IETF Logo Mail Archive

Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

Truman Boyes <truman@suspicious.org> Sun, 23 August 2009 05:04 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD7E13A6A66 for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 22:04:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqCNV1S7FD36 for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 22:04:30 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 2FD683A67D1 for <v6ops-archive@lists.ietf.org>; Sat, 22 Aug 2009 22:04:30 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Mf5AI-000FqV-U6 for v6ops-data0@psg.com; Sun, 23 Aug 2009 04:58:50 +0000
Received: from [2001:470:8859:cafe:20c:29ff:fec5:e30a] (helo=research.suspicious.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <truman@suspicious.org>) id 1Mf5AD-000FpZ-9W for v6ops@ops.ietf.org; Sun, 23 Aug 2009 04:58:48 +0000
Received: from [IPv6:2001::53aa:64c:0:e0bf:9f0d:6265] (unknown [IPv6:2001:0:53aa:64c:0:e0bf:9f0d:6265]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by research.suspicious.org (Postfix) with ESMTPSA id D46DA7FE0; Sun, 23 Aug 2009 00:58:42 -0400 (EDT)
Cc: IPv6 Operations <v6ops@ops.ietf.org>
Message-Id: <390865C6-3343-4C31-9767-6E0FCA4481DD@suspicious.org>
From: Truman Boyes <truman@suspicious.org>
To: james woodyatt <jhw@apple.com>
In-Reply-To: <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-17--34100891"
Mime-Version: 1.0 (Apple Message framework v935.3)
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Date: Sun, 23 Aug 2009 00:58:42 -0400
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
X-Mailer: Apple Mail (2.935.3)
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

Greetings,

This is quite confusing from an implementation perspective; security  
is not explicitly increased by prohibiting non-encrypted tunnels but  
allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply  
serve as a driver to make all tunnel encapsulations use ESP/AH?

Kind regards,
Truman Boyes


On 22/08/2009, at 3:03 PM, james woodyatt wrote:

> On Aug 22, 2009, at 04:01, Yaron Sheffer wrote:
>>
>> In other words, the CPE is only required to verify that the *outer*  
>> packet
>> is protected; if it is not protected, the standard internal- 
>> initiator policy
>> applies, plus the gateway should drop suspicious GRE and IP-IP  
>> tunnels.
>
> Ah, I think I see where the confusion is arising.  The  
> recommendation to allow IPsec AH and ESP transport mode in both  
> directions suffice to police the outer packet header chain.
>
> R20  In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit
>      the forwarding of packets, to and from legitimate node addresses,
>      with destination extension headers of type "Authenticated Header
>      (AH)" [RFC4302] in their outer IP extension header chain.
>
> R21  In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit
>      the forwarding of packets, to and from legitimate node addresses,
>      with an upper layer protocol of type "Encapsulating Security
>      Payload (ESP)" [RFC4303] in their outer IP extension header  
> chain.
>
> What you would prefer to see is that section 3.2.7 be deleted in its  
> entirety, which is precisely what I proposed at IETF 75 in  
> Stockholm, and which failed to achieve consensus.  Perhaps, after  
> further discussion, this option will seem sensible to a larger  
> fraction of participants?
>
> However, I should note that allowing outbound tunnel initiations  
> still doesn't address the concern I described in my previous message.
>
> [My proposed text for section 3.2.7 to address this concern.]
>>>
>
>>> While residential IPv6 gateways are not expected to prohibit  
>>> virtual private networks from operating with tunnel endpoints  
>>> located at interior nodes, it is important to protect interior  
>>> networks from being reachable through routes created remotely by  
>>> exploiting vulnerable interior hosts.  Therefore, residential IPv6  
>>> gateways are expected to require tunnel encapsulations to be  
>>> protected by a cryptographic protocol.
>
> If the perception is that flows encapsulated in tunnels must be  
> subject to a stateful filtering regime to protect the interior  
> network against exploits against vulnerable tunnel endpoint hosts,  
> and if requiring such encapsulated flows to be encrypted with IPsec- 
> in-IPv6-in-IPv6 is regarded as an acceptable way to meet the  
> perceived need to protect all encapsulated flows with a  
> cryptographic protocol, then simply treating outbound tunnel  
> initiations as any other unrecognized protocol would be insufficient  
> to address the objections in the working group to taking this draft  
> to Last Call.
>
> How should we proceed?
>
>
> --
> james woodyatt <jhw@apple.com>
> member of technical staff, communications engineering
>
>
>

v2.23.0 | Report a Bug | By Email