IETF Logo Mail Archive

Re: [v6ops] Fwd: New Version Notification for draft-wkumari-long-headers-01.txt

Nick Hilliard <nick@inex.ie> Fri, 05 July 2013 14:07 UTC

Return-Path: <nick@inex.ie>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C938711E80A5 for <v6ops@ietfa.amsl.com>; Fri, 5 Jul 2013 07:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kphkA6Vfind5 for <v6ops@ietfa.amsl.com>; Fri, 5 Jul 2013 07:07:09 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) by ietfa.amsl.com (Postfix) with ESMTP id BDB0021F9DEE for <v6ops@ietf.org>; Fri, 5 Jul 2013 07:06:59 -0700 (PDT)
X-Envelope-To: v6ops@ietf.org
Received: from crumpet.dyn.netability.ie (pancake.netability.ie [87.198.142.197]) (authenticated bits=0) by mail.netability.ie (8.14.7/8.14.5) with ESMTP id r65E6tid039092 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 5 Jul 2013 15:06:56 +0100 (IST) (envelope-from nick@inex.ie)
X-Authentication-Warning: cheesecake.netability.ie: Host pancake.netability.ie [87.198.142.197] claimed to be crumpet.dyn.netability.ie
Message-ID: <51D6D2FF.40305@inex.ie>
Date: Fri, 05 Jul 2013 15:06:55 +0100
From: Nick Hilliard <nick@inex.ie>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Joe Touch <touch@isi.edu>
References: <20130703235521.17726.15468.idtracker@ietfa.amsl.com> <0BDA30D8-AEDC-4E18-8ACE-64A032305F07@kumari.net> <1372897534.35448.YahooMailNeo@web2802.biz.mail.ne1.yahoo.com> <CAD6AjGSGeNHPUs9+F6OOAeDOy_FZpTOGkH6viX_fENca4H8X0g@mail.gmail.com> <1372899240.80312.YahooMailNeo@web2803.biz.mail.ne1.yahoo.com> <51D614F6.4030000@isi.edu> <51D6A1C9.8030208@inex.ie> <51D6C2FF.4090103@isi.edu> <51D6C509.7040806@inex.ie> <51D6C66E.5060901@isi.edu> <51D6C7D2.6020504@inex.ie> <51D6CBB9.2060200@isi.edu>
In-Reply-To: <51D6CBB9.2060200@isi.edu>
X-Enigmail-Version: 1.5.1
X-Company-Info-1: Internet Neutral Exchange Association Limited. Registered in Ireland No. 253804
X-Company-Info-2: Registered Offices: 1-2, Marino Mart, Fairview, Dublin 3
X-Company-Info-3: Internet Neutral Exchange Association Limited is limited by guarantee
X-Company-Info-4: Offices: 4027 Kingswood Road, Citywest, Dublin 24.
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Fwd: New Version Notification for draft-wkumari-long-headers-01.txt
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2013 14:07:10 -0000

On 05/07/2013 14:35, Joe Touch wrote:
> ... then limiting the forwarding chain won't help because these aren't
> forwarded by that router.

then your understanding of modern routers is incorrect.

Let's say you have an IPv6 address on a router interface - it doesn't
matter if it's used for management or not.  If it's pingable, then the ping
packets will be directed to the router management or route processor engine
for slow path processing.  We use control plan policing or equivalent
technologies to ensure that packets of this form do not overload the RE / RP.

In order to implement CoPP/RE firewalling, we need hardware ACL support to
be able to distinguish between the sorts of packets that we want to see and
the ones we don't.  In practice, this means implementing sophisticated ACL
+ QoS support in hardware. Consequently, this means that we need the
ability to inspect reasonably deeply into ipv6 packet headers.

On several well known router engines, this functionality is not there
because the lookup engines cannot inspect far enough into the packet header
to handle ipv6 headers properly.  Consequently, large chunks of the
internet run on equipment which cannot be protected against trivial pps
based ipv6 attacks.  On some of them, it turns out that it doesn't matter
whether it's pingable or not, because you can craft IPv6 packets which can
bypass the hardware classification mechanisms.  All you need to know is the
ipv6 address of any interface on the box, and you can trivially trash it
remotely.

On this basis, I would suggest that this is not just a technical problem,
but a really serious technical problem with potentially devastating
operational consequences.

Nick

v2.23.0 | Report a Bug | By Email