IETF Logo Mail Archive

Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop

Warren Kumari <warren@kumari.net> Sat, 20 October 2012 00:49 UTC

Return-Path: <warren@kumari.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA17F21F8522 for <v6ops@ietfa.amsl.com>; Fri, 19 Oct 2012 17:49:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.142
X-Spam-Level:
X-Spam-Status: No, score=-102.142 tagged_above=-999 required=5 tests=[AWL=0.457, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3nPBN7c+rGf for <v6ops@ietfa.amsl.com>; Fri, 19 Oct 2012 17:49:42 -0700 (PDT)
Received: from vimes.kumari.net (smtp1.kumari.net [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B02F21F8903 for <v6ops@ietf.org>; Fri, 19 Oct 2012 17:49:41 -0700 (PDT)
Received: from [10.196.219.128] (1-195.icannmeeting.org [199.91.195.1]) by vimes.kumari.net (Postfix) with ESMTPSA id 0869A1B401C3; Fri, 19 Oct 2012 20:49:41 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <20121018223121.28B2C2A0041D@drugs.dv.isc.org>
Date: Fri, 19 Oct 2012 20:49:41 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A08D31C1-5CF5-4380-851A-62F35FF11636@kumari.net>
References: <201210161245.q9GCj0i26478@ftpeng-update.cisco.com> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3A2@XCH-NW-01V.nw.nos.boeing.com> <507DA6A3.20807@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3C3@XCH-NW-01V.nw.nos.boeing.com> <507DAB13.2010704@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF3CE@XCH-NW-01V.nw.nos.boeing.com> <507DDF8A.9010607@inex.ie> <E1829B60731D1740BB7A0626B4FAF0A65E0DEDF5AB@XCH-NW-01V.nw.nos.boeing.com> <BB219517-B488-4777-AE9C-35C57BE91263@kumari.net> <Pine.LNX.4.64.1210171337470.7337@shell4.bayarea.net> <AC530E99-4054-4B0A-9B5C-30F9EF4A530C@kumari.net> <20121018223121.28B2C2A0041D@drugs.dv.isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.1499)
Cc: V6 Ops <v6ops@ietf.org>
Subject: Re: [v6ops] new draft: draft-taylor-v6ops-fragdrop
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Oct 2012 00:49:43 -0000

On Oct 18, 2012, at 6:31 PM, Mark Andrews <marka@isc.org> wrote:

> 
> repl: bad addresses:
> 	C. M. Heard <heard@pobox.com> -- no at-sign after local-part (<)
> 
> In message <AC530E99-4054-4B0A-9B5C-30F9EF4A530C@kumari.net>, Warren Kumari writes:
>> 
>> Yes, and part of the reason that packets are not reaching the core infrastr=
>> ucture at line rate is because operators have the ability to examine traffi=
>> c destined for the core infrastructure and filter / rate-limit it to someth=
>> ing reasonable. I may want to allow e.g traceroute to "core" stuff and toss=
>> that in one rate-limit bucket, but never allow SSH towards my core.  If I =
>> have fragments I have no way of knowing what they are supposed to be part o=
>> f, and so, er=85 =
> 
> So you want allow fragmented ICMP directed at core routers through and are worried
> that some non initial TCP fragments might make it through.  As far as I can tell
> letting through non initial TCP fragments doesn't increase your risk or attack
> surface at all.

Ah, sorry, I guess I was unclear --  the connection from the data plane to the control plane is much much smaller than the data plane interfaces. This means that I need to protect the CP / CP interface by classifying and filtering / policing / rate-limiting traffic before it hits the CP interface. This means that I need to be able to examine the traffic to classify it. If I get a fragment, I have no way of knowing what it is for, and so have no way of knowing which rate-limiter to apply. This means I can a: just drop it, b: guess at a classification, c: have a classifier for all fragments or d: just accept all frags.

This is part of a more general problem -- if I have a router with a 10G interface facing "the Internet"[0] and e.g a webserver connected behind it with a 1G interface I'd like to make sure that only port 80/443 traffic is vying for the limited bandwidth. As I cannot reassemble on the router, I cannot classify what non-initial fragments are to know if they should be allowed.
Yes, an attacker can (obviously) still DoS me with >1Gbps of traffic on port 80, but at least I can filter out the stupid attacks on other ports (which works surprisingly well :-P)

W 

[0]: any network filled with badness...


> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> 

--
Curse the dark, or light a match. You decide, it's your dark.
                -- Valdis Kletnieks

v2.23.0 | Report a Bug | By Email