Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 04 September 2014 00:41 UTC

Message-ID: <5407B564.7060003@gmail.com>
Date: Thu, 04 Sep 2014 12:42:12 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Mark Andrews <marka@isc.org>
References: <54074E9B.5030007@si6networks.com> <20140903235529.C08031E5282B@rock.dv.isc.org>
In-Reply-To: <20140903235529.C08031E5282B@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/Mctut0rlIMnWff4rcbc376pP00I
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org

On 04/09/2014 11:55, Mark Andrews wrote:
> In message <54074E9B.5030007@si6networks.com>, Fernando Gont writes:
>> Folks,
>>
>> Based on the recent discussions, we're planning to update Section 5.2
>> (which contains all the discussion about the ICMP-based attack vector)
>> of the aforementioned I-D as follows. Please let us know if you have any
>> comments:
>>
>> ---- cut here ----
>> 5.2.  A possible attack vector
>>
>>    The widespread filtering of IPv6 packets
> 
> 	with Extension Headers by enterprise firewalls
> 
>>                                               employing IPv6 Extension
>>    Headers can, in some scenarios, be exploited for malicious purposes:
>>    if packets employing IPv6 EHs are known to be filtered on the path
>>    from one system (say, "A") to another (say, "B"), an attacker could
>>    cause packets sent from A to B to be dropped by sending a forged
>>    ICMPv6 Packet Too Big (PTB) [RFC4443] error message to A (with a
>>    Next-Hop MTU smaller than 1280), such that subsequent packets from A
>>    to B include a fragment header (i.e., they result in atomic fragments
>>    [RFC6946]).
> 
> IPv6 packets with fragmentation headers get through if you don't
> stuff a device that deliberately blocks them in the path.  This is
> self-inflicted pain.

I think the problem is that it isn't painful at all to the people who
configure the blocking device. It's only painful to actual users.

   Brian
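The forged-PTB trigger described in the quoted Section 5.2 text, as an added example that is not part of the draft or of this thread: it builds the ICMPv6 Packet Too Big message with a Next-Hop MTU below 1280, shows the host-side check that flags it (no IPv6 link may have an MTU under 1280, so such a PTB is never a genuine path-MTU report), and constructs the atomic fragment that a host honouring it would emit and a header-filtering middlebox would then drop. The addresses, the UDP stub, the identification value and all function names are assumptions made for the example; nothing touches the network.

```python
# Added example: forged ICMPv6 PTB (MTU < 1280) and the atomic fragment it
# provokes.  Pure byte construction; all sample data below is constructed.
import ipaddress
import struct

IPV6_MIN_MTU = 1280            # RFC 2460 minimum link MTU
NH_UDP = 17
NH_FRAGMENT = 44               # Fragment extension header
NH_ICMPV6 = 58
ICMPV6_PACKET_TOO_BIG = 2      # RFC 4443 type 2, code 0

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header; traffic class and flow label left zero."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def icmpv6_checksum(src, dst, message):
    """One's-complement checksum over the IPv6 pseudo-header (src, dst,
    upper-layer length, zeros, next header 58) plus the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([NH_ICMPV6]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ptb(src, dst, mtu, invoking_packet):
    """ICMPv6 PTB claiming link MTU 'mtu', quoting as much of the invoking
    packet as fits in 1280 bytes (RFC 4443 section 3.2).  The attacker only
    needs a plausible invoking packet, not an on-path position."""
    quoted = invoking_packet[:IPV6_MIN_MTU - 40 - 8]
    message = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + quoted
    csum = icmpv6_checksum(src, dst, message)
    message = message[:2] + struct.pack("!H", csum) + message[4:]
    return ipv6_header(src, dst, NH_ICMPV6, len(message)) + message

def parse_ipv6(packet):
    """Return (src, dst, next_header, payload) of a packet with a plain IPv6 header."""
    ver_tc_fl, payload_len, nh, _hop = struct.unpack("!IHBB", packet[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    return src, dst, nh, packet[40:40 + payload_len]

def check_ptb(packet):
    """Host-side check: None if not an ICMPv6 PTB, else (verdict, mtu).
    A PTB reporting less than 1280 cannot describe any real IPv6 link; all it
    can do is make this host add a Fragment header to every later packet to
    that destination (atomic fragments, RFC 6946), which is the trigger the
    draft's Section 5.2 describes.  It should not change sending behaviour."""
    src, dst, nh, payload = parse_ipv6(packet)
    if nh != NH_ICMPV6 or len(payload) < 8:
        return None
    icmp_type, _code, _csum, mtu = struct.unpack("!BBHI", payload[:8])
    if icmp_type != ICMPV6_PACKET_TOO_BIG:
        return None
    if icmpv6_checksum(src, dst, payload) != 0:   # sum incl. the field folds to 0
        return ("bad-checksum", mtu)
    if mtu < IPV6_MIN_MTU:
        return ("suspicious-below-min-mtu", mtu)
    return ("ok", mtu)

def build_atomic_fragment(src, dst, next_header, payload, ident=0x1234ABCD):
    """What a host that honours a sub-1280 PTB sends next: the datagram still
    fits in one packet, so it carries a Fragment header with offset 0 and
    M=0.  A middlebox dropping anything with a Fragment header drops this."""
    frag = struct.pack("!BBHI", next_header, 0, 0, ident)  # offset 0, M 0
    return ipv6_header(src, dst, NH_FRAGMENT, len(frag) + len(payload)) + frag + payload

def is_atomic_fragment(packet):
    _src, _dst, nh, payload = parse_ipv6(packet)
    if nh != NH_FRAGMENT or len(payload) < 8:
        return False
    _nh, _res, off_res_m, _ident = struct.unpack("!BBHI", payload[:8])
    return (off_res_m >> 3) == 0 and (off_res_m & 1) == 0

# Constructed sample data: A talks to B over UDP; the attacker spoofs a PTB
# from a made-up router address, claiming an impossible MTU of 1000.
A, B, FAKE_ROUTER = "2001:db8::a", "2001:db8::b", "2001:db8:ffff::1"
UDP_STUB = b"\x00\x35\x00\x35\x00\x08\x00\x00"          # 8-byte UDP header stub
ORIGINAL = ipv6_header(A, B, NH_UDP, len(UDP_STUB)) + UDP_STUB

def demo():
    forged = build_ptb(FAKE_ROUTER, A, 1000, ORIGINAL)
    verdict = check_ptb(forged)
    after = build_atomic_fragment(A, B, NH_UDP, UDP_STUB)
    return verdict, is_atomic_fragment(after)
```

Calling demo() returns the verdict for a PTB claiming 1000 bytes together with confirmation that the follow-on packet is an atomic fragment. The test in check_ptb is the host-side mitigation the scenario calls for: a PTB whose MTU is below 1280 should leave the sender's behaviour unchanged rather than make it start adding Fragment headers, which is the direction later standards work took in RFC 8021 by deprecating generation of atomic fragments altogether.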