Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
Fernando Gont <fernando@gont.com.ar> Tue, 29 May 2012 20:22 UTC
Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB51511E8106 for <v6ops@ietfa.amsl.com>; Tue, 29 May 2012 13:22:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUDBIEt-qbE1 for <v6ops@ietfa.amsl.com>; Tue, 29 May 2012 13:22:05 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 97F0611E80DC for <v6ops@ietf.org>; Tue, 29 May 2012 13:22:05 -0700 (PDT)
Received: by yenq13 with SMTP id q13so2898328yen.31 for <v6ops@ietf.org>; Tue, 29 May 2012 13:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=j+NVwl1pSyBv2esZonvueBGA6TwE1hsokSi2NoNvPx8=; b=bkz4qC7NRVFIUTs1XfV7o8t15zu2+Xmty/rpHPBdHgIVnscKvFAFXFOLYizA0edJ1F 34siozwoe1r9lRcsEbyeXf43Q1cPDPsgAvjkW9wWCFShfVY/wrEVl8/xElKybhEUGxJl nQHbwOvgGAWbB6lRfrr9vpQWZOMUezlFISH5n8BWpufybFr37k8wtNI4GDkcSezRynZB rw7YWQA77mHE5IllACQYeAJ/RQOGNUJ6MFon58ZdhZ9+UUlH6K8GcjjNQOp3r64b+UKz awsiCxxTHooX4iwJtAumKn4GQkZc7lvwceHDxJHezcg56jTj2Ah3P2mtTAesbP+vwZNb Eo2A==
Received: by 10.236.76.233 with SMTP id b69mr12849719yhe.52.1338322925164; Tue, 29 May 2012 13:22:05 -0700 (PDT)
Received: from [192.168.123.103] ([186.134.30.55]) by mx.google.com with ESMTPS id a13sm21308546anm.5.2012.05.29.13.22.02 (version=SSLv3 cipher=OTHER); Tue, 29 May 2012 13:22:04 -0700 (PDT)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4FC52FD3.9060206@gont.com.ar>
Date: Tue, 29 May 2012 17:21:39 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: RJ Atkinson <rja.lists@gmail.com>
References: <20120529143900.25613.76678.idtracker@ietfa.amsl.com> <3B0A71DA-8846-4FFF-9AD8-9B106EF8799B@gmail.com>
In-Reply-To: <3B0A71DA-8846-4FFF-9AD8-9B106EF8799B@gmail.com>
X-Enigmail-Version: 1.5pre
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2012 20:22:06 -0000
Hi, Ran, Thanks so much for your comments! Meta-answer: This document is a BCP on how to implement RA-Guard, *not* a BCP that RA-Guard should be deployed. -- i.e., we're not saying whether you should or should not deploy ra-guard, but rather "if you implement ra-guard, you should do it this way". -- I'm just double-checking that this is the angle from which you've read the document... More comments inline... On 05/29/2012 01:38 PM, RJ Atkinson wrote: > 1) Layer-2 Processing Rule causes valid IPv6 packets to be dropped > > MULTIPLE ISSUES: > > Rule #4 in this document is overly restrictive. Implementing > this rule has the effect of changing the IPv6 specifications > to prohibit otherwise legitimate packets that violate this new > and somewhat arbitrary rule, which is an unreasonable change. > In effect, this cure (i.e. Rule 4) is worse operationally than > the potential disease. To some extent, RA-Guard does firewalling at layer-2. This means that, as with stateless filtering, there's a point at which you need to draw a line that says what you consider acceptable, and what not... and as with layer-3 stateless firewalls, there is (at leasttheoretically speaking) a risk of false positives. If those false positives outweigh the benefits of firewalling in the first place, you simply do not deploy the firewall (or in this case, RA-Guard) (more comments below) > Further, Layer-2 only devices (e.g. Ethernet bridges/switches) are > commonly, correctly, and legitimately used to interconnect different > segments of the same IPv6 subnetwork. So a Layer-2 device cannot > know whether a particular RA Advertisement is valid or not -- that > information is simply not available at Layer-2 in a dependable way. I those scenarios, you either manually configure every layer-2 device in an appropriate way, or you simply do not deploy ra-guard. > Absent manual configuration that tells the Layer-2 device which ports > might connect to routers, the Layer-2 device separately cannot know > which "ports ... are not allowed to send ICMPv6 Router Advertisement > messages". Exactly. You should manually configure the device with this information, *and* you should manually enable ra-guard. > Separately, in a network that contains wireless elements, routers > might connect to different Layer-2 base stations at different times. > In turn, those different Layer-2 base stations are very likely to > connect to different Layer-2 ports on different Layer-2 switches/bridges. > Such Layer-2 switches/bridges generally cannot know that a wireless > aspect exists in the deployment. So this is another reason that a > Layer-2 only device is not the correct place to be trying to filter > ICMPv6 RA packets. In those scenarios, you'd simply not deploy ra-guard. As noted at the beginning of this e-mail, my take is that you assume that we're encouraging ra-guard deployment for the general case, But this document simply specifies how you should *implement* ra-guard, and doesn't argue in favor (or against) its deployment. > Removing this rule creates no new security risk as the any actual > problem packet can be detected and dropped later -- either by an > IPv6-capable router or an IPv6-capable firewall -- one that is > located at an IPv6 subnetwork boundary. How would you block malicious RAs originating from the local subnetwork? > There are existing openly specified, legitimate, IPv6 Destination > Options that can be somewhat large in size (notably: CALIPSO). My take is that if you setup employs CALIPSO, and it leads to packets with a header chain that spans multiple local MTUs, then you'd simply not deploy RA-Guard. That say, would CALIPSO packets really lead to IPv6 header chains that would span past 1500 bytes, or even past 1280 bytes? > PROPOSED ACTION: > > The current Rule #4 should be have its meaning inverted (i.e. If a > Layer-2 device is unable to identify whether the packet is an ICMPv6 > Router Advertisement, then the packet should be transmitted without > modification) and text referring to that rule also should be edited > heavily to outline the issues noted above as the reason for the > "transmit if in doubt" policy for a Layer-2 device. As noted above, this document just specifies how to implement RA-Guard, When it comes to actual deployment, there are may be trade-offs (as discussed above). But if you do decide to deploy RA-Guard, you probably do not want a "default allow" rule (because attackers would certainly use any of the evasion techniques described in the document)... Please do let me know what you think... Cheers, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-imp… The IESG
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Marc Lampo
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ray Hunter
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Washam Fan
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… George, Wes
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel M. Halpern
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ran Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel jaeggli
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Marc Blanchet
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ray Hunter
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Joel M. Halpern
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Ronald Bonica
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Nick Hilliard
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… RJ Atkinson
- Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard… Fernando Gont
- [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-imp… The IESG