Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world

Fernando Gont <fgont@si6networks.com> Thu, 04 September 2014 23:23 UTC

Message-ID: <5408F464.6010705@si6networks.com>
Date: Thu, 04 Sep 2014 20:23:16 -0300
From: Fernando Gont <fgont@si6networks.com>
To: Mark Andrews <marka@isc.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
References: <54074E9B.5030007@si6networks.com> <20140903235529.C08031E5282B@rock.dv.isc.org> <5407B564.7060003@gmail.com> <20140904005937.397471E53E95@rock.dv.isc.org>
In-Reply-To: <20140904005937.397471E53E95@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/VU_EVfnwEoF-bv-gMBfXVRF2ZuI
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world

On 09/03/2014 09:59 PM, Mark Andrews wrote:
>>
>> I think the problem is that isn't painful at all to the people who
>> configure the blocking device. It's only painful to actual users.
> 
> Which in 99% of cases work for the same people that ordered the firewall
> to be installed.  If fragments aren't getting to your device take
> the issue up with your management.  It's almost always a problem
> at the receiving end.

Brian already commented on this issue. That said, for the case we are
describing, your assessment does not really apply: the filtering is
happening in transit rather than at the edge.

E.g., I was able to attack my own connection against www.kernel.org, and
there wasn't any firewall on my access.

Whether firewalls at the edge are predominant when it comes to filtering
of IPv6 packets with EHs between peers (i.e., peer to peer) is something
worth exploring... but for the time being it is rather orthogonal to our
discussion (although it might help to exacerbate the problem when
there's no filtering on the network, but the border firewall does filter
IPv6 packets with EHs).

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492