Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Mark Smith <markzzzsmith@gmail.com> Tue, 26 October 2021 02:03 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FECB3A0F44 for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 19:03:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.646
X-Spam-Level:
X-Spam-Status: No, score=0.646 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ojGR65DaFILg for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 19:03:37 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FDCF3A0F2F for <v6ops@ietf.org>; Mon, 25 Oct 2021 19:03:37 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id 188so18095074iou.12 for <v6ops@ietf.org>; Mon, 25 Oct 2021 19:03:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lGUB8F92rNH6zM3lQuv2t2O2zq/zgE5pZseV6Q1p5uc=; b=hp4rKp9TTx4BaehFaa0GNV5kKkOrOCbHpEMrf22C5fqRvp9C7hTGL3SiCN9eAt+xRJ dZWsnmY9in3D0gVaTDFWENaOiK5SzKlhtwFkNNIHw7HHWAOuhMMdlxaRGihgKMHfLTVc A5dDouXoIYX8yvQ5aJg+otfpRQEn0yAgfYKpLSCp6vardAERpGV8xwWhgE90pmatH7jm J4TkhiYsAB0FEUTa7ULPiIlkvYwwDW+V0ehFtax34sFMv4nIns7OENSrRqecWcAWNet+ El6+ZYO+aHvzxaPTwvGWkviarfbVYkS5uICeBaPboEO9kRr6rty70VAykPg7ZVKGp+2c YX2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lGUB8F92rNH6zM3lQuv2t2O2zq/zgE5pZseV6Q1p5uc=; b=mnJq5S48ws/ljivBZWFWZuaAK2ClH2Vkt48/SHfgygdccI1RHNh0L+4z5IWnm/bo08 Rqx0bzCmEpgCq6oTlsy8lpMGI98rJEVLB3ApNKYxN3EBCJtgusoikjvgKIQZqbukThjc HGpUwjs/HtiTkgvl5G+X2RGWqNU29wnO4FRrzypVCSMc2tV5DzUMUAfgNhUMCxVdlqJy N3nD3RtnTRh3I9EkkNmornGiwksRh2V1eu/lIX+BvWhk+NvGrYXihCaYrDPwk3Yu2F6Q xO4Cq4pViL389hbsvCF419OKTVu34Kh/wRrAEd7VI5RMvEWpy4yDu2dmy1vOUwZUJyYH MUkg==
X-Gm-Message-State: AOAM532uCRpNVY/4JXO9qTG1LdfRZ8W/tSgzMCB0CkB8Hf0leSjCIrJQ 8tnfN/YOb6Uy1VWM9qWB95DUWSRaTTua3F8yRgI=
X-Google-Smtp-Source: ABdhPJx3Vu7A3FXJIBL+82VfYLMfU7cHHspDLuPfkAQFHe7S8toREBMAJtfDYMgouO2w1WS/GFeYJWEhokbfbkJfnCU=
X-Received: by 2002:a5d:9c97:: with SMTP id p23mr13281165iop.194.1635213815058; Mon, 25 Oct 2021 19:03:35 -0700 (PDT)
MIME-Version: 1.0
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com> <YXciHYMNa6KJUohp@Space.Net> <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com> <YXcl2iQMvZe8ggLs@Space.Net> <0C1C8148-3D59-4C2A-A834-5B11854B3E7C@liquidtelecom.com> <CAHw9_iLm_T=F_m+Bie5ey6=PU18D610w6HsXY16f118hzmp5Kw@mail.gmail.com> <1A8239F9-2487-4514-AC32-5B3CAD71675C@liquidtelecom.com> <CAHw9_iLyrjWe+_7xctTrLiGNnJu9sDA_7e6mXuUmX4zu7+_RjQ@mail.gmail.com> <524FB34E-AAED-479E-85A3-422E334FA38A@liquidtelecom.com>
In-Reply-To: <524FB34E-AAED-479E-85A3-422E334FA38A@liquidtelecom.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 26 Oct 2021 13:03:08 +1100
Message-ID: <CAO42Z2xE8eq9m7Mbq-ZQRhtFqxjp4M97PzS85FgmGsWhmxEC_A@mail.gmail.com>
To: Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>
Cc: Warren Kumari <warren@kumari.net>, v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094125c05cf37e218"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/dD20z14s18Ya-c0bT05yWggoUkE>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 02:03:43 -0000

The ULA address space is designed for this.

If a single /48 isn't big enough, generate another one.

However, that doesn't, nor will a new IANA /16 solve the leaks out of a
"controlled domain" problem.

Only the following solve that:

- a default free network (networks' default routes are what makes packets
try to leave by default (leak) if there is no matching local destination).
This won't solve the unauthorised host inside the network problem.

- authenticated packets such that unauthorised or unintended nodes cannot
send or receive them and successful process them i.e. AH at a minimum. That
solves the problem, however then you have the key management issue.

- a local network only protocol such as MPLS, limited to use within the
network, rather than a general purpose host-to-host/end-to-end global
internetworking protocol like IPv6. Not as good as the authenticated packet
option, however as long as hosts don't have this protocol enabled by
default it is better than the default free network option.

For a new IANA prefix to be assured closed, it would have to be null routed
in every router by default at the factory that could conceivably be used in
an SRv6 domain. The safest thing would be for this null route to be present
by default in literally every IPv6 router.

That sort of constraint hasn't worked 100% reliably with IPv6 Link-Local
addressed packets. They're supposed to be trapped on the link if they have
either an LLA source or destination address.

However, they are known to leak off when the DA is a GUA and the SA is a
LLA because router implementations aren't doing SA filtering. That can
happen fairly easily - if a host receives a GUA DNS resolver addresses, but
for some reason doesn't have a GUA SA to use, and has a defaultIPv6  router
(i.e. the RA doesn't have PIOs in it - and I've seen a broken residential
IPv6 CPE do this in the last couple of months) default address selection
says to fall back to using an LLA SA for all DNS queries to the GUA DA.


Regards,
Mark.


On Tue, 26 Oct 2021, 11:40 Andrew Alston, <Andrew.Alston=
40liquidtelecom.com@dmarc.ietf.org> wrote:

> Thanks Warren for the clarifications – I think we’re pretty much aligned,
> just my misreading of certain things – apologies for that.
>
>
>
> The idea of a fixed prefix that is a default fail-closed in the way you
> proposed is certainly a major step in the right direction and I like that
> idea – it would address a LOT of my concerns.  By doing this we could also
> potentially avoid interface-specific filters and dependent on
> implementation not send up blowing up the tcams.
>
>
>
> I think – the other thing we could consider is saying that we get
> potentially a /16 worth of space for this – and strongly suggest that to
> make up the first 48 bits we then append the asn in the next 32 bits – if
> you did this – you open the door to inter-domain controlled srv6 between
> operators – but without the risk of duplicate addressing etc.
>
>
>
> So yeah – this is certainly worth considering
>
>
>
> Andrew
>
>
>
>
>
> *From: *Warren Kumari <warren@kumari.net>
> *Date: *Tuesday, 26 October 2021 at 02:12
> *To: *Andrew Alston <Andrew.Alston@liquidtelecom.com>
> *Cc: *Gert Doering <gert@space.net>et>, Brian E Carpenter <
> brian.e.carpenter@gmail.com>gt;, "v6ops@ietf.org" <v6ops@ietf.org>
> *Subject: *Re: [v6ops] Security issues in RFC8754 and related/subsequent
> drafts?
>
>
>
>
>
>
>
> On Mon, Oct 25, 2021 at 6:51 PM Andrew Alston <
> Andrew.Alston@liquidtelecom.com> wrote:
>
> I'm assuming that in this scenario your "Rogue host A" is one that has
> intentionally added to the SRH domain (either by allowing your new
> ether-type, or manually removing the "limited domain prefix filter")? If
> so, then yes, bad things happen. This seems largely the same as "I decided
> to add "Rogue host A" to my MPLS domain so it could MPLS", or I added
> "Rogue host A" to my IGP, because reasons...
>
> Making a host able to influence routing, whether it is part of
> something like MPLS, SR<something>, or in your IGP makes that host able to
> do bad things...
>
>
>
> See that’s the thing Warren – with MPLS – it’s a default fail-closed
>
> Nod. It sounds like you think I'm disagreeing with you, which confuses me
> some -- I think that we are both looking for a failed closed system.
>
> – with a prefix list that has to be applied to every interface – well –
> things get missed.
>
> Yes. Hence my "by default it would be applied".
>
>
>
> In the same way I manually add an interface to MPLS:
>
> protocol {
>
>    mpls {
>        interface et-0/0/0.0;
>    }
>
> }
>
>
>
> I would manually add the interface to allow SRH:
>
> protocol {
>
>    srh {
>
>    interface et-0/0/0;
>
>    }
>
> }
>
> (or perhaps something like "set interface et-0/0/0.0 family srh allow'",
> or whatever).
>
>
>
> The solution would default to fail-closed -- there is a default "deny
> $srh_prefix" on the interface and I manually permit it by telling the
> device that the interface participates in SRH (or whatever other limited
> domain protocols are defined to use space). The above example has some
> syntactic sugar, but the actual implementation is simply that the device
> allows packets from $limited_domain_prefix when you set this...
>
>
>
>
>
>   And these prefix lists would have be applied to every L3 interface – and
> again – I fear you’re going to have tcam problems if you try and apply an
> LPM filter to every interface on a massive device with thousands of
> interfaces.  You can’t apply filters in the way you would for CoPP – these
> become specific prefix filters.
>
>
>
> I don't think that it is a specific prefix filter (or I'm misunderstanding
> you) -- if you add the interface to the SRH limited domain, the filter
> blocking the (well-known) prefix is removed. It's a single, well known
> prefix.
>
>
>
>
>
> I’m just convinced that’s either practical or it’s going to really work,.
>
>
>
> I think that my proposal is largely the same as a different ether-type -
> it is implemented as a default block ACL, which is removed when you add the
> interface to the domain (instead of allowing a different ether-type).
> Depending on implementation it may burn a single TCAM slot per interface,
> but implementing it should be simple....
>
> Also – if you look at the scenario I sketched – that rogue doesn’t doesn’t
> just affect you – because if it changes the source of the inner packet and
> causes it to broadcast – the replies are going to affect things on a far
> wider basis – your routers just became amplifiers for an attack aimed
> externally.
>
>
>
> Yes, we are in full agreement.
>
>
>
> You are right – the ether-type may have sailed – but as I said – so far –
> my tests indicate that a single host would allow you to launch far more
> damaging attacks in this scenario than it would if it couldn’t inject weird
> packets
>
>
>
> Again, I fully agree.... which is why we don't want unexpected hosts to be
> able to do this :-)
>
>
>
> W
>
>
>
>
>
> Andrew
>
>
>
>
>
>
>
> Now - the inner packet is a v4 packet - it has a source set to random host
> attacker doesn’t like - and its destination is 255.255.255.255 - which
> thanks to rfc919 will not forward - when that deencap happens - does the
> packet get dropped because it can't be forwarded - or does it get treated
> as a local broadcast. This is a rather undefined scenario - if however it
> DOES get treated as a local broadcast - well - then we have a really big
> problem - that’s called smurf-v2 (and even if 255.255.255.255 doesn’t
> work - more specific broadcasts that are attached may well work). At this
> point - when the broadcast packet hits the hosts behind those broadcasts -
> they will reply to the spoofed source - this will follow stock standard
> routing outbound - and the protections we would normally use aren’t gonna
> work (the source of replies to the broadcast packets would be the hosts -
> they are permitted to send packets to the internet)
>
>
> Another scenario - sending to multicast addresses post de-encap - do we
> have a potential attack vector to poison ND?  Again - haven't had the time
> to test this.
>
> Same thing applies to a whole long list of other things - effectively - if
> you get one compromised host on the network that can inject a packet that
> will de-encap and act on the inner packet - with absolutely zero mechanisms
> for verification of what is in that inner packet or how to handle it - the
> list of possible problems is - extensive to say the last.  All I am saying
> is - we need to really step back and think - and I think this needs a
> veryyyyy close look - because in initial tests  I have done - and without
> the above additional tests - I can tell you my results are looking
> positively scary (and once I complete the full set I'll publish some
> scenarios and results with more detail)
>
> Andrew
>
>
> On 26/10/2021, 00:48, "v6ops on behalf of Gert Doering" <
> v6ops-bounces@ietf.org on behalf of gert@space.net> wrote:
>
>     Hi,
>
>     On Tue, Oct 26, 2021 at 10:44:32AM +1300, Brian E Carpenter wrote:
>     > On 26-Oct-21 10:31, Gert Doering wrote:
>     > > On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
>     > >> I somewhat like the idea of having a well known prefix for
> "limited
>     > >> domains"
>     >
>     > fc00::/7 works well. RFC8994 is a worked example.
>
>     So how would that work for an ISP network trying to run SR6, protecting
>     its network from rogue hosts inside?  Without having GUAs on the SR6
>     routers that would happily decapsulate incoming SR6 packets, and
>     without violating lots of rules about "do not leak ULAs outside
>     your network" (traceroute and other ICMP errors)?
>
>     I lack imagination today...
>
>     Gert Doering
>             -- NetMaster
>     --
>     have you enabled IPv6 on something today...?
>
>     SpaceNet AG                      Vorstand: Sebastian v. Bomhard,
> Michael Emmer
>     Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A.
> Grundner-Culemann
>     D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
>     Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
>
>
>
> --
>
> The computing scientist’s main challenge is not to get confused by the
> complexities of his own making.
>   -- E. W. Dijkstra
>
>
>
>
> --
>
> The computing scientist’s main challenge is not to get confused by the
> complexities of his own making.
>   -- E. W. Dijkstra
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>