IETF Logo Mail Archive

Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Andrew Alston <Andrew.Alston@liquidtelecom.com> Tue, 26 October 2021 00:40 UTC

Return-Path: <andrew.alston@liquidtelecom.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0300F3A077E for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 17:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.875
X-Spam-Level:
X-Spam-Status: No, score=-0.875 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=liquidtelecom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4oNnO1fEZfB for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 17:40:00 -0700 (PDT)
Received: from eu-smtp-delivery-182.mimecast.com (eu-smtp-delivery-182.mimecast.com [185.58.85.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A6FD3A0762 for <v6ops@ietf.org>; Mon, 25 Oct 2021 17:39:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=liquidtelecom.com; s=mimecast20210406; t=1635208797; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=2+UiTTPs55hunl+FIx/cUyn9vO7/ogaomx3BeN+ADoY=; b=IyrfnWRGkf7tVd/2V5w19uAVE2pDpC5+g4P4Vfd7mnZMmYGu79/z2MQcJgtnUigJe9lyBI r8zvuYlkLT+/pE/WBxxvMb8j1qyRPeOYoueopOA0fAxaVGl1Ba5+DOi6P9I/niGECDNifG F5iqcijGJuDg/XbOu/ZxCXBSMM0+o/o=
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05lp2104.outbound.protection.outlook.com [104.47.18.104]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-50-oeUJNgeVMYmnqKhN1ECMyg-1; Tue, 26 Oct 2021 01:39:52 +0100
X-MC-Unique: oeUJNgeVMYmnqKhN1ECMyg-1
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com (2603:10a6:20b:346::6) by AS8PR03MB7670.eurprd03.prod.outlook.com (2603:10a6:20b:400::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.16; Tue, 26 Oct 2021 00:39:51 +0000
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9]) by AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9%6]) with mapi id 15.20.4628.020; Tue, 26 Oct 2021 00:39:51 +0000
From: Andrew Alston <Andrew.Alston@liquidtelecom.com>
To: Warren Kumari <warren@kumari.net>
CC: Gert Doering <gert@space.net>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
Thread-Index: AQHXxp4zP+qugBEUYEKpNlrZT9uUPqvfT9WAgAQhrYCAAM2ggIAAAuGAgAADvQCAAAC4AIAAOW6A///WbgCAADRFgP//03YAgABK9gA=
Date: Tue, 26 Oct 2021 00:39:51 +0000
Message-ID: <524FB34E-AAED-479E-85A3-422E334FA38A@liquidtelecom.com>
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com> <YXciHYMNa6KJUohp@Space.Net> <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com> <YXcl2iQMvZe8ggLs@Space.Net> <0C1C8148-3D59-4C2A-A834-5B11854B3E7C@liquidtelecom.com> <CAHw9_iLm_T=F_m+Bie5ey6=PU18D610w6HsXY16f118hzmp5Kw@mail.gmail.com> <1A8239F9-2487-4514-AC32-5B3CAD71675C@liquidtelecom.com> <CAHw9_iLyrjWe+_7xctTrLiGNnJu9sDA_7e6mXuUmX4zu7+_RjQ@mail.gmail.com>
In-Reply-To: <CAHw9_iLyrjWe+_7xctTrLiGNnJu9sDA_7e6mXuUmX4zu7+_RjQ@mail.gmail.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.53.21091200
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3f084da5-d322-4d57-ef5a-08d998191f53
x-ms-traffictypediagnostic: AS8PR03MB7670:
x-microsoft-antispam-prvs: <AS8PR03MB7670BE897C360CC5C6E4E71DEE849@AS8PR03MB7670.eurprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: k2tAJIpO8hvc2fpuAZ60CiqLS2jQhWG0B26yX3K/puBKEY3zDYYAgvKgLct5tZTxDxN8HjYR1zmxJ6bM7Drm9NCXtJcPB0sGGf94g5+64zzAU0hEGpHlhD2E6Z0NLcZsiILPJUCF6cZtY+SdqwRHFlhiEDF2kYeHGF2KZCkQADcpagsZQBPZ3LEsHY4oJs5vH4J1k9DHhNhZDZ6kqCf07QhNxKiHxdD2Fjw2FyticVucra138tQNHljD8myy3bVTTWz/30QDPESlSyl8EG7FAwq6vbG93o0llxuEbwW8g0kdttx1LlmbbV33D2lY+QxKDvY5+gLT9xJGZ+bDEg7RyHaglq/OxFoIA+3TPzVUtTHj3VpMafeOxOrramRFbJrjk0nNkaHW3tnSI2IVB/u01y3N9KL9oRlnfJVYCeLEJgARGJ3nm4p2jHOHOv9dPBUtox2t5nM5LYe03EGu1ZR86xXcDhoi6L/f4Ge+72w0ZoniZ8ZTsNj0Q9YLfCLalhRnLcdbMmIFimQHXdevI/jOi10FaBQzgdf4Vm28oKKk3cGlUDqeLgh6iwk5XUXtKHQInWtBE8OT0N0NYKNPKcHp3CsjXxsAbxnPRIVRyS5u3iuEepzpDorFwBkzsUx8PZdTZ6/GbeuOvIn2GvnTkOpKD4t3JA0W6n1dmKQnQDpPp4hHRquLKIRkuCEc3ZXfbpurTGd8R3TQrFZPDxdpI23E2mNm9Lzd01IqDs1xCO+RIPOI9TmSJ5PAOTHRQFdFtk6wQYkCfCndIicPADd9lYY5iJNngGQYk4w/EL3qVKAOG4lo4Xqhons0Tn//TYV4eWkU0DUpJDJtrYZ709uu7FUIY8YVCjjobPh12sa55e4uvZA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR03MB7622.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(38070700005)(66446008)(8676002)(6486002)(66556008)(2906002)(66476007)(66574015)(91956017)(76116006)(64756008)(66946007)(71200400001)(36756003)(6916009)(316002)(2616005)(166002)(86362001)(33656002)(6512007)(8936002)(53546011)(38100700002)(5660300002)(83380400001)(966005)(122000001)(54906003)(4326008)(186003)(15650500001)(6506007)(508600001)(45980500001); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +OQ99e/4dW3lOwuL8J7jPsEWw2G1dIbocktbxXg7RV73odJysCChD2SjvCaaUg2Hf1ITnX207kI3no1zrqvw4uR37xbfurruF3z0iYxhs5wAM5Iit/OlzVvFx8pX3OJRZ+6gAO/fbNOyuzNVbiv7V2/adW0kx6RRlzpvL6X9kHpQIrrN+QBV9XbuANCKyr6JUyKv2NZxDbGTpUOyY/jVMYtnlDv9XnqPddyC0zTcLhI3b+JejUNY5nRfGFVlrkbJrrqMT8HF1sQKEDrRO27N1IvPKARXiiiK/wxKjLga8Tp6GR+sAfRtxSA8AnwKKKkbQYrg+E0rpDbumyxTijFpO1a1EZUPQ4Bm/ZgJebHy3hzvDb/OprRhHf3j2eQOhsM2Qg3irVGRz9AbooNuYOTZx9TTx34tTe/Tnf5S4z4EJKINveAKgejNBFyfncE9NidztzXff7RUoqVoSZnCXWsg9ntztEBBY/+uIlgO/pkaZr7WUfmJd/cMoYkad2NrGfQpydmClaDTuYJlLdDyQtSFnbuOoPEN3ksaHXVUtrzwDE4wWJmwHVFT9TFGhqoNPGK6tYgMtsTcLLkMibdKBhoHSMFMD5/2ate9Bv6o8LOh2bOZht+BkzX1GblzRh9RCMBXCHIrOxxdm1upIT0kQRKFYC5P9/5+KSw2IJPOvDBlkpEvc6he5Pvur4UVhBgFvduYSwCfQ47y5o2G3B/2g809qfgRAU2ZoHJJCGupf0kJ1VCQfRKva22I5zvzZDaoIAmh/vaWFPaXXchhVIp/QnFtbVXvCqbh8xW8LwGiqlSMsPQlWhdXbP98mVZXGIL++3TTQyvaFXhJBVB3Pfh9Tbcnmp+1kQdkdmAo4MVk+9PRwi4QNRWceFFy9IX+FtST4lu6FX6YxdzKRisG7gs7qD/yhhMi+0Ij1hQoLi9z9w0SWH2+ebymqTPexfb36k2+Zh3AVU3YjtrqjChGHCNvdxiAWOIdUAhjQow0A8+wLF3jq9Wa0RRURv5oS4BX5NXaNispGEZ6yn2jWLbZ+SE28bafR2QneDhDJY7jin/daYf+1LfeVlWYOA8nEIOA2MHAj3N+k+lzUaqQBE0GB2sqV74SULXNVDpoUWy++0RC6CYXrjIS2RY3rALnMX5alnH7FblozHtNUc/KD+eWrWuDgzvVGMEG/Os90mxSYSARfFNO6w9NgK8RYkSt2BGuA7kQFvk8NiiOnIyTtUImS6l7NmN5NjOh0sgkxY3pBx8ESpF1tI1zID0r0oRdU1ArIkcSpjgeW5RXtRlS/ZYq2zLXnNgMCNPTh91F7vIarep7IWnByZ8x3l4QzLUnxgcJ2V8EluOwi4+KnVKOW0Pj70V3w/UDC/ExkEhWVd2yfq/tjwDoqdLhs4OuHHNCFGAZvD1Z1gt7Y8hWD2/ovvDVKecqJHBwygIAz6xKove2FfM1oqXZQK3Wka1gU0weDFSqoosHAlfCDx67MxXgSq/W4H+twuNDCZxuo/9YjyUTWtrNL52QrtosyQSi1cMWjH8dAJ/94Mt1QxtKwxBKGczDG+ijalWVhrg/2tfC0TkzD3Am5X99wLh2GSZTOEiTrSCmGibzpW/f0Hfun1pRRN35Vu72OfkS+CB1iFDbojR0P2x3Y7YsvO/jjHvoOexKauWrRKqTkvMSmzdlXM4MtygNM6loYNBy4kIj3IazJ3Pi4H9gUqcBrzgoGXvsfeN3oTbwd9/6+VMqKje0HQNqZ6HWkSXrBYVt5w==
MIME-Version: 1.0
X-OriginatorOrg: liquidtelecom.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR03MB7622.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3f084da5-d322-4d57-ef5a-08d998191f53
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Oct 2021 00:39:51.5590 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68792612-0f0e-46cb-b16a-fcb82fd80cb1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 96+88AfbM4SSjFQhLe+z1TPExwk5O6QlusSosURTPiAnkUxbcIXAEn3li4Lkt0NzXyCV0IHdmNthnN4neBWowiiFMDHEH/vp4ZQYe3SvLQQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR03MB7670
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C82A168 smtp.mailfrom=andrew.alston@liquidtelecom.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: liquidtelecom.com
Content-Language: en-GB
Content-Type: multipart/alternative; boundary="_000_524FB34EAAED479E85A3422E334FA38Aliquidtelecomcom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/lt94JT-E5DeZTCidwzW_B_TkwwE>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 00:40:06 -0000

Thanks Warren for the clarifications – I think we’re pretty much aligned, just my misreading of certain things – apologies for that.

The idea of a fixed prefix that is a default fail-closed in the way you proposed is certainly a major step in the right direction and I like that idea – it would address a LOT of my concerns.  By doing this we could also potentially avoid interface-specific filters and dependent on implementation not send up blowing up the tcams.

I think – the other thing we could consider is saying that we get potentially a /16 worth of space for this – and strongly suggest that to make up the first 48 bits we then append the asn in the next 32 bits – if you did this – you open the door to inter-domain controlled srv6 between operators – but without the risk of duplicate addressing etc.

So yeah – this is certainly worth considering

Andrew


From: Warren Kumari <warren@kumari.net>
Date: Tuesday, 26 October 2021 at 02:12
To: Andrew Alston <Andrew.Alston@liquidtelecom.com>
Cc: Gert Doering <gert@space.net>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?



On Mon, Oct 25, 2021 at 6:51 PM Andrew Alston <Andrew.Alston@liquidtelecom.com<mailto:Andrew.Alston@liquidtelecom.com>> wrote:
I'm assuming that in this scenario your "Rogue host A" is one that has intentionally added to the SRH domain (either by allowing your new ether-type, or manually removing the "limited domain prefix filter")? If so, then yes, bad things happen. This seems largely the same as "I decided to add "Rogue host A" to my MPLS domain so it could MPLS", or I added "Rogue host A" to my IGP, because reasons...
Making a host able to influence routing, whether it is part of something like MPLS, SR<something>, or in your IGP makes that host able to do bad things...


See that’s the thing Warren – with MPLS – it’s a default fail-closed
Nod. It sounds like you think I'm disagreeing with you, which confuses me some -- I think that we are both looking for a failed closed system.

– with a prefix list that has to be applied to every interface – well – things get missed.
Yes. Hence my "by default it would be applied".

In the same way I manually add an interface to MPLS:
protocol {
   mpls {
       interface et-0/0/0.0;
   }
}

I would manually add the interface to allow SRH:
protocol {
   srh {
   interface et-0/0/0;
   }
}
(or perhaps something like "set interface et-0/0/0.0 family srh allow'", or whatever).

The solution would default to fail-closed -- there is a default "deny $srh_prefix" on the interface and I manually permit it by telling the device that the interface participates in SRH (or whatever other limited domain protocols are defined to use space). The above example has some syntactic sugar, but the actual implementation is simply that the device allows packets from $limited_domain_prefix when you set this...



  And these prefix lists would have be applied to every L3 interface – and again – I fear you’re going to have tcam problems if you try and apply an LPM filter to every interface on a massive device with thousands of interfaces.  You can’t apply filters in the way you would for CoPP – these become specific prefix filters.

I don't think that it is a specific prefix filter (or I'm misunderstanding you) -- if you add the interface to the SRH limited domain, the filter blocking the (well-known) prefix is removed. It's a single, well known prefix.



I’m just convinced that’s either practical or it’s going to really work,.

I think that my proposal is largely the same as a different ether-type - it is implemented as a default block ACL, which is removed when you add the interface to the domain (instead of allowing a different ether-type). Depending on implementation it may burn a single TCAM slot per interface, but implementing it should be simple....

Also – if you look at the scenario I sketched – that rogue doesn’t doesn’t just affect you – because if it changes the source of the inner packet and causes it to broadcast – the replies are going to affect things on a far wider basis – your routers just became amplifiers for an attack aimed externally.

Yes, we are in full agreement.



You are right – the ether-type may have sailed – but as I said – so far – my tests indicate that a single host would allow you to launch far more damaging attacks in this scenario than it would if it couldn’t inject weird packets

Again, I fully agree.... which is why we don't want unexpected hosts to be able to do this :-)

W




Andrew




Now - the inner packet is a v4 packet - it has a source set to random host attacker doesn’t like - and its destination is 255.255.255.255<http://255.255.255.255> - which thanks to rfc919 will not forward - when that deencap happens - does the packet get dropped because it can't be forwarded - or does it get treated as a local broadcast. This is a rather undefined scenario - if however it DOES get treated as a local broadcast - well - then we have a really big problem - that’s called smurf-v2 (and even if 255.255.255.255<http://255.255.255.255> doesn’t work - more specific broadcasts that are attached may well work). At this point - when the broadcast packet hits the hosts behind those broadcasts - they will reply to the spoofed source - this will follow stock standard routing outbound - and the protections we would normally use aren’t gonna work (the source of replies to the broadcast packets would be the hosts - they are permitted to send packets to the internet)

Another scenario - sending to multicast addresses post de-encap - do we have a potential attack vector to poison ND?  Again - haven't had the time to test this.

Same thing applies to a whole long list of other things - effectively - if you get one compromised host on the network that can inject a packet that will de-encap and act on the inner packet - with absolutely zero mechanisms for verification of what is in that inner packet or how to handle it - the list of possible problems is - extensive to say the last.  All I am saying is - we need to really step back and think - and I think this needs a veryyyyy close look - because in initial tests  I have done - and without the above additional tests - I can tell you my results are looking positively scary (and once I complete the full set I'll publish some scenarios and results with more detail)

Andrew


On 26/10/2021, 00:48, "v6ops on behalf of Gert Doering" <v6ops-bounces@ietf.org<mailto:v6ops-bounces@ietf.org> on behalf of gert@space.net<mailto:gert@space.net>> wrote:

    Hi,

    On Tue, Oct 26, 2021 at 10:44:32AM +1300, Brian E Carpenter wrote:
    > On 26-Oct-21 10:31, Gert Doering wrote:
    > > On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
    > >> I somewhat like the idea of having a well known prefix for "limited
    > >> domains"
    >
    > fc00::/7 works well. RFC8994 is a worked example.

    So how would that work for an ISP network trying to run SR6, protecting
    its network from rogue hosts inside?  Without having GUAs on the SR6
    routers that would happily decapsulate incoming SR6 packets, and
    without violating lots of rules about "do not leak ULAs outside
    your network" (traceroute and other ICMP errors)?

    I lack imagination today...

    Gert Doering
            -- NetMaster
    --
    have you enabled IPv6 on something today...?

    SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
    Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
    D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
    Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279

_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops<https://www.ietf.org/mailman/listinfo/v6ops>


--
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra


--
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra

v2.23.0 | Report a Bug | By Email