IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

"Joel M. Halpern" <jmh@joelhalpern.com> Thu, 31 May 2012 15:34 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF10511E808C for <v6ops@ietfa.amsl.com>; Thu, 31 May 2012 08:34:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.998
X-Spam-Level:
X-Spam-Status: No, score=-101.998 tagged_above=-999 required=5 tests=[AWL=-0.333, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_13=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vM3uzBiTQ5gA for <v6ops@ietfa.amsl.com>; Thu, 31 May 2012 08:34:00 -0700 (PDT)
Received: from morbo.mail.tigertech.net (morbo.mail.tigertech.net [67.131.251.54]) by ietfa.amsl.com (Postfix) with ESMTP id 610AB21F879F for <v6ops@ietf.org>; Thu, 31 May 2012 08:34:00 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) by morbo.tigertech.net (Postfix) with ESMTP id CF13155803C for <v6ops@ietf.org>; Thu, 31 May 2012 08:33:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 464291C08BB; Thu, 31 May 2012 08:33:59 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [10.10.10.110] (pool-71-161-51-209.clppva.btas.verizon.net [71.161.51.209]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id D6EE41C0878; Thu, 31 May 2012 08:33:57 -0700 (PDT)
Message-ID: <4FC78F51.7070602@joelhalpern.com>
Date: Thu, 31 May 2012 11:33:37 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
References: <1F73F9FE-9BA5-4506-A5FB-AE09C1C18626@gmail.com> <4FC78DD7.3080901@globis.net>
In-Reply-To: <4FC78DD7.3080901@globis.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Fernando Gont <fgont@si6networks.com>, v6ops@ietf.org, RJ Atkinson <rja.lists@gmail.com>
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2012 15:34:01 -0000

Fortunately, this is a very different problem from detecting an 
exertnal->internal message with a collaborating internal partner.

For an RA to be an attack vector, it has to be parsed by the large 
majority of hosts.  Thus, it follows that we do actually know what 
encodings can be used.

Yours,
Joel

On 5/31/2012 11:27 AM, Ray Hunter wrote:
> May I humbly suggest that fragmentation headers are merely one (recently
> discovered) way of bypassing a parser (in RA Guard) that relies on
> positive identification of (RA) messages. Who says that there aren't
> others?
>
> I think you'll find it impossible to write a parsing rule today that
> guarantees catching 100% of all RA messages without any false negatives.
>> From an operational standpoint, I think false negatives in this
> particular case are far worse than false positives.
>
> IMHO Until the RA message or other control messages themselves are 100%
> guaranteed parse-able by all entities on the network in exactly the same
> way to avoid false negatives (including all RA Guard implementations,
> and all end nodes deployed in the field) we'll need a default discard
> rule. Otherwise there's always going to be someone looking for a way to
> confuse the (RA Guard) parser into giving up on its parsing and permit
> forwarding of a malformed or unusual (RA) message to some unsuspecting
> end node implementation that interprets the packet in a different way
> and which then accepts and installs the (evil) default route or other
> option, thus rendering RA Guard or other on-the-wire filter useless.
>
> I suspect, going down this path might require quite a culture change in
> 6man, removing a lot of flexibility for the future in the interests of
> allowing effective on-the-wire filtering today.
>
> It also probably wouldn't be in the spirit of the principle founded in
> RFC760 "In general, an implementation should be conservative in its
> sending behavior, and liberal in its receiving behavior. That is, it
> should be careful to send well-formed datagrams, but should accept any
> datagram that it can interpret (e.g., not object to technical errors
> where the meaning is still clear)."
>
> regards,
> RayH
>
> RJ Atkinson wrote:
>> Fernando wrote:
>>> It's not a protocol change,
>>
>> Nonsense.
>>
>>> but an operational mitigation. -- for instance, there is no change
>>> in the way the sending router or the receiving hosts process RAs.
>>
>>
>> Rule 4 mandates changes to whether certain IPv6 packets get forwarded,
>> which is a major change to the IPv6 protocol specifications.
> No. It merely continues the well established practice of on-the-wire
> filtering.
>>
>> Rule 4 is both a protocol change and (misguided) operational mitigation.
>> Rule 4 is mandatory according to this document and will cause certain
>> perfectly valid IPv6 packets to be dropped instead of forwarded. The
>> rule damages IPv6 and impairs utility of IPv6 in the real world.
> Please identify the affected false-positive packets so further
> mitigation can be added.
>>
>> The comprehensive fix is to update the hosts as Joel Halpern and Ron
>> Bonica
>> outlined earlier today. I don't think that change would be controversial,
>> so likely it could proceed quickly through 6MAN. In the meantime,
>> Rule 4 could be edited and cleaned up such that no valid IPv6
>> packets get dropped by an RA Guard.
> Not comprehensive at all. It does fix the current problem. However, the
> real problem is the natural conflict between the need for flexible
> end-node implementations versus tight inflexible security filters.
>
> Please suggest the rule clean up. I don't believe it's possible. This is
> fundamentally because of the way IPv6 is specified (without a fixed
> structure, with flexible header chains, and with loose interpretation of
> received packets).
>> Yours,
>>
>> Ran
>>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email