Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices

sthaug@nethelp.no Wed, 17 June 2015 20:26 UTC

Return-Path: <sthaug@nethelp.no>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DAA81A0092 for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 13:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A4uJSgRU1csb for <v6ops@ietfa.amsl.com>; Wed, 17 Jun 2015 13:26:05 -0700 (PDT)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by ietfa.amsl.com (Postfix) with SMTP id BE4C71A007E for <v6ops@ietf.org>; Wed, 17 Jun 2015 13:26:04 -0700 (PDT)
Received: (qmail 52782 invoked from network); 17 Jun 2015 20:26:02 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 17 Jun 2015 20:26:02 -0000
Date: Wed, 17 Jun 2015 22:26:02 +0200 (CEST)
Message-Id: <20150617.222602.74710250.sthaug@nethelp.no>
To: tore@fud.no
From: sthaug@nethelp.no
In-Reply-To: <20150617211218.677e5a88@envy.fud.no>
References: <20150617201809.54a31cd2@envy.fud.no> <20150617184026.GA17859@ernw.de> <20150617211218.677e5a88@envy.fud.no>
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/pYMzkoLYsONIBuX5w36-9rOaJE4>
Cc: v6ops@ietf.org, ipv6-wg@ripe.net
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2015 20:26:07 -0000

> > Taking into account that stateless ACLs of all router vendors we
> > tested (results tb published soon) can be avoided/evaded by adding ~5
> > extension headers to datagrams I fully understand any operator who
> > does not want SSH on its devices to be reachable from the Internet
> > (over v6 with extension headers) and hence acts in a way similar to
> > the one Steinar described.
> 
> There is a big difference between an operator dropping all packets with
> EHs that are destined for *his own devices/routers* (I have no problem
> with that - your devices, your rules), and an operator that drops
> *transit* traffic destined for his customers because his routers cannot
> understand/parse/filter its L4/EH payload.

I certainly appreciate this distinction. However, problems arise in
practice when customers *ask* for various types of protection - which
are most sensibly implemented on border routers.

Just to be clear - we don't drop IPsec traffic today (neither IPv6
nor IPv4). 

> In my opinion, an ISP/IP transit network shouldn't even attempt to
> parse the L4/EH payload in customer traffic (except if the customer
> asks for it of course), it should just deliver the packets.

The problem is - the customer *does* ask for it, in many cases.

> > I doubt Steinar loses many customers (due to "application breakage")
> > by taking that path. In contrary I expect many of his customers
> > valueing the increased level of device & network availability gained
> > by eliminating an entire class of attacks.
> 
> The first operator I mentioned above won't lose any customers because
> his filtering activities doesn't impact customer traffic. The second
> operator would lose my business, at least. And probably others' too, as
> business customers might want their site2site IPSEC tunnels to work,
> residental customers might want their Xbox One online gaming to work,
> and so on.

I agree - IPSEC tunnels and Xbox One online gaming need to work. That
doesn't mean *all* extension header combinations should be expected
to work - and it appears that they often don't.

I expect we'll see much more of these discussions in the coming years,
as IPv6 traffic grows. And I certainly also expect significant size
IPv6 DDoS attacks - at least some of which will probably be based on
extension header manipulation.

Steinar Haug, AS 2116