Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world

Fernando Gont <fgont@si6networks.com> Thu, 04 September 2014 23:17 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA751A0298 for <v6ops@ietfa.amsl.com>; Thu, 4 Sep 2014 16:17:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pzdmpdwjuOaO for <v6ops@ietfa.amsl.com>; Thu, 4 Sep 2014 16:17:06 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B58C1A02A0 for <v6ops@ietf.org>; Thu, 4 Sep 2014 16:16:57 -0700 (PDT)
Received: from [2001:5c0:1000:a::1201] by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1XPgGg-0004ua-JI; Fri, 05 Sep 2014 01:16:44 +0200
Message-ID: <5408F090.7030503@si6networks.com>
Date: Thu, 04 Sep 2014 20:06:56 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
References: <54074E9B.5030007@si6networks.com> <20140903235529.C08031E5282B@rock.dv.isc.org>
In-Reply-To: <20140903235529.C08031E5282B@rock.dv.isc.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/aYu71u5UrUqBz0AhPRIZRV1U6Xw
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, IPv6 Operations <v6ops@ietf.org>
Subject: Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 23:17:09 -0000

Hi, Mark,

On 09/03/2014 08:55 PM, Mark Andrews wrote:
>>
>> Based on the recent discussions, we're planning to update Section 5.2
>> (which contains all the discussion about the ICMP-based attack vector)
>> of the aforementioned I-D as follows. Please let us know if you have any
>> comments:
>>
>> ---- cut here ----
>> 5.2.  A possible attack vector
>>
>>    The widespread filtering of IPv6 packets
> 
> 	with Extension Headers by enterprise firewalls

EH filtering is simply widespread... not just by enterprise firewalls.
For instance, please check the measurement results we have included in
our I-D.



> 
>>                                               employing IPv6 Extension
>>    Headers can, in some scenarios, be exploited for malicious purposes:
>>    if packets employing IPv6 EHs are known to be filtered on the path
>>    from one system (say, "A") to another (say, "B"), an attacker could
>>    cause packets sent from A to B to be dropped by sending a forged
>>    ICMPv6 Packet Too Big (PTB) [RFC4443] error message to A (with a
>>    Next-Hop MTU smaller than 1280), such that subsequent packets from A
>>    to B include a fragment header (i.e., they result in atomic fragments
>>    [RFC6946]).
> 
> IPv6 packets with fragmentation headers get through if you don't
> stuff a device with deliberately blocks them in the path.  This is
> self inflicted pain.

Again, not necessarily "self inflicted". Please check the percentage of
packet drops by ASes other than the destination AS (in our I-D).


Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492