Re: [v6ops] Extension Headers / Impact on Security Devices

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Sat, 16 May 2015 01:22 UTC

Date: Sat, 16 May 2015 01:22:26 +0000
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: Enno Rey <erey@ernw.de>, "v6ops@ietf.org" <v6ops@ietf.org>
Message-ID: <878002773.794.1431739346723.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <20150515113728.GH3028@ernw.de>
References: <20150515113728.GH3028@ernw.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/g1B9ANSahtSjQSpm7-hLGRetkMI>

So quickly, how have IPv4 options been handled? They too can vary the location of the TCP/UDP etc. headers in an IPv4 packet. How have the variety and variable number of TCP options been handled? They too can vary the location of the TCP segment payload.
IOW, I don't think this is a new problem exclusive to IPv6, so I think the IPv4 methods used to overcome packet header location variations should be reviewed/considered for applicability to IPv6.
How are you going to handle encryption of payloads and techniques such as multipath TCP when trying to do host and application security in the network rather than on the hosts?
From: Enno Rey <erey@ernw.de>
To: v6ops@ietf.org
Sent: Friday, 15 May 2015, 21:37
Subject: [v6ops] Extension Headers / Impact on Security Devices

All,

yesterday's IPv6 WG session at the RIPE meeting saw another debate on extension headers.
Please allow us to submit our contribution to v6ops as well. Let me know if you think that the 6man mailing list would be the more appropriate place.

Here's some material/sources we'd like to bring up:

- this is a paper laying out how we could circumvent some major (both commercial and FOSS) IDPS solutions, in their latest versions at the time of testing, by various combinations of extension headers and fragmentation:
https://www.ernw.de/download/eu-14-Atlasis-Rey-Schaefer-briefings-Evasion-of-HighEnd-IPS-Devices-wp.pdf.

- here's some thoughts and preliminary results of tests performed to circumvent stateless ACLs:
http://www.insinuator.net/2015/01/evasion-of-cisco-acls-by-abusing-ipv6-discussion-of-mitigation-techniques/.
http://www.insinuator.net/2015/01/the-persistent-problem-of-state-in-ipv6-security/.

We have a (somewhat) ongoing research project looking more closely on the interaction of ACLs and extension headers. For the moment I can only state that it's not just Cisco who are "affected". More results will be available in some months.

As for the topic itself I'd like to summarize our position as follows:
- it has not happened in the past 17 years (since publication of RFC2460) that compelling, Internet-scale use cases of extension headers have been brought up.
- we're hence quite sceptical as for the "we might see cool use cases in 15-20 years" position someone expressed at the mic.
- from a security perspective they turn out to be a nightmare for (a number of) current security architectures and controls. It is hence understandable (and we actually advise to do so) that they are blocked at the _border_ of networks that have not yet managed to identify a compelling use case.
- looking at the "liberty" RFC2460 provides as for ext_hdrs (with respect to their number, order, options, fragmentable vs. unfragmentable part etc.) we do not expect that type of security issue to disappear soon (the main reason why we did not continue the IDPS research was that the involved student eventually delivered his thesis. One can probably find many more issues provided time & resources. Following LANGSEC it might be impossible to "fix" all of them either).
Adding more parsing cycles & intelligence (read: silicon) is not an option, at least not for something that doesn't have a use case.
- the results of this (blocking) approach have been observed and documented by Jen & Fernando and others (Tim Chown).
- now that "this vicious circle" has gained sufficient ground it will be even less incentivized to develop a compelling use case, which is why we do not expect to see one in the future.

===

Everybody have a great weekend

Best

Enno

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================

----- End forwarded message -----

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
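The point both messages circle around is that a stateless device has to locate the transport header before it can match a port-based ACL, and that IPv4 options, TCP options and IPv6 extension headers all move that header around. The following is an added example written for this page, not code from either poster or from the ERNW papers: a minimal locator that handles IPv4 (via IHL), TCP (via Data Offset) and the IPv6 extension header chain, and reports "unknown" for exactly the packets the thread is about: non-first fragments, a chain that runs past the end of the packet, ESP, or an over-long chain. A filter that returns "unknown" can then fail closed instead of silently matching the wrong bytes. The packet builders and the sample packets are constructed here for illustration; no real traffic is involved.

```python
import struct

# IANA protocol numbers used below.
IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 6, 43, 44
IPPROTO_ESP, IPPROTO_AH, IPPROTO_NONE, IPPROTO_DSTOPTS = 50, 51, 59, 60
# Extension headers laid out as Next Header, Hdr Ext Len (8-octet units), data.
SKIPPABLE_EH = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}


def ipv4_transport_offset(pkt):
    """IPv4: options stretch the header; IHL says where the transport header is.
    Returns (protocol, offset) or None when no transport header is visible."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None  # non-first fragment: transport header is in another packet
    return pkt[9], ihl


def ipv6_transport_offset(pkt, max_eh=8):
    """IPv6: walk the extension header chain from the fixed 40-byte header.
    Returns (protocol, offset) when the upper-layer header is in this packet,
    else None (later fragment, chain past end of packet, ESP/No Next Header,
    or more than max_eh headers, which we refuse to guess about)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, off = pkt[6], 40
    for _ in range(max_eh):
        if nh in SKIPPABLE_EH:
            if off + 2 > len(pkt):
                return None
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == IPPROTO_AH:
            if off + 2 > len(pkt):
                return None
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4  # AH length is in 32-bit words
        elif nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                return None
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None  # fragment offset != 0: no upper-layer header here
            nh, off = pkt[off], off + 8
        elif nh in (IPPROTO_ESP, IPPROTO_NONE):
            return None  # nothing parseable in the clear beyond this point
        else:
            return nh, off
        if off > len(pkt):
            return None  # the chain claims more bytes than the packet has
    return None


def tcp_ports_and_payload(pkt, off):
    """TCP: Data Offset (32-bit words) moves the payload past the options."""
    if off + 20 > len(pkt):
        return None
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    data_off = (pkt[off + 12] >> 4) * 4
    if data_off < 20 or off + data_off > len(pkt):
        return None
    return sport, dport, off + data_off


def classify(pkt):
    """What a stateless filter can decide from one packet: ('tcp', sport, dport,
    payload_offset), ('proto', n) for other upper layers, or 'unknown'."""
    if not pkt:
        return "unknown"
    found = ipv4_transport_offset(pkt) if pkt[0] >> 4 == 4 else ipv6_transport_offset(pkt)
    if found is None:
        return "unknown"
    proto, off = found
    if proto != IPPROTO_TCP:
        return ("proto", proto)
    tcp = tcp_ports_and_payload(pkt, off)
    return ("tcp",) + tcp if tcp else "unknown"


# --- constructed sample packets (checksums left zero; addresses all-zero) ---
def ipv4_packet(proto, options=b"", payload=b""):
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0, bytes(4), bytes(4))
    return hdr + options + payload


def ipv6_packet(chain):
    """chain: [(type, body), ..., (upper_proto, upper_layer_bytes)]; for an
    extension header 'body' is everything after its own Next Header byte."""
    next_proto, payload = chain[-1]
    for proto, body in reversed(chain[:-1]):
        payload = bytes([next_proto]) + body + payload
        next_proto = proto
    return struct.pack("!IHBB", 0x60000000, len(payload), next_proto, 64) + bytes(32) + payload


def tcp_segment(sport, dport, options=b"", payload=b""):
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (data_off << 12) | 0x02, 65535, 0, 0) + options + payload


def frag_body(offset_units, more=1, ident=0x1234):
    return struct.pack("!BHI", 0, (offset_units << 3) | more, ident)


MSS = b"\x02\x04\x05\xa0"              # TCP MSS option (4 bytes)
PADN6 = bytes([0, 1, 4, 0, 0, 0, 0])   # EH body: Hdr Ext Len 0 (8 octets total) + PadN(4)
SEG = tcp_segment(40000, 80, MSS, b"GET / HTTP/1.1\r\n")
SAMPLES = {
    "ipv4_with_options": ipv4_packet(IPPROTO_TCP, b"\x01\x01\x01\x00", SEG),
    "ipv6_plain": ipv6_packet([(IPPROTO_TCP, SEG)]),
    "ipv6_hbh_dst": ipv6_packet([(IPPROTO_HOPOPTS, PADN6), (IPPROTO_DSTOPTS, PADN6), (IPPROTO_TCP, SEG)]),
    "ipv6_first_frag": ipv6_packet([(IPPROTO_DSTOPTS, PADN6), (IPPROTO_FRAGMENT, frag_body(0)), (IPPROTO_TCP, SEG)]),
    "ipv6_later_frag": ipv6_packet([(IPPROTO_FRAGMENT, frag_body(3, more=0)), (IPPROTO_TCP, bytes(24))]),
    "ipv6_short_chain": ipv6_packet([(IPPROTO_DSTOPTS, bytes([30]) + bytes(6)), (IPPROTO_TCP, SEG)]),
    "ipv6_esp": ipv6_packet([(IPPROTO_ESP, bytes(16))]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} {classify(pkt)}")
```

The IPv4 and TCP cases are the ones Mark points at: a single length field, bounded at 60 bytes, fixes the offset. The IPv6 walker has to iterate, and three of the seven samples come back "unknown" even though each carries a Next Header value of TCP somewhere; a device that matched on that byte, or on the bytes at a fixed offset, would be making exactly the kind of decision the ERNW evasion work exploited. The `max_eh` bound and the fail-closed default are the two knobs a practitioner would tune per deployment.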