IETF Logo Mail Archive

Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 09 January 2009 22:02 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1389D3A6964 for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 9 Jan 2009 14:02:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.561
X-Spam-Level:
X-Spam-Status: No, score=-1.561 tagged_above=-999 required=5 tests=[AWL=-1.066, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgmhjOkaRP9L for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 9 Jan 2009 14:02:57 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BB9623A685E for <v6ops-archive@lists.ietf.org>; Fri, 9 Jan 2009 14:02:56 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1LLPLF-00028I-Gn for v6ops-data0@psg.com; Fri, 09 Jan 2009 21:56:33 +0000
Received: from [209.85.142.190] (helo=ti-out-0910.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1LLPL9-00027r-RP for v6ops@ops.ietf.org; Fri, 09 Jan 2009 21:56:30 +0000
Received: by ti-out-0910.google.com with SMTP id b6so10775354tic.23 for <v6ops@ops.ietf.org>; Fri, 09 Jan 2009 13:56:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=MUVNBqLB1LF7qbGxKM4Zz5gdYUuEd4WRdn2UBmdixSQ=; b=LatU6DIeSfq214CHRFF97V88UDk5fhDN/cvE9bMmgQHcRAgglSFBzj5ZocUoihsO/X x+/js+MqQS7l1HVbP28KBfl832o76FJUmgacpO4vnO5xpARMZJJ4xuFA8UztEIoOqNEo DLWgPPEw6hbPou/UFW6I6GXBErd5FPesru/YI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=qVqAO8gS2hjHJ44clQ77/VRmO2uqCva2NtG75G04MA1/oGvm77MbTgs7BamTrwC5eF n6pXpkH3DElnuStyYm1fBWK8AlZjd3/xVXESR+cRBFpOMnz4LteGWh7diWSsvkevDTE5 auId3VTNH4X5GyiGlrcbHv8cj6p7UfF+vHDk0=
Received: by 10.110.86.3 with SMTP id j3mr6060090tib.32.1231538185983; Fri, 09 Jan 2009 13:56:25 -0800 (PST)
Received: from ?10.1.1.4? (118-93-185-90.dsl.dyn.ihug.co.nz [118.93.185.90]) by mx.google.com with ESMTPS id 2sm4736220tif.39.2009.01.09.13.56.21 (version=SSLv3 cipher=RC4-MD5); Fri, 09 Jan 2009 13:56:25 -0800 (PST)
Message-ID: <4967C803.7060803@gmail.com>
Date: Sat, 10 Jan 2009 10:56:19 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Nathan Ward <v6ops@daork.net>
CC: Suresh Krishnan <suresh.krishnan@ericsson.com>, Christian Huitema <huitema@windows.microsoft.com>, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, Pasi Eronen <Pasi.Eronen@nokia.com>, Tim Polk <tim.polk@nist.gov>, "secdir@mit.edu" <secdir@mit.edu>, "Jim_Hoagland@symantec.com" <Jim_Hoagland@symantec.com>, Dave Thaler <dthaler@windows.microsoft.com>, "v6ops@ops.ietf.org" <v6ops@ops.ietf.org>
Subject: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
References: <8B128AB2-BBD9-49B9-A837-F00DD80BF5D3@Isode.com> <48F2C29B.8090900@ericsson.com> <D6947E23-5209-4767-882A-7EBA645B3DCB@daork.net> <48F8EE0D.4060307@ericsson.com> <48FB9A79.8040407@gmail.com> <8EFB68EAE061884A8517F2A755E8B60A134A70E895@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <48FDFBCB.1090508@ericsson.com> <48FE4681.4070006@gmail.com> <5333EA69-337F-4373-A247-1852B61D96C0@daork.net> <48FF8AEC.9060708@gmail.com> <4D50A24E-E6AD-4096-895B-E4084EBEFB19@daork.net>
In-Reply-To: <4D50A24E-E6AD-4096-895B-E4084EBEFB19@daork.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

Nathan,

On 2009-01-09 17:46, Nathan Ward wrote:
> On 23/10/2008, at 9:19 AM, Brian E Carpenter wrote:
> 
>> As far as I can see, there's a general problem in attempting
>> to detect and block Teredo packets (I mean UDP/IPv4 packets
>> in Teredo format). But it seems to me that by running an
>> internal Teredo server, a site is much better placed to
>> track and trace Teredo users. This is important as Teredo
>> users really need to be running an IPv6-savvy host firewall.
> 
> Nope, as remote Teredo relays and hosts will send traffic directly. I do
> not believe that it is not possible to restrict Teredo to a certain domain.

No, and that's not what I meant to suggest. I meant that by operating
a local Teredo server, the local management can find out who is actively
using Teredo and ensure that they are adequately protected at the host
level. It certainly isn't reasonable to expect a site firewall to be
doing the necessary deep packet inspection.

> 
> Perhaps if the local Teredo server tells the local Teredo aware firewall
> what UDP ports on each IPv4 /32 are used for an address, then the
> firewall could inspect packets, but there are no such products currently.
> 
> You also have to force end hosts to use that Teredo server. It's not
> immediately clear to me how you would do that.

Quoting you out of context:

"  Alternatively, a network may force customers to use its Teredo
   servers by 'spoofing' DNS names or IPv4 addresses. "

Were you planning to follow up on draft-nward-v6ops-teredo-server-selection-00?

> 
> If you're in a position to operate a Teredo server in an end site
> organisation, you are better off doing ISATAP. That is what it is
> designed for.

Yes, but my concern was more about users who are spontaneously using
Teredo. The above type of spoofing is a way to find them,
however unpleasant it may be.

> 
>>>> I agree with you that there are real threats (or will be, once
>>>> there is enough deployment to make IPv6 tunnels an interesting
>>>> target). It's quite appropriate to document them.
>>>
>>>
>>> I need to preface these remarks by say that I haven't read the document
>>> apart from a quick skim read, so sorry if I'm saying something that's
>>> already in there, or is not relevant.
>>>
>>> I think it's important to distinguish between tunnels that end users'
>>> systems create automatically (ala 6to4, Teredo in Vista), and tunnels
>>> that end users create to work around firewalls.
>>>
>>> The former is easy to document solutions for, in fact, it seems to me
>>> that any tunnelling protocol RFC should include details as to how a
>>> network administrator can prevent these protocols passing through their
>>> network. For Teredo this means blocking port 3544/3545. For 6to4 this
>>> means blocking protocol 41 (preferably returning ICMPv6 messages
>>> encapsulated in 6to4 so the the application is told about it..). This is
>>> more about blocking things that do not work or perform poorly in a
>>> certain environment, rather than trying to secure a network.
>>>
>>> The latter is not so easy, and I think this document should simply point
>>> out that the only way to really do this is to completely control the end
>>> users' machines, and not allow any third party software or configuration
>>> changes. Anything else is instilling a false sense of security in the
>>> minds of network administrators who perhaps are not as fluent in these
>>> things as we are.
>>
>> Yes, but there are plenty of environments where that's impossible,
>> and default deny is unacceptable because it blocks legitimate usage.
>> I think the document needs to steer between the extremes, and suggest
>> scenarios that are reasonably safe.
> 
> 
> This is the security trade-off, and is up to the security people of each
> organisation I suppose. I don't think we can say what is or is not
> acceptable.
> 
> Most organisations where I have been employed have used default deny,
> and required the use of an HTTP proxy. That worked fine for 99% of
> people, and the few of us who had different requirements had special
> ethernet ports, etc.
> 
> I am very concerned about the direction we're heading in with firewall
> type stuff if we're requiring security people in organisations to
> understand (fairly) complex protocols like Teredo. I have a hard enough
> time explaining this to people who have worked in IP networking for a
> long time. An excellent example of this is Brian's comments in the first
> part of this email.
> 
> Because of this, I feel that this document should list several options,
> and state that the only way to be sure is the default deny, option
> unless you *really* understand the protocols and can prove it.

That seems very reasonable, and I would prefer it to what looks
like firm recommmendations right now.

    Brian

v2.23.0 | Report a Bug | By Email