IETF Logo Mail Archive

Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

Joe Touch <touch@isi.edu> Wed, 22 April 2015 17:18 UTC

Return-Path: <touch@isi.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED44F1B3895 for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 10:18:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RzebUwr3YRhD for <v6ops@ietfa.amsl.com>; Wed, 22 Apr 2015 10:18:30 -0700 (PDT)
Received: from webspace.isi.edu (webspace.isi.edu [128.9.64.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B438B1B376B for <v6ops@ietf.org>; Wed, 22 Apr 2015 10:18:30 -0700 (PDT)
Received: from [128.9.160.252] (pen.isi.edu [128.9.160.252]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id t3MHHRhf023913 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 22 Apr 2015 10:17:27 -0700 (PDT)
Message-ID: <5537D7A6.4020106@isi.edu>
Date: Wed, 22 Apr 2015 10:17:26 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: sthaug@nethelp.no
References: <553696EC.4060207@isi.edu> <55369855.1040101@joelhalpern.com> <55369B2D.80906@isi.edu> <20150422.084056.74672865.sthaug@nethelp.no>
In-Reply-To: <20150422.084056.74672865.sthaug@nethelp.no>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/pgjuJID3cPhh7RbsyZhs-FWiz-o>
Cc: draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org, v6ops@ietf.org, merike@doubleshotsecurity.com, fgont@si6networks.com
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 17:18:32 -0000


On 4/21/2015 11:40 PM, sthaug@nethelp.no wrote:
> <flame retardant suit on>
...
> 
>> Protecting the control plane can be done by the receiving host
>> (destination router).
> 
> This is a fundamental disagreement. Protecting the control plane needs
> to be done by *all* intermediate routers in today's somewhat hostile
> Internet environment. That also includes some traffic not explicitly
> addressed to the routers themselves (for instance traceroute to a
> destination reached *through* the routers). Only looking at traffic
> addressed to the routers themselves is not sufficient.

Sure - so here's the solution:

1) declare that your routers won't accept "host" packets (i.e., to their
interface addresses) that use EHs

	if you want to try, extend that to any AS whose routing
	packets you want to DDOS filter (but they need to think this
	is acceptable)

2) if you want to do DDOS filtering, do so on IP addresses for the
specific routers you are trying to protect

	either rate-limit everything to that address, drop
	anything with an EH, rate-limit/drop based on TCP/UDP
	ports, or any combination thereof

I.e., not using EHs is your prerogative, and not forwarding EHs to
others is *their* prerogative, but castrating IPv6 for the entire
Internet is not necessary.

Joe



> 
>> Protecting the network as a whole is useful, and may involve some level
>> of DPI - or may not. If the traffic is encrypted, then only the
>> destination router can protect itself anyway. But dropping the packets
>> because of EH use just makes the filtering router an attacker to the E2E
>> communication between the routers.
> 
> We have some services that are available within our AS, and should not
> be available outside the AS. One such example is DNS resolvers (there
> are others). We have chosen to block such services at the border - by
> having the border routers explicitly blocking UDP/TCP port 53 to the
> resolver addresses. This obviously means the border routers must be
> able to *find* the UDP/TCP header in that part of the IPv6 packet they
> are able to inspect at line rate. This is not "DPI" in any sense of
> the word - it is very basic filtering.
> 
> And here, I assume, is the next disagreement. If the UDP/TCP headers
> cannot be found because IPv6 EHs have pushed them beyond what the
> routers can inspect at line rate - the packet will be dropped.
> 
> If we can get improved filtering capabilities in our routers as part
> of regular equipment upgrade cycles - great, everybody is happy. But
> we are not likely to buy significantly more expensive routers *just*
> to be able to peek further into the packets (number of customers
> needing this are *many* orders of magnitude too low - if they exist
> at all).
> 
> Steinar Haug, AS 2116
>

v2.23.0 | Report a Bug | By Email