IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

Washam Fan <washam.fan@gmail.com> Wed, 30 May 2012 08:39 UTC

Return-Path: <washam.fan@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 461B521F86FC for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 01:39:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFrPb3plI+Or for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 01:39:09 -0700 (PDT)
Received: from mail-wg0-f42.google.com (mail-wg0-f42.google.com [74.125.82.42]) by ietfa.amsl.com (Postfix) with ESMTP id E705021F86B5 for <v6ops@ietf.org>; Wed, 30 May 2012 01:39:08 -0700 (PDT)
Received: by wgbds11 with SMTP id ds11so3026154wgb.1 for <v6ops@ietf.org>; Wed, 30 May 2012 01:39:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=fsZ0KFeTKHRvADQUDaZaLiOy1CrQjdXK7zwlMGQ5MHU=; b=T+RsCl6ASltp3nxea7yM2p/CGU4ii+teztjNhYcmKZt0mWS/Wj8S8osUL6QCnOA5AU DNOsK+Zaojl5MpYku/Dxz/r0/eR8RzyNf5FssFEGcRHZ7oLcxrt7Du83BHdVK3SgfjOK QEuAaUV4OE+yQTi4lO83zXWlWRKOAq33jC/56zUwAWb+jPrNBfRwn/gBg4qJDS9n6yFc gNwbGO7UQ43ZTfB7vZlfFoU7WRW0C9uHXnsruTc+hOo1FnIiRhR5FlOqc7RC/90MRrOS hGkBxejAUIrbsXipzd5Hu9/WSNf+hyj7AGo4kBT99YtU9XU0y4Wdz0Cj031FWIqISilf i87A==
MIME-Version: 1.0
Received: by 10.216.202.14 with SMTP id c14mr10603452weo.63.1338367146951; Wed, 30 May 2012 01:39:06 -0700 (PDT)
Received: by 10.216.241.15 with HTTP; Wed, 30 May 2012 01:39:06 -0700 (PDT)
In-Reply-To: <4FC5D745.4080203@globis.net>
References: <20120529143900.25613.76678.idtracker@ietfa.amsl.com> <3B0A71DA-8846-4FFF-9AD8-9B106EF8799B@gmail.com> <4FC52FD3.9060206@gont.com.ar> <4FC5D745.4080203@globis.net>
Date: Wed, 30 May 2012 16:39:06 +0800
Message-ID: <CAAuHL_D1F2fvRLLLsgH=M2ZTp+AkphsW6Ud3AmSnhnCCOV=tsw@mail.gmail.com>
From: Washam Fan <washam.fan@gmail.com>
To: Ray Hunter <v6ops@globis.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: v6ops@ietf.org, RJ Atkinson <rja.lists@gmail.com>, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2012 08:39:10 -0000

Hi,

There is definitely theoretically false positives. But the possibility
should be very slim if rule 1-3 has been passed. Please note that only
if pass the previous 3 rules, the rule #4 would apply.

Thanks,
washam

2012/5/30 Ray Hunter <v6ops@globis.net>:
> +1 Agree with Fernando. Disagree with Ran. I don't agree that this is a
> blocking factor, and believed the WG had reached rough consensus.
>
> IMHO Initially, I was also concerned about false-positives, but after
> careful consideration I believe that if someone has chosen to implement RA
> Guard then the benefit of day 0 attack protection from false-negatives is
> worth far more than the downside of potentially dropping some false-positive
> link-local-only ICMPv6 packets.
>
> Operational experience has proven a "drop unknown by default" rule to be
> necessary: the reason this ID was written was because previous RA-Guard
> implementations which only filtered on positive identification were being
> bypassed in the wild.
>
> Flipping the default behaviour to "allow unknown by default" as Ran
> suggests, would IMVHO require tightening up the spec for an RA message so
> that they could always be 100% reliably parsed in all instances (including
> end host implementations) for RA Guard to remain useful, but that is outside
> the scope of the ID and would also limit future developments.
>
> If as an end user you don't like this compromise, don't buy a L2 switch that
> implements RA-Guard. Or turn it off globally. Or configure the port to be a
> router port (that allows all messages).
>
> regards,
> RayH
>
> Fernando Gont wrote:
>>
>> Hi, Ran,
>>
>> Thanks so much for your comments!
>>
>> Meta-answer: This document is a BCP on how to implement RA-Guard, *not*
>> a BCP that RA-Guard should be deployed. -- i.e., we're not saying
>> whether you should or should not deploy ra-guard, but rather "if you
>> implement ra-guard, you should do it this way".
>>
>> -- I'm just double-checking that this is the angle from which you've
>> read the document...
>>
>> More comments inline...
>>
>> On 05/29/2012 01:38 PM, RJ Atkinson wrote:
>>>
>>> 1) Layer-2 Processing Rule causes valid IPv6 packets to be dropped
>>>
>>>   MULTIPLE ISSUES:
>>>
>>>   Rule #4 in this document is overly restrictive.  Implementing
>>>   this rule has the effect of changing the IPv6 specifications
>>>   to prohibit otherwise legitimate packets that violate this new
>>>   and somewhat arbitrary rule, which is an unreasonable change.
>>>   In effect, this cure (i.e. Rule 4) is worse operationally than
>>>   the potential disease.
>>
>>
>> To some extent, RA-Guard does firewalling at layer-2. This means that,
>> as with stateless filtering, there's a point at which you need to draw a
>> line that says what you consider acceptable, and what not... and as with
>> layer-3 stateless firewalls, there is (at leasttheoretically speaking) a
>> risk of false positives. If those false positives outweigh the benefits
>> of firewalling in the first place, you simply do not deploy the firewall
>> (or in this case, RA-Guard)
>>
>> (more comments below)
>>
>>
>>>   Further, Layer-2 only devices (e.g. Ethernet bridges/switches) are
>>>   commonly, correctly, and legitimately used to interconnect different
>>>   segments of the same IPv6 subnetwork.  So a Layer-2 device cannot
>>>   know whether a particular RA Advertisement is valid or not -- that
>>>   information is simply not available at Layer-2 in a dependable way.
>>
>>
>> I those scenarios, you either manually configure every layer-2 device in
>> an appropriate way, or you simply do not deploy ra-guard.
>>
>>
>>>   Absent manual configuration that tells the Layer-2 device which ports
>>>   might connect to routers, the Layer-2 device separately cannot know
>>>   which "ports ... are not allowed to send ICMPv6 Router Advertisement
>>>   messages".
>>
>>
>> Exactly. You should manually configure the device with this information,
>> *and* you should manually enable ra-guard.
>>
>>
>>>   Separately, in a network that contains wireless elements, routers
>>>   might connect to different Layer-2 base stations at different times.
>>>   In turn, those different Layer-2 base stations are very likely to
>>>   connect to different Layer-2 ports on different Layer-2
>>> switches/bridges.
>>>   Such Layer-2 switches/bridges generally cannot know that a wireless
>>>   aspect exists in the deployment.  So this is another reason that a
>>>   Layer-2 only device is not the correct place to be trying to filter
>>>   ICMPv6 RA packets.
>>
>>
>> In those scenarios, you'd simply not deploy ra-guard.
>>
>> As noted at the beginning of this e-mail, my take is that you assume
>> that we're encouraging ra-guard deployment for the general case, But
>> this document simply specifies how you should *implement* ra-guard, and
>> doesn't argue in favor (or against) its deployment.
>>
>>
>>>   Removing this rule creates no new security risk as the any actual
>>>   problem packet can be detected and dropped later -- either by an
>>>   IPv6-capable router or an IPv6-capable firewall -- one that is
>>>   located at an IPv6 subnetwork boundary.
>>
>>
>> How would you block malicious RAs originating from the local subnetwork?
>>
>>
>>
>>>   There are existing openly specified, legitimate, IPv6 Destination
>>>   Options that can be somewhat large in size (notably: CALIPSO).
>>
>>
>> My take is that if you setup employs CALIPSO, and it leads to packets
>> with a header chain that spans multiple local MTUs, then you'd simply
>> not deploy RA-Guard.
>>
>> That say, would CALIPSO packets really lead to IPv6 header chains that
>> would span past 1500 bytes, or even past 1280 bytes?
>>
>>
>>>   PROPOSED ACTION:
>>>
>>>   The current Rule #4 should be have its meaning inverted (i.e. If a
>>>   Layer-2 device is unable to identify whether the packet is an ICMPv6
>>>   Router Advertisement, then the packet should be transmitted without
>>>   modification) and text referring to that rule also should be edited
>>>   heavily to outline the issues noted above as the reason for the
>>>   "transmit if in doubt" policy for a Layer-2 device.
>>
>>
>> As noted above, this document just specifies how to implement RA-Guard,
>> When it comes to actual deployment, there are may be trade-offs (as
>> discussed above). But if you do decide to deploy RA-Guard, you probably
>> do not want a "default allow" rule (because attackers would certainly
>> use any of the evasion techniques described in the document)...
>>
>> Please do let me know what you think...
>>
>> Cheers,
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email