Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

[RJ Atkinson <rja.lists@gmail.com>]

On 29  May 2012, at 10:39 , The IESG wrote:
> The IESG has received a request from the IPv6 Operations WG (v6ops) to
> consider the following document:
> - 'Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)'
>  <draft-ietf-v6ops-ra-guard-implementation-04.txt> as Best Current
> Practice

While I generally support publication of this document, there is 
a blocking issue that ought to be resolved prior to publication.


1) Layer-2 Processing Rule causes valid IPv6 packets to be dropped

  MULTIPLE ISSUES:

  Rule #4 in this document is overly restrictive.  Implementing
  this rule has the effect of changing the IPv6 specifications
  to prohibit otherwise legitimate packets that violate this new
  and somewhat arbitrary rule, which is an unreasonable change.  
  In effect, this cure (i.e. Rule 4) is worse operationally than 
  the potential disease.

  This rule can cause entirely legitimate IPv6 packets to be dropped,
  neither because they are invalid, nor because those packets 
  violate IPv6 specifications, nor because their header chain is
  too long (from a specification & legitimacy perspective),
  nor because they are security risks.  Instead, such packets are
  dropped because a Layer-2 device lacks sufficient information
  to perform a Layer-3 function (i.e. packet parsing/inspection).

  Further, Layer-2 only devices (e.g. Ethernet bridges/switches) are 
  commonly, correctly, and legitimately used to interconnect different 
  segments of the same IPv6 subnetwork.  So a Layer-2 device cannot 
  know whether a particular RA Advertisement is valid or not -- that 
  information is simply not available at Layer-2 in a dependable way.
  Absent manual configuration that tells the Layer-2 device which ports
  might connect to routers, the Layer-2 device separately cannot know
  which "ports ... are not allowed to send ICMPv6 Router Advertisement
  messages".  

  Separately, in a network that contains wireless elements, routers
  might connect to different Layer-2 base stations at different times.
  In turn, those different Layer-2 base stations are very likely to 
  connect to different Layer-2 ports on different Layer-2 switches/bridges.
  Such Layer-2 switches/bridges generally cannot know that a wireless
  aspect exists in the deployment.  So this is another reason that a
  Layer-2 only device is not the correct place to be trying to filter
  ICMPv6 RA packets.

  Removing this rule creates no new security risk as the any actual
  problem packet can be detected and dropped later -- either by an 
  IPv6-capable router or an IPv6-capable firewall -- one that is 
  located at an IPv6 subnetwork boundary.

  There are existing openly specified, legitimate, IPv6 Destination
  Options that can be somewhat large in size (notably: CALIPSO).
  While such packets are not common, they are entirely legitimate
  and valid.  A BCP from an operationally focused WG ought not
  be recommending that valid IPv6 packets be dropped, as this will
  impede deployment of IPv6.


  PROPOSED ACTION:

  The current Rule #4 should be have its meaning inverted (i.e. If a
  Layer-2 device is unable to identify whether the packet is an ICMPv6
  Router Advertisement, then the packet should be transmitted without
  modification) and text referring to that rule also should be edited 
  heavily to outline the issues noted above as the reason for the
  "transmit if in doubt" policy for a Layer-2 device.


OBSERVATION:
  The only fully secure networks are those that move no packets at all.
  So our goal ought not be a "fully secure" network.  Instead, the goal
  should be taking reasonable, practical steps to reduce operational
  risks to an acceptable level -- while allowing all valid IPv6 packets
  to use the network.


Yours,

Ran