:205::19]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC01E1B329A for <v6ops@ietf.org>; Wed, 22 Apr 2015 00:27:05 -0700 (PDT)
Received: from banjo.employees.org (localhost [127.0.0.1]) by banjo.employees.org (Postfix) with ESMTP id 57F6D60CC; Wed, 22 Apr 2015 00:27:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h=subject :mime-version:content-type:from:in-reply-to:date:cc:message-id :references:to; s=selector1; bh=DHuuXmPDh0j/tMg5mc9+/leqmAE=; b= ekSWO9MzcON2WmlWLuhJEDuJzmx1bIipLQ+z50NeS6MtCUsS6LoQt/651SeZX7A0 GoTwpCCjTLEv9WkVMxoIcfrSDKqoxKEvd41ucWEQ8NkMcnA12qsS2t6Eq7yQOvdC hUe90vU4nFxX7eAWUwj+YDWtJPdcSJcWqgd2LWB1444=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h=subject :mime-version:content-type:from:in-reply-to:date:cc:message-id :references:to; q=dns; s=selector1; b=QMBhf0DQJhT+VP/ccvjKqql9Gx Py6lUQ/i9bNOCeywrWE0eR9gju0YS5A1TM9AqzZztIffhBvczbBL/YDwmnqKT1tH L0AgaiwweywUEwyRKHLxuppuWgPLMg+NF943uOVX3Pj7elqtTAiHZ/ZtVEhUew/n sJVE8mqx/Bf0/leNg=
Received: from gomlefisk.localdomain (unknown [173.38.220.50]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: otroan) by banjo.employees.org (Postfix) with ESMTPSA id 97DFB60B7; Wed, 22 Apr 2015 00:27:03 -0700 (PDT)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by gomlefisk.localdomain (Postfix) with ESMTP id 2C07C4305C99; Wed, 22 Apr 2015 09:27:01 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_7CB169CF-71FB-4DB2-ACC0-C2E46CD7DBC9"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5b6
From: Ole Troan <otroan@employees.org>
In-Reply-To: <20150422.084056.74672865.sthaug@nethelp.no>
Date: Wed, 22 Apr 2015 09:27:00 +0200
Message-Id: <FE19165A-A01C-48E7-B9AD-C929252600FB@employees.org>
References: <553696EC.4060207@isi.edu> <55369855.1040101@joelhalpern.com> <55369B2D.80906@isi.edu> <20150422.084056.74672865.sthaug@nethelp.no>
To: sthaug@nethelp.no
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/7kdNFihHe2UeyacWpQmOoFN_PCc>
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, v6ops@ietf.org, fgont@si6networks.com, merike@doubleshotsecurity.com
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 07:27:17 -0000

Steinar,

>> Protecting the control plane can be done by the receiving host
>> (destination router).
> 
> This is a fundamental disagreement. Protecting the control plane needs
> to be done by *all* intermediate routers in today's somewhat hostile
> Internet environment. That also includes some traffic not explicitly
> addressed to the routers themselves (for instance traceroute to a
> destination reached *through* the routers). Only looking at traffic
> addressed to the routers themselves is not sufficient.

assuming we’re talking about a transit provider and transit traffic.
to help those of us who are lacking operational clue, could you expand on the cases where this is necessary?

>> Protecting the network as a whole is useful, and may involve some level
>> of DPI - or may not. If the traffic is encrypted, then only the
>> destination router can protect itself anyway. But dropping the packets
>> because of EH use just makes the filtering router an attacker to the E2E
>> communication between the routers.
> 
> We have some services that are available within our AS, and should not
> be available outside the AS. One such example is DNS resolvers (there
> are others). We have chosen to block such services at the border - by
> having the border routers explicitly blocking UDP/TCP port 53 to the
> resolver addresses. This obviously means the border routers must be
> able to *find* the UDP/TCP header in that part of the IPv6 packet they
> are able to inspect at line rate. This is not "DPI" in any sense of
> the word - it is very basic filtering.
> 
> And here, I assume, is the next disagreement. If the UDP/TCP headers
> cannot be found because IPv6 EHs have pushed them beyond what the
> routers can inspect at line rate - the packet will be dropped.

if you drop packets with DA == your DNS server where you cannot find the L4 information, that seems perfectly fine.
if you drop packets with _any_ DA where you cannot find (or understand) the L4 information then you are offering broken service. again talking about transit here.
to do the former you don’t need to parse deep into the packet, nor deprecate EHs.

> If we can get improved filtering capabilities in our routers as part
> of regular equipment upgrade cycles - great, everybody is happy. But
> we are not likely to buy significantly more expensive routers *just*
> to be able to peek further into the packets (number of customers
> needing this are *many* orders of magnitude too low - if they exist
> at all).

even if you had routers that could parse to the end of the packet, I don’t quite see how that “helps”. the Internet’s success is to a large extent based on being able to route around broken networks, like this would be.

cheers,
Ole

v2.23.0 | Report a Bug | By Email