Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Tue, 21 April 2015 08:06 UTC

Date: Tue, 21 Apr 2015 08:06:41 +0000
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: Gert Doering <gert@space.net>, Joe Touch <touch@isi.edu>
Message-ID: <226821730.1251109.1429603601339.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <20150421064811.GG54385@Space.Net>
References: <20150421064811.GG54385@Space.Net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/qx1TZ3nWLdS4i59HQDnLJingySg>
Cc: "draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org" <draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>, Merike Kaeo <merike@doubleshotsecurity.com>, Fernando Gont <fgont@si6networks.com>
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

From: Gert Doering <gert@space.net>
To: Joe Touch <touch@isi.edu>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>; Merike Kaeo <merike@doubleshotsecurity.com>; "draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org" <draft-gont-v6ops-ipv6-ehs-in-real-world@tools.ietf.org>; Fernando Gont <fgont@si6networks.com>
Sent: Tuesday, 21 April 2015, 16:48
Subject: Re: [v6ops] draft-gont-v6ops-ipv6-ehs-in-real-world: clarification text

Hi,

On Mon, Apr 20, 2015 at 02:28:08PM -0700, Joe Touch wrote:
> On 4/20/2015 2:21 PM, Gert Doering wrote:
> > On Mon, Apr 20, 2015 at 08:43:28AM -0700, Joe Touch wrote:
> >>> If for some reasons, a router in the middle needs access to layer-4
> >>                                              ^^^^^
> >>> information (IPFIX? DDoS mitigation? ... ?), then the EH chain must be
> >>> parsed which can cause a performance impact.
> > [..]
> >>     1) this is the router vendor's decision, not a requirement
> >>     of Internet routers
> > 
> > So, please tell me how you build an Internet router that is able to
> > defend itself against control plane abuse and does not need to look into
> > L4 to do so?
> 
> A router can protect its own control plane by looking at the packet
> contents, but then it is acting as a host at that point and should be
> looking there only for packets addressed to interfaces of that router.
> That's not a forwarding function and thus doesn't limit the forwarding
> plane.

Of course, but real world requires that this filter function needs to be
implemented in the forwarding plane, because otherwise packets would just
saturate the link between forwarding and control plane if you would only 
filter on "the other side".
/ So it should be easily possible to identify trusted IPv6 source and/or destination addresses for control plane processes/protocols, and drop packets that don't match those on ingress to that control plane link, filtering them at the egress of the forwarding plane. Host firewalling at the ingress of the control plane would then be able to perform a further level of filtering if necessary. With the processing power of control plane CPUs these days, they shouldn't have trouble doing that.

/ Furthermore, network cards these days perform large receive offload (concatenation of multiple UDP or TCP packets to be able to form a single large one to hand up to the operating system). Because of their level of UDP or TCP understanding, it may be possible to push TCP or UDP port level filtering down into one of those if the control plane link is actually an Ethernet link (or you could put one at the forwarding plane egress of the link to the control plane, and perform TCP/UDP port level filtering there).

/ Regards,
Mark.



From a purely academic point of view, I totally agree with you.

Unfortunately, the Internet is not.



Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                  HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444          USt-IdNr.: DE813185279
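An added illustration of the two-stage split argued in this thread (example code, not from the thread, the draft, or any router vendor): a forwarding-plane check toward the control plane that reads only the 40-byte fixed header, so its cost does not depend on the EH chain, and a host-side check that does walk the chain to reach the L4 port. The router address, trusted prefix, allowed services and the packet builder are constructed sample data; the builder only emits Destination Options headers.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

EXT_HDRS = {0, 43, 44, 60}   # Hop-by-Hop, Routing, Fragment, Destination Options
ROUTER_ADDRS = {IPv6Address("2001:db8::1")}          # constructed sample policy
TRUSTED_SRCS = [IPv6Network("2001:db8:1::/48")]      # peers allowed to reach the control plane
ALLOWED_L4 = {(6, 179), (17, 53), (58, None)}        # BGP, DNS, ICMPv6 (no port)

def forwarding_plane_filter(pkt, router_addrs=ROUTER_ADDRS, trusted_srcs=TRUSTED_SRCS):
    """Stage 1 at the forwarding-plane egress toward the control plane: fixed header only."""
    dst = IPv6Address(pkt[24:40])
    if dst not in router_addrs:
        return "forward"                      # transit traffic, not for the router itself
    if any(IPv6Address(pkt[8:24]) in net for net in trusted_srcs):
        return "punt"                         # hand it to the control plane link
    return "drop"                             # untrusted source talking to our control plane

def find_l4(pkt):
    """Walk the EH chain; return (protocol, offset) of the upper-layer header or (None, None)."""
    nh, off = pkt[6], 40
    while nh in EXT_HDRS:
        if off + 8 > len(pkt):
            return None, None                 # truncated chain
        if nh == 44 and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
            return None, None                 # non-first fragment: L4 header not present
        ext_len = 8 if nh == 44 else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + ext_len
    return nh, off

def control_plane_filter(pkt, allowed=ALLOWED_L4):
    """Stage 2 on the control plane side: needs the EH walk to reach the L4 port."""
    proto, off = find_l4(pkt)
    if proto is None:
        return "drop"
    if proto in (6, 17):                      # TCP / UDP: destination port at offset +2
        if off + 4 > len(pkt):
            return "drop"
        dport = struct.unpack("!H", pkt[off + 2:off + 4])[0]
        return "accept" if (proto, dport) in allowed else "drop"
    return "accept" if (proto, None) in allowed else "drop"

def build_pkt(src, dst, n_eh, proto, dport):
    """Constructed sample packet: fixed header, n_eh Destination Options headers, L4 stub."""
    body, nh = b"", proto
    for _ in range(n_eh):
        body = bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + body   # next hdr, ext len 0, PadN(4)
        nh = 60
    body += struct.pack("!HHHH", 4444, dport, 8, 0)       # sport, dport, length/seq stub, cksum
    hdr = struct.pack("!IHBB", 0x60000000, len(body), nh, 64)   # ver 6, payload len, NH, hop limit
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + body
```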