Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world
Mark Andrews <marka@isc.org> Thu, 04 September 2014 00:59 UTC
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <54074E9B.5030007@si6networks.com> <20140903235529.C08031E5282B@rock.dv.isc.org> <5407B564.7060003@gmail.com>
In-reply-to: Your message of "Thu, 04 Sep 2014 12:42:12 +1200." <5407B564.7060003@gmail.com>
Date: Thu, 04 Sep 2014 10:59:37 +1000
Message-Id: <20140904005937.397471E53E95@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/oO5d5h66Z42X-Cp-UjLuvDYa71M
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org
In message <5407B564.7060003@gmail.com>, Brian E Carpenter writes:
> On 04/09/2014 11:55, Mark Andrews wrote:
> > In message <54074E9B.5030007@si6networks.com>, Fernando Gont writes:
> >> Folks,
> >>
> >> Based on the recent discussions, we're planning to update Section 5.2
> >> (which contains all the discussion about the ICMP-based attack vector)
> >> of the aforementioned I-D as follows. Please let us know if you have any
> >> comments:
> >>
> >> ---- cut here ----
> >> 5.2. A possible attack vector
> >>
> >> The widespread filtering of IPv6 packets
> >
> > with Extension Headers by enterprise firewalls
> >
> >> employing IPv6 Extension
> >> Headers can, in some scenarios, be exploited for malicious purposes:
> >> if packets employing IPv6 EHs are known to be filtered on the path
> >> from one system (say, "A") to another (say, "B"), an attacker could
> >> cause packets sent from A to B to be dropped by sending a forged
> >> ICMPv6 Packet Too Big (PTB) [RFC4443] error message to A (with a
> >> Next-Hop MTU smaller than 1280), such that subsequent packets from A
> >> to B include a fragment header (i.e., they result in atomic fragments
> >> [RFC6946]).
> >
> > IPv6 packets with fragmentation headers get through if you don't
> > stuff a device which deliberately blocks them in the path. This is
> > self-inflicted pain.
>
> I think the problem is that it isn't painful at all to the people who
> configure the blocking device. It's only painful to actual users.

Which in 99% of cases work for the same people that ordered the firewall
to be installed. If fragments aren't getting to your device, take the
issue up with your management. It's almost always a problem at the
receiving end.

If you are a home user with a broken firewall that does this, replace it.

Mark

> Brian
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
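The attack vector quoted in the draft text above, worked through as an added example (this is not code from the I-D, from ISC, or from any participant in the thread): a host receives an ICMPv6 Packet Too Big, decides whether to trust it, and if it does honour an MTU below 1280 it inserts a Fragment header without actually splitting the packet (an RFC 6946 atomic fragment), which is exactly the packet an "EH-dropping" enterprise firewall then discards. The addresses, ports, flow table and packet contents are constructed for the example; ICMPv6 and TCP checksums are left zero and are not verified.

```python
"""Added example: ICMPv6 Packet Too Big validation and the atomic fragment
a host would emit if it honoured a PTB with MTU < 1280.  All packets,
addresses and the flow table are constructed for illustration."""
import struct
import ipaddress

IPV6_MIN_MTU = 1280          # RFC 8200: every IPv6 link must carry 1280 bytes
ICMPV6_PACKET_TOO_BIG = 2    # RFC 4443 s3.2, code 0
NEXT_HEADER_TCP = 6
NEXT_HEADER_FRAGMENT = 44
# Extension headers a blanket "drop all EHs" firewall policy matches on.
EXTENSION_HEADERS = {0, 43, 44, 50, 51, 60, 135}


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Assemble a minimal 40-byte IPv6 header (RFC 8200 layout) plus payload."""
    hdr = struct.pack("!IHBB16s16s",
                      6 << 28,                       # version 6, tclass/flow label 0
                      len(payload), next_header, hop_limit,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_tcp_stub(sport, dport, seq):
    """20-byte TCP header, no options; checksum zero (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)


def build_ptb(mtu, invoking_packet):
    """ICMPv6 Packet Too Big: type, code, checksum, MTU, then the invoking packet.
    Checksum is left zero here; a real sender computes it over the pseudo-header."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet


def classify_ptb(icmpv6, known_flows):
    """Verdict for a received PTB before the host acts on it.

    known_flows: set of (src, dst, sport, dport) tuples for connections this
    host has open (src is this host).  A fuller validator would also check the
    quoted TCP sequence number against the send window (RFC 5927 s4.1)."""
    if len(icmpv6) < 8:
        return "truncated"
    typ, code, _cksum, mtu = struct.unpack("!BBHI", icmpv6[:8])
    if typ != ICMPV6_PACKET_TOO_BIG or code != 0:
        return "not-ptb"
    quoted = icmpv6[8:]
    if len(quoted) < 40 + 4:                 # IPv6 header plus at least the TCP ports
        return "truncated"
    _vtf, _plen, nh, _hl, src, dst = struct.unpack("!IHBB16s16s", quoted[:40])
    if nh != NEXT_HEADER_TCP:
        return "not-tcp"
    sport, dport = struct.unpack("!HH", quoted[40:44])
    flow = (str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), sport, dport)
    if flow not in known_flows:
        return "no-matching-flow"            # quoted packet is not ours: off-path forgery
    if mtu < IPV6_MIN_MTU:
        return "mtu-below-minimum"           # honouring it would only add a Fragment header
    return "ok"


def atomic_fragment(ipv6_packet, ident):
    """What a host does if it honours an MTU < 1280 (RFC 6946): the packet is not
    split; a Fragment header with offset 0 and M=0 is inserted after the IPv6 header."""
    hdr, payload = ipv6_packet[:40], ipv6_packet[40:]
    orig_nh = hdr[6]
    frag_hdr = struct.pack("!BBHI", orig_nh, 0, 0, ident)    # next hdr, reserved, offset|M=0, id
    new_hdr = hdr[:4] + struct.pack("!HB", len(payload) + 8, NEXT_HEADER_FRAGMENT) + hdr[7:]
    return new_hdr + frag_hdr + payload


def dropped_by_eh_filter(ipv6_packet):
    """The enterprise firewall from the draft: drop any packet whose first
    next-header value is an extension header."""
    return ipv6_packet[6] in EXTENSION_HEADERS


def demo():
    """A sends TCP to B; an attacker (assumed here to know the 4-tuple) forges a PTB
    with MTU 1000.  Returns (verdict, original dropped?, atomic fragment dropped?)."""
    a, b = "2001:db8::a", "2001:db8::b"      # hypothetical hosts A and B
    flows = {(a, b, 40000, 443)}
    a_to_b = build_ipv6(a, b, NEXT_HEADER_TCP, build_tcp_stub(40000, 443, 1000) + b"x" * 100)
    forged_ptb = build_ptb(1000, a_to_b)
    verdict = classify_ptb(forged_ptb, flows)
    frag = atomic_fragment(a_to_b, 0x1234)
    return verdict, dropped_by_eh_filter(a_to_b), dropped_by_eh_filter(frag)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `("mtu-below-minimum", False, True)`: the unfragmented packet passes the EH filter, the atomic fragment the host would generate after accepting the forged PTB does not. The two checks in `classify_ptb` are the host-side mitigations a practitioner would look for: the quoted packet must match an existing flow (RFC 4443 requires the error to carry as much of the invoking packet as fits, which is what makes this check possible), and an MTU below 1280 deserves suspicion because no IPv6 link is allowed to be that small. RFC 8021 (published later, in 2017) went further and recommended that hosts stop generating atomic fragments in response to such PTBs altogether.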