IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

RJ Atkinson <rja.lists@gmail.com> Fri, 01 June 2012 12:44 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C36811E8536 for <v6ops@ietfa.amsl.com>; Fri, 1 Jun 2012 05:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.511
X-Spam-Level:
X-Spam-Status: No, score=-3.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PYHMKBOCds+b for <v6ops@ietfa.amsl.com>; Fri, 1 Jun 2012 05:44:52 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id A456F21F8C0D for <v6ops@ietf.org>; Fri, 1 Jun 2012 05:44:47 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so1400929vcq.31 for <v6ops@ietf.org>; Fri, 01 Jun 2012 05:44:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=rpofXknMoub05rQWoq5VBXYL2pshZLEPa1YJFTTZSnI=; b=mOd2QLxI8PZVehRq+ZsiTx6HL+7HjIAIlSKfYdEJd61Mb9f05wLudvK+MfrO8+YOlz ebsJr1FMxF7q1VcR0DsMHROKc165ZcsWkkhrjURtDWRwvrJ4FQ/X651Rr10C71eBn0Xk 7ywu9QCojDDTFY1U9kiILYWugJuxYhQd3+9p0KLCXKpqRGORiiM2FeEzUnfSmbTAoeb6 hD9HIe47LWYK9+cXrD7iWAfXgmvs/y0v/VqhUwMgsPuHsiVi1g9xRx9nXxM11WaUfF2t AI7XFAmea3Q611JVDhXBny8eI6Ti8x0ZVEf5up573Wtx2dLo4y4zA+KBBLJ5WEMj+AsE uOgA==
Received: by 10.52.93.50 with SMTP id cr18mr2318779vdb.41.1338554687030; Fri, 01 Jun 2012 05:44:47 -0700 (PDT)
Received: from [10.30.20.11] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id n2sm2907507vdj.3.2012.06.01.05.44.45 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 01 Jun 2012 05:44:45 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="iso-8859-1"
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <4FC81786.10207@gont.com.ar>
Date: Fri, 01 Jun 2012 08:44:46 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <F6D9E3C8-9360-4EB1-BB05-1F29ED42D21D@gmail.com>
References: <7BAC243D-7B55-460E-B36C-52CA83F12B78@gmail.com> <4FC6AAD4.4090108@si6networks.com> <13205C286662DE4387D9AF3AC30EF456D76C44FF13@EMBX01-WF.jnpr.net> <4FC7864D.8000307@si6networks.com> <13205C286662DE4387D9AF3AC30EF456D76C450163@EMBX01-WF.jnpr.net> <4FC7934B.4010205@si6networks.com> <49E46AEE-9BB2-4A08-8069-29D692B21B6B@gmail.com> <4FC7BE00.10403@si6networks.com> <67981392-14C0-46D6-B8E4-D50BEDF7D5FE@gmail.com> <4FC81786.10207@gont.com.ar>
To: Fernando Gont <fernando@gont.com.ar>
X-Mailer: Apple Mail (2.1278)
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2012 12:44:53 -0000

On 31  May 2012, at 21:14 , Fernando Gont wrote:
> But it was argued (in 6man) that of parsing the entire IPv6 header
> chain at a layer-2 device was easily doable, and hence there was no need
> to limit possible extensions of ND (based on ext headers).

If the RA Guard built into the Layer-2 device is built using
software on an off the shelf CPU/NP, then the device likely 
can't parse the entire IPv6 header chain at wire speed -- 
thereby creating a new easily exploited DOS attack vector
on the RA Guard device.  This seems like a cure worse than
the disease -- as the Ethernet switch connecting everything dies.

> In any case, if anything, this would be an argument to the extent to
> which ra-guard is simple/possible to implement, rather than about
> whether we should leave rule #4 in or out.

No.  It is a reality-check.  Absent custom silicon (FPGA/ASIC),
it isn't going to be practical to parse deeply into the packet
at interesting fractions of wire-speed.  So deploying the RA Guard
will create a new avoidable DOS attack vector.

To prevent that, no matter what the RA Guard spec says, it is extremely
likely that many implementations will give up on parsing after N bytes
-- and generally it is a byte limit (rather than a header count limit)
from an implementation perspective.

>> So some (we hope not many) real world RA Guard implementations will
>> not be able to figure out whether a particular valid IPv6 packet is
>> valid or not, due to implementation-specific limitations of that
>> particular RA Guard implementation.
> 
> I would expect that RA-Guard implementation enforce a limit on the
> number of ext headers that they process (rather than of "bytes" that are
> "jumped over").

That expectation appears to be disjoint from the way this is likely
to be implemented, especially on a Layer-2 only device.

Ethernet switch implementers are, for performance reasons, under
a lot of pressure to avoid a "store and forward" implementation
strategy.  Instead, to get the switching times down into a range
competitive with the marketplace, the switches try to forward
frames after looking at the first N bytes (for the smallest N practical,
as a larger N typically increases the switch latency).  In turn,
many customers buy switches with smaller switching latency.  So
their product optimisation is strongly biased away from being able
to perform deep packet inspection -- which is what RA Guard effectively
requires.

My expectation is that useful RA Guards will be implemented inside
firewalls or inside IPv6 routers that have extensive ACL capabilities
(extensive L4 ACLs typically require packet parsing and examination
well beyond the IPv6 base header, so adding the RA Guard won't be as
big a change).

> My take is that those packets will not survive the public IPv6 Internet.
> Stateless firewalls will block those packets when the
> implementation-specific limit is hit.

A state-less firewall is much more likely to use a store-and-decide
architecture than a Layer-2 switch, precisely because their main purpose
is Deep Packet Inspection.  

Firewalls typically have some implementation-specific DPI limit, 
but they normally go MUCH deeper into a packet than a Layer-2 device 
such as an Ethernet switch.  

Also, a state-less firewall is much more likely to have some form of
silicon assistance (e.g. FPGA/ASIC) in parsing into the packets
to keep performance up.  This also helps firewalls with functions 
such as allowing some ICMP message types, but disallowing other 
ICMP message types.

Based on these implementation differences, the RA Guard built into
a Layer-2 switch is the likely place that otherwise valid packets 
might be dropped.  The firewalls are much more likely to be able
to parse the whole received 1st fragment and make an informed decision.


>> Since the hosts will be protecting themselves from any RAs trying to
>> hide behind Fragment Headers, there is no risk to having Rule 4
>> either disappear or be changed to allow all packets where the
>> particular RA Guard implementation can't figure out whether a given
>> IPv6 packet is valid or not.
> 
> I fully agree with this when it comes to updated host implementations.
> However, if the rules are changed as you indicate, those "legacy"
> implementations that still allow the use of fragmentation with ND would
> remain vulnerable.

The probability is that those host implementations will get updated
MUCH MUCH faster than the RA Guard implementations built to this spec
could be implemented, shipped, and deployed.  The host OS implementers
have been known to ship exactly this kind of security fix in maintenance 
releases, without waiting for a new major release of their OS.

Rule 4 ought not to allow an uninformed drop.  If the RA Guard parses
the whole packet and confirms that the full header chain isn't present 
in a 1st fragment packet, then dropping that packet is OK.  

However, if the RA Guard can't decide -- which will only be due to some
implementation limitation within that RA Guard -- then the packet 
should be sent along.

One of the differences between the IETF and some other standards
bodies is that the IETF tries to remain grounded in implementation
realities.  In this case, that means we want a specification that
is realistic about various products having varying ability to 
perform DPI at speed to check for rogue RAs.

"Do no harm" is a very good principle here that needs to be kept in mind.
Dropping valid IPv6 packets is harmful to the network, and needs to be 
explicitly forbidden.  The best way to ensure this is to modify Rule 4.

>> At a more architectural level, if the IPv6 specs need to change, then
>> I'd like to see those changes proposed and accepted by the 6MAN WG
>> (or its successors) -- rather than having an IETF recommended 
>> operational practice have the result of changing the IPv6 specs 
>> without bothering to update the actual IPv6 specs.
> 
> I personally believe that the specs should be changed -- for instance,
> we're pursuing that effort in 6man with
> draft-gont-6man-oversized-header-chain (about which 6man should be
> polled soon).

I'm glad we at least agree on process.  I look forward to seeing the
new revision of these I-Ds.

Yours,

Ran

v2.23.0 | Report a Bug | By Email