Re: Comments on draft-nakibly-v6ops-tunnel-loops
Gabi Nakibly <gnakibly@yahoo.com> Tue, 24 August 2010 20:19 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 04B713A6A0A for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 24 Aug 2010 13:19:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.895
X-Spam-Level:
X-Spam-Status: No, score=-0.895 tagged_above=-999 required=5 tests=[AWL=1.104, BAYES_00=-2.599, J_CHICKENPOX_46=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8xlBZOnNMzn6 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 24 Aug 2010 13:19:09 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BF1903A694C for <v6ops-archive@lists.ietf.org>; Tue, 24 Aug 2010 13:19:06 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Onzs6-0006hr-Jk for v6ops-data0@psg.com; Tue, 24 Aug 2010 20:13:26 +0000
Received: from n62.bullet.mail.sp1.yahoo.com ([98.136.44.35]) by psg.com with smtp (Exim 4.72 (FreeBSD)) (envelope-from <gnakibly@yahoo.com>) id 1Onzrv-0006O9-Fd for v6ops@ops.ietf.org; Tue, 24 Aug 2010 20:13:17 +0000
Received: from [216.252.122.217] by n62.bullet.mail.sp1.yahoo.com with NNFMP; 24 Aug 2010 20:13:14 -0000
Received: from [98.136.44.161] by t2.bullet.sp1.yahoo.com with NNFMP; 24 Aug 2010 20:13:14 -0000
Received: from [127.0.0.1] by omp602.mail.sp1.yahoo.com with NNFMP; 24 Aug 2010 20:13:14 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 881661.54022.bm@omp602.mail.sp1.yahoo.com
Received: (qmail 69427 invoked by uid 60001); 24 Aug 2010 20:13:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1282680793; bh=cSmNTUKpIwKcQaNQtp+WTEUWC0fQxsbUNwLSFMAt5t4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=imQ6k4TdZ5hKojRBJ2YRLeQb7oiGX9k7GzkxhrulYj0EPU4EqQYUGbFDc3Oor4V4QNid9qQagMp2CguvfQ3lR+lis5emsMnnH5me/Z7xR2CWPXW/cVbmsy0sEkxQQ8Xtm/25QPpFXS5C8z3oPSTQOwt6Qy7QSrs3oj9kImhw2u8=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Pc5sofFi9Tf17HT2Z08nr8hkp81zID2/Vk/QqgZbU6NOoIxzNTWEKjJHdsA1u4Q2KhSmz5mJVW9XICVByRRYrN+Z/Q6tZEuAXDhgWBUfTDKxzNhO6UJD6kOTH3AlogcP/jCPqhULfopMZ1T18gdPsU3E86qYgOFQERrs3VYOJts=;
Message-ID: <586778.68736.qm@web45501.mail.sp1.yahoo.com>
X-YMail-OSG: 4dHA9bIVM1muZSdsOekfhcWzVJqjU_vIFa7E5Y.cVy.EFmo iGuZ.hVkCu6mDPbjSdxJpBoSWjkbo59.a86Zd4WxADDxj1YbxLzrWWBRAWYX _AuHRWwqS6.QBHA7QlHtXN4QCn1cBrrZfPDSAEmvLuJMruNQHBwyI4IMVg0s 5lGk2OqUCwJJ5GhOplSrHb0SO3NvxW.LPn7ZZohjIu47PxjhLu6prfn.4CQK 23hFScd1f.qm6WqqSs42pQF3v598AGbKlcEphEcS4IkfgK7FkH3tzV92dbYe buW4IKy.UBAYr0IAet3jp1nY-
Received: from [85.64.216.89] by web45501.mail.sp1.yahoo.com via HTTP; Tue, 24 Aug 2010 13:13:13 PDT
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
References: <4C71E8DC.7020005@gont.com.ar>
Date: Tue, 24 Aug 2010 13:13:13 -0700
From: Gabi Nakibly <gnakibly@yahoo.com>
Subject: Re: Comments on draft-nakibly-v6ops-tunnel-loops
To: Fernando Gont <fernando@gont.com.ar>, "v6ops@ops.ietf.org" <v6ops@ops.ietf.org>
Cc: fltemplin@acm.org
In-Reply-To: <4C71E8DC.7020005@gont.com.ar>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
Hi Fernando, Thanks for your valuable input. Please see our response inline. Fred & Gabi ----- Original Message ---- > From: Fernando Gont <fernando@gont.com.ar> > To: "v6ops@ops.ietf.org" <v6ops@ops.ietf.org> > Cc: fltemplin@acm.org; gnakibly@yahoo.com > Sent: Mon, August 23, 2010 6:19:56 AM > Subject: Comments on draft-nakibly-v6ops-tunnel-loops > > Hi Gabi & Fred, > > Some comments/questions on/about the aforementioned I-D: > > **** 1) Page 3. The I-D states: > > " Ref. [USENIX09] pointed out the existence of a > vulnerability in the design of IPv6 automatic tunnels." > > I've read the aforementioned reference ([USENIX09]), and while it is an > interesting read, it seems misleading in some aspects. First of all, I'd > argue that the vulnerabilities that it discusses may be real, they do > not really have to do with "vulnerabilities in the design of IPv6 > automatic tunnels". I'd argue that they have to do either with poor > operations practices, or with dumb implementation practices (although > possibly still IETF-spec-compliant). > > Please let me exemplify (these a)-e) comments are really about the > Nakibly & Arov paper, but clearly related to this I-D) : > > a) "Attack #1: 6to4 Relay to ISATAP Router" discussed in [USENIX09] > implies that an ISATAP router will receive an encapsulated IPv6 packet > on its *external* interface, destined to an IPv6 address that does not > belong to that site, but nevertheless forward it on the native IPv6 network. > > The rule here should be simple: tunneled packets should only be received > on the internal interface. Furthermore, ingress filtering should prevent > processing a packet with an *internal* src addr that was received on an > *external* interface. > We agree with your observation. However, please note that the ISATAP router will not always receive the attack packet (packet #0) on its external interface. The packet may enter the inside network through a border router which is not the ISATAP router. Let's take for example a network with two border routers. The first border router is an ISATAP router that borders with a native IPv6 network and a second border router that borders with an IPv4 network. The attack packet may enter the network through the second router and the ISATAP router may receive it on its *internal* interface. The rule you propose can not mitigate the attack in this case. > > b) "Attack #2: ISATAP Router to 6to4 Relay" > > This one implies that the ISATAP router will send a tunneled packet on > its *external* interface. Being ISATAP an *Intra-site* tunneling > protocol, this clearly shouldn't happen (but Fred Templin is certainly > in a much better position than me to correct me if I'm wrong). > > Both in this case and in Attack #1 above, there should never be a case > in which a packet is received on the external physical interface, and > forwarded back on that external physical interface. > Similarly to the case we described above, the packet will indeed be forwarded by the ISATAP router over its internal interface, but the packet will find its way out through the second border router and loop will continue. > > c) Attack #3: ISATAP Router to ISATAP Router > > Same as above. > Same as above. > > d) "Attack #4: Teredo Client to NAT" > > This not only implies that a Teredo client will accept packets on its > Teredo interface, but also that it will forward them. Both behaviors > seem to be ill-advised (despite the fact that Windows allegedly > implements them). > > The countermeasure here is straightforward: drop packets received on the > Teredo interface that are not received to your nodes. Never forward > packets on the Teredo interface that have not originated in your own node. > > e) "E. Attack #5: Teredo Server" > > This one is probably trickier. Although one should probably argue that > packets received on a physical interface for a unicast address, with a > src addr that belongs to the host should be dropped. (such packets would > typically be forwarded internally). > > Regarding the last two Teredo attacks, please note that the draft does NOT address them. The nature of these two attacks are different from the previous ones, hence to make the draft more coherent and simple it only addresses protocol-41 tunnel-based loops. As to the countermeasure you proposed for attack #4, I think that it may not be suitable for Teredo clients that do need to forward packets. For example, a router that serves as a gateway to an internal IPv6 network while the router's external IPv6 connectivity is achieved via Teredo. However, we do agree that a simple countermeasure similar to the one you proposed can be devised. But, again, this is not related to the draft. If the list feels that these attacks should be addressed, suitable updates to Teredo can be proposed. If yes, I welcome any comments. > **** 2) Section 1: > "This assumption poses a > security vulnerability since it may result in an inconsistency > between a tunnel's overlay IPv6 routing state and the native IPv6 > routing state there by allowing a routing loop to be formed." > > I'm not sure this terminology is clear. i.e., overlay IPv6 routing state > vs. native IPv6 routing state. > The text will be revised to make this clearer. > > **** 3) Section 1 (nit): > "The loop terminates only when > the Hop Limit field in the IPv6 header of the packet is zeroed out." > > s/zeroed out/is decremented to zero/ (sounds better to me) > Yes, this change will be made. > > **** 4) Section 1 (nit): > "SP network" > > s/SP/Service Provider (SP)/ > We will change this. > > **** 5) Section 2, first para: > " In this section we shall denote an IPv6 address of a node reached via > a given tunnel by the prefix of the tunnel and the IPv4 address of > the node, i.e., Addr(Prefix, IPv4)." > > This seems misleading. the IPv4 address (IPv4) corresponds to the tunnel > end-point, and not to the node that is reachable by the given tunnel. > Good point, but to be more precise the IPv4 address corresponds to an (IPv4) interface associated with the tunnel endpoint. The tunnel endpoint may associate multiple such interfaces with the tunnel endpoint, however, so the proposed resolution is to change "the IPv4 address" to "an IPv4 address". We will change this to make it clearer. > > **** 6) Section 2, page 4 (nit): > > ".... they are either both public or both private and belong to the > same internal network." > > It might make snse to insert a comma between "public" and "or". > Yes, this change will be made. > > **** 7) Section 2 (nit): > " The source address of the packet is a T1 > address with Prf1 as the prefix and IP2 as the embedded IPv4 address, > i.e., Addr(Prf1, IP2)." > > While I do understand what you're talking about, this is the first time > you mention that of "embedded address". Therefore, that of "embedded > addresses" should be clarified/explained. > OK. By way of clarification, the third sentence of Section 1 will be changed to the following: "Automatic tunnels form a category of tunnels in which a packet's egress node's IPv4 address is embedded within the destination IPv6 address of the packet." > > **** 8) Section 2, Figure 1: > > It would be of much help to have a network diagram. I read this document > before reading [USENIX09], and needed to draw a network diagram myself > to better understand the issues you're discussing. Providing such a > diagram in the I-D would be a plus. (native IPv6 network, IPv4 network > over which packets are tunneled, etc.) > OK. The next version will provide a network diagram. > > **** 9) Section 3.1 (meta-comment): > > See the "counter-measures" I suggested when discussing each of the > attack vectors above. They seem to be simpler than the ones you're > proposing here.... > Yes, but only if it can be operationally assured that the case we described above is avoided. We will add these countermeasures in the draft with this reservation. > > **** 10) Sections 3.1/3.1.1 > > It's not clear to me if the advice in Section 3.1 is supposed to be > different from that in Section 3.1.1. Is Section 3.1.1. simply being > more detailed than Section 3.1? > The final two paragraphs of Section 3.1 describe a sub-case that must be addressed in more detail and provide a lead-in to Section 3.1.1 which provides the details. Hence, we would prefer to retain the existing text and section organization. > > **** 11) Section 3.2.1 > > This section talks about the "Neighbor Cache Check". Does such a thing > necessarily exist for, e.g., ISATAP? > > I guess that in the case of Teredo, you're really talking about the > "List of recent Teredo peers"? > As mentioned above, Teredo is not addressed by the draft. > > Thanks! Thank you. > > Kind regards, > -- > Fernando Gont > e-mail: fernando@gont.com.ar || fgont@acm.org > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > > > >
- Comments on draft-nakibly-v6ops-tunnel-loops Fernando Gont
- Re: Comments on draft-nakibly-v6ops-tunnel-loops Gabi Nakibly
- Re: Comments on draft-nakibly-v6ops-tunnel-loops Fernando Gont
- Re: Comments on draft-nakibly-v6ops-tunnel-loops Gabi Nakibly
- Re: Comments on draft-nakibly-v6ops-tunnel-loops Fernando Gont
- RE: Comments on draft-nakibly-v6ops-tunnel-loops Templin, Fred L
- Re: Comments on draft-nakibly-v6ops-tunnel-loops Fernando Gont