IETF Logo Mail Archive

Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

sthaug@nethelp.no Wed, 22 April 2015 06:41 UTC

Return-Path: <sthaug@nethelp.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48FAF1B31AF for <v6ops@ietfa.amsl.com>; Tue, 21 Apr 2015 23:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Jlj1YJWPO4P for <v6ops@ietfa.amsl.com>; Tue, 21 Apr 2015 23:41:00 -0700 (PDT)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by ietfa.amsl.com (Postfix) with SMTP id 8C5C21B31CF for <v6ops@ietf.org>; Tue, 21 Apr 2015 23:40:58 -0700 (PDT)
Received: (qmail 82241 invoked from network); 22 Apr 2015 06:40:56 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 22 Apr 2015 06:40:56 -0000
Date: Wed, 22 Apr 2015 08:40:56 +0200
Message-Id: <20150422.084056.74672865.sthaug@nethelp.no>
To: touch@isi.edu
From: sthaug@nethelp.no
In-Reply-To: <55369B2D.80906@isi.edu>
References: <553696EC.4060207@isi.edu> <55369855.1040101@joelhalpern.com> <55369B2D.80906@isi.edu>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/aOrE3mqyLm2biJUU6oH8OHYPNi4>
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, v6ops@ietf.org, merike@doubleshotsecurity.com, fgont@si6networks.com
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 06:41:02 -0000

<flame retardant suit on>

> There needs to be a balance between what's expensive and inconvenient
> vs. neutering a protocol to make it easy to implement.

Here we actually agree on the basic principle - but probably not on
where that balance point is.

> Protecting the control plane can be done by the receiving host
> (destination router).

This is a fundamental disagreement. Protecting the control plane needs
to be done by *all* intermediate routers in today's somewhat hostile
Internet environment. That also includes some traffic not explicitly
addressed to the routers themselves (for instance traceroute to a
destination reached *through* the routers). Only looking at traffic
addressed to the routers themselves is not sufficient.

> Protecting the network as a whole is useful, and may involve some level
> of DPI - or may not. If the traffic is encrypted, then only the
> destination router can protect itself anyway. But dropping the packets
> because of EH use just makes the filtering router an attacker to the E2E
> communication between the routers.

We have some services that are available within our AS, and should not
be available outside the AS. One such example is DNS resolvers (there
are others). We have chosen to block such services at the border - by
having the border routers explicitly blocking UDP/TCP port 53 to the
resolver addresses. This obviously means the border routers must be
able to *find* the UDP/TCP header in that part of the IPv6 packet they
are able to inspect at line rate. This is not "DPI" in any sense of
the word - it is very basic filtering.

And here, I assume, is the next disagreement. If the UDP/TCP headers
cannot be found because IPv6 EHs have pushed them beyond what the
routers can inspect at line rate - the packet will be dropped.

If we can get improved filtering capabilities in our routers as part
of regular equipment upgrade cycles - great, everybody is happy. But
we are not likely to buy significantly more expensive routers *just*
to be able to peek further into the packets (number of customers
needing this are *many* orders of magnitude too low - if they exist
at all).

Steinar Haug, AS 2116

v2.23.0 | Report a Bug | By Email