Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world

Mark Andrews <marka@isc.org> Thu, 04 September 2014 00:59 UTC

To: Brian E Carpenter <brian.e.carpenter@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <54074E9B.5030007@si6networks.com> <20140903235529.C08031E5282B@rock.dv.isc.org> <5407B564.7060003@gmail.com>
In-reply-to: Your message of "Thu, 04 Sep 2014 12:42:12 +1200." <5407B564.7060003@gmail.com>
Date: Thu, 04 Sep 2014 10:59:37 +1000
Message-Id: <20140904005937.397471E53E95@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/oO5d5h66Z42X-Cp-UjLuvDYa71M
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>, draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org
Subject: Re: [v6ops] Security Considerations for draft-gont-v6ops-ipv6-ehs-in-real-world

In message <5407B564.7060003@gmail.com>, Brian E Carpenter writes:
> On 04/09/2014 11:55, Mark Andrews wrote:
> > In message <54074E9B.5030007@si6networks.com>, Fernando Gont writes:
> >> Folks,
> >>
> >> Based on the recent discussions, we're planning to update Section 5.2
> >> (which contains all the discussion about the ICMP-based attack vector)
> >> of the aforementioned I-D as follows. Please let us know if you have any
> >> comments:
> >>
> >> ---- cut here ----
> >> 5.2.  A possible attack vector
> >>
> >>    The widespread filtering of IPv6 packets
> > 
> > 	with Extension Headers by enterprise firewalls
> > 
> >>                                               employing IPv6 Extension
> >>    Headers can, in some scenarios, be exploited for malicious purposes:
> >>    if packets employing IPv6 EHs are known to be filtered on the path
> >>    from one system (say, "A") to another (say, "B"), an attacker could
> >>    cause packets sent from A to B to be dropped by sending a forged
> >>    ICMPv6 Packet Too Big (PTB) [RFC4443] error message to A (with a
> >>    Next-Hop MTU smaller than 1280), such that subsequent packets from A
> >>    to B include a fragment header (i.e., they result in atomic fragments
> >>    [RFC6946]).
> > 
> > IPv6 packets with fragmentation headers get through if you don't
> > stuff a device that deliberately blocks them in the path.  This is
> > self-inflicted pain.
> 
> I think the problem is that it isn't painful at all to the people who
> configure the blocking device. It's only painful to actual users.

Which in 99% of cases work for the same people that ordered the firewall
to be installed.  If fragments aren't getting to your device, take
the issue up with your management.  It's almost always a problem
at the receiving end.

If you are a home user with a broken firewall that does this replace
it.

Mark

>    Brian
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
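The draft text quoted above describes the trigger (a forged ICMPv6 Packet Too Big with a Next-Hop MTU below 1280 makes the sender emit atomic fragments, which a fragment-blocking firewall then drops). The following is an added illustration, not code from the thread, the draft or ISC: it parses the Fragment header to tell an atomic fragment (RFC 6946: offset 0, M=0, nothing to reassemble) from a real fragment, so a filter need not drop both, and it flags PTB messages advertising an MTU below the IPv6 minimum, which no real link can have. All packets are constructed inline; the addresses come from the documentation prefix and the ICMPv6 checksum is left as zero.

```python
"""Classify IPv6 Fragment headers and sanity-check ICMPv6 Packet Too Big
messages (added example; all packets below are constructed, not captures)."""
import struct

IPV6_MIN_MTU = 1280          # RFC 2460: minimum IPv6 link MTU
NH_FRAGMENT = 44             # Next Header value of the Fragment header
NH_UDP = 17
ICMPV6_PACKET_TOO_BIG = 2    # RFC 4443 type 2

# Constructed sample addresses from the 2001:db8::/32 documentation prefix
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(next_header, payload_len, src=SRC, dst=DST):
    """Build a 40-byte IPv6 base header (version 6, zero class/flow label)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)


def fragment_header(next_header, offset, more, ident):
    """RFC 2460 section 4.5: 13-bit offset in 8-octet units, 2 reserved bits, M flag."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | (1 if more else 0), ident)


def classify(packet):
    """Return 'unfragmented', 'atomic' or 'fragment' for a raw IPv6 packet.

    An atomic fragment carries a Fragment header with offset 0 and M=0, i.e.
    the whole datagram is present and no reassembly state is needed. A filter
    that drops every packet carrying a Fragment header drops these too, which
    is exactly what the forged-PTB trick in the draft relies on.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if packet[6] != NH_FRAGMENT:
        # Other extension headers are not walked in this example.
        return "unfragmented"
    if len(packet) < 48:
        raise ValueError("truncated Fragment header")
    _, _, off_flags, _ident = struct.unpack("!BBHI", packet[40:48])
    offset, more = off_flags >> 3, off_flags & 1
    return "atomic" if offset == 0 and more == 0 else "fragment"


def ptb_message(mtu, code=0, invoking=b""):
    """Construct an ICMPv6 Packet Too Big body; checksum left zero for the example."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, code, 0, mtu) + invoking


def ptb_mtu_check(icmp):
    """Parse a PTB and return (mtu, plausible).

    The MTU field (RFC 4443 section 3.2) occupies bytes 4..7. A value below
    1280 cannot describe a real IPv6 link; a host that honours it starts
    sending atomic fragments, so such a message deserves to be logged.
    """
    if len(icmp) < 8 or icmp[0] != ICMPV6_PACKET_TOO_BIG:
        raise ValueError("not an ICMPv6 Packet Too Big message")
    mtu = struct.unpack("!I", icmp[4:8])[0]
    return mtu, mtu >= IPV6_MIN_MTU


# Constructed sample packets: one plain UDP datagram, one atomic fragment,
# and a first/last pair of a genuinely fragmented datagram.
_payload = b"\x00" * 16
_frag_len = 8 + len(_payload)
PLAIN = ipv6_header(NH_UDP, len(_payload)) + _payload
ATOMIC = ipv6_header(NH_FRAGMENT, _frag_len) + fragment_header(NH_UDP, 0, False, 0x1234) + _payload
FIRST_FRAG = ipv6_header(NH_FRAGMENT, _frag_len) + fragment_header(NH_UDP, 0, True, 0x1234) + _payload
LAST_FRAG = ipv6_header(NH_FRAGMENT, _frag_len) + fragment_header(NH_UDP, 185, False, 0x1234) + _payload

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("atomic", ATOMIC),
                      ("first", FIRST_FRAG), ("last", LAST_FRAG)):
        print(f"{name:7s} -> {classify(pkt)}")
    for mtu in (1500, 1280, 1000):
        print(f"PTB mtu={mtu} -> {ptb_mtu_check(ptb_message(mtu))}")
```

A filter built on `classify` can keep dropping real fragments while passing atomic ones, which removes the payoff of the forged PTB; `ptb_mtu_check` gives the sender side a cheap log signal for PTBs that could only have been forged.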