Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices

Brian Haberman <brian@innovationslab.net> Wed, 17 June 2015 18:22 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 812C21A00DF for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 11:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bKAyXM-iS0cS for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 11:22:38 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DCC01A0075 for <v6ops@ietf.org>; Wed, 17 Jun 2015 11:22:38 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 34F22880ED for <v6ops@ietf.org>; Wed, 17 Jun 2015 11:22:38 -0700 (PDT)
Received: from brians-mbp.jhuapl.edu (swifi-nat.jhuapl.edu [128.244.87.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id E2E101368282 for <v6ops@ietf.org>; Wed, 17 Jun 2015 11:22:37 -0700 (PDT)
Message-ID: <5581BAE9.3060205@innovationslab.net>
Date: Wed, 17 Jun 2015 14:22:33 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: v6ops@ietf.org
References: <20150515105406.GA3028@ernw.de> <87siav2m6p.fsf@stepladder-it.com> <F1D4404E5E6C614EB9D3083F4D15A7E7C4A92C@hex02> <20150517191841.GA26929@ernw.de> <C07DF957-9A2D-4962-ABAA-DE61F5C5D533@cisco.com> <20150617081424.GA15514@ernw.de> <505DC30B-8ED1-4C75-A13B-FAC9D4E5348C@cisco.com> <20150617174315.GA17641@ernw.de> <5581B2DF.8040207@innovationslab.net> <20150617180409.GA17739@ernw.de>
In-Reply-To: <20150617180409.GA17739@ernw.de>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="MSvkctpGcUKLwH6uEwDgERRR3TubaA62m"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/fZVN1eDelD-TQOLU2zp8Z4TDVZ0>
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 18:22:39 -0000

Enno,

On 6/17/15 2:04 PM, Enno Rey wrote:
> On Wed, Jun 17, 2015 at 01:48:15PM -0400, Brian Haberman wrote:
>> 
>>> 
>>> Let's put it slightly different: the intrusion detector is
>>> supposed to detect/block certain application layer attacks. Which
>>> it does as long as those come in/pass by without extension
>> 
>> If the device is trying to inspect application-layer data, it might
>> as well act like the destination and re-assemble the fragments.
>> Yes, this is costly processing, but it mitigates this bypass
>> mechanism.
> 
> in theory yes. Given the majority of end host operating systems
> happily wait up to 60 seconds for "that last [potentially 42th]

Yes, that is a common maximum wait time, but I doubt that it is common.
 Unfortunately, I don't see any peer-reviewed literature right off that
talks about the average wait time to perform fragment re-assembly.

> fragment" of a single datagram coming in, this is probably not an
> option for all those types of security controls (intrusion detectors,
> First Hop Security mechanisms, Infrastructure ACLs) expected to work
> mostly in wire speed. It is hence not an option for a number of
> networks using such techniques which is why they usually drop all
> extension headers except for AH, ESP and (in a few cases) FH. Doing
> so is a reasonable decision from their side and will not exactly
> encourage widespread development of new services using extension
> headers. Which then raises the question: what's the benefit of this
> thing called extension headers which do not provide much use today
> and might - given there's a growing number of networks acting as
> described - not provide much use tomorrow? This thing then seems to
> add an undesirable layer of complexity.

Hmm... The old NFR platform, which I think got purchased by Checkpoint,
performed fragmentation re-assembly prior to doing its analysis.  So, at
least some products close that hole.

Regards,
Brian