IETF Logo Mail Archive

Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Warren Kumari <warren@kumari.net> Mon, 25 October 2021 22:44 UTC

Return-Path: <warren@kumari.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1AFB3A0BB0 for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 15:44:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3j83FlKRmp4e for <v6ops@ietfa.amsl.com>; Mon, 25 Oct 2021 15:44:46 -0700 (PDT)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D1193A08C4 for <v6ops@ietf.org>; Mon, 25 Oct 2021 15:44:31 -0700 (PDT)
Received: by mail-ua1-x935.google.com with SMTP id s4so1167419uaq.0 for <v6ops@ietf.org>; Mon, 25 Oct 2021 15:44:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qeIOtwOGriY6Jrw5Wq3hFQ6QWtLKCXWlP3xCegsSn1Q=; b=W+/5V9qWRv7Sjxg+W9jkw099UIjGbTRU4LSrnGvmFu67r55nyRpejncuy6NZu8HnZs JMTqqzXa/5MveQXkwEOIZj5TwWttAOHv8y6BvGNTk+h7elLT8H7icPpVp3Zq1IXIBKzG hTylmvXmqLbi4+y1IchsAI55veNJcq/lpX0tSbzebzmJlC/Mu3kAa9+wzC1R2ni57RYL 404UN/rXFBUiyN2mH7SYrDorjdJsarMqGV+94oMUj9dNc0tnfWOpSYa44G9aMFB0LFi6 Y49wwnbaVhy1VtDJPPl9ioMVNZP8BMd4+uDjaTxVqMta4gt3jf5L1U4l5OMfoQfoi4t9 uQhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qeIOtwOGriY6Jrw5Wq3hFQ6QWtLKCXWlP3xCegsSn1Q=; b=MQovt/UBTPuq9316r2tybd2Q5GDbK3DesmrkV5ROg0G40CkhMm+uvgfcuzyRKS1286 4yAFfY9ExjppPrTWLZBDOOVlJzBGAT7fTlBa2cxv5Y+9mDdOfdo2RQ6TmXu7gAAGbPeU R54a7rbkWHS4SltyGLsIwPPhuVEMiqlDvqgKGhadXVsRdzi/6HJriFLNvDNYJUTNyv2Q eSYEVBpikE+baxa/aPsOhPmc+UddsH/rJ4Fvlb/16rfN1hyBoTFfSGbv6mE9cxvDLOyL BzYuLM2UBo3ltgqZ6PfcJfRrZAzhUWEUZXLYElveob6gLTkL2oLQ76v2hoVUen/n4VJ3 6shA==
X-Gm-Message-State: AOAM5321ElkurV46AvluY2WVV1lk8ucg6qiQ9cPERjZrawBZzt5lS4Zq I43hGDkPGS7SukheC+WKAIMne/0sFTJbvecNUOEuUg==
X-Google-Smtp-Source: ABdhPJyThhHrqTj6AA5CiLQMgZtEGSejMYCp4Pn4iUJQVJS/+mwwvzwq2uteorh4xwjnx81W3u4P3ItM89/9OwaS/Rc=
X-Received: by 2002:a05:6102:115b:: with SMTP id j27mr9113480vsg.7.1635201868928; Mon, 25 Oct 2021 15:44:28 -0700 (PDT)
MIME-Version: 1.0
References: <CB45220A-ECE6-492A-8A37-D189A71CDA2B@liquidtelecom.com> <CAHw9_iJy_OjSwRDRx5cbB6yhau7XzNUKTi49sHhi0CnmRARQUA@mail.gmail.com> <1F31CC6F-8471-4B50-AE3F-9E5FC76BB447@employees.org> <CAHw9_iKU5--mFq3swhSbGJHV9Y5H52cKcgeF=nBf1rqZeBMRJQ@mail.gmail.com> <YXciHYMNa6KJUohp@Space.Net> <ff55bdc4-9274-adc5-ef09-0d398b52342a@gmail.com> <YXcl2iQMvZe8ggLs@Space.Net> <0C1C8148-3D59-4C2A-A834-5B11854B3E7C@liquidtelecom.com>
In-Reply-To: <0C1C8148-3D59-4C2A-A834-5B11854B3E7C@liquidtelecom.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 25 Oct 2021 18:43:52 -0400
Message-ID: <CAHw9_iLm_T=F_m+Bie5ey6=PU18D610w6HsXY16f118hzmp5Kw@mail.gmail.com>
To: Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>
Cc: Gert Doering <gert@space.net>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088ac3a05cf351a7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/uQoKVoBxNE9SokxMiaBb-ePiqnM>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2021 22:44:52 -0000

On Mon, Oct 25, 2021 at 6:18 PM Andrew Alston <Andrew.Alston=
40liquidtelecom.com@dmarc.ietf.org> wrote:

> It would help to have a dedicated prefix - as a start - does it really
> solve the issue though.
>

That depends on what we are meaning by "the issue" -- I think that it is
more "issues" :-)

What it does do is allow me to filter out *your* SRH traffic at my border
ingress (and also makes it easier for you to filter at egress) - this gets
us something that looks and behaves much more like an MPLS edge.

I fully agree that it doesn't protect against a compromised host that is
participating in the limited domain itself -- but, hopefully it does limit
some of the fallout from that to just within the domain itself. Sorry to
sound uncaring, but if you end up with a compromised server creating
malicious packets within your SRH domain, I'd much rather that they
only affect you and not me :-)
Having a crunchy edge may also help with determining what should actually
participate in the limited domain -- if you include a stack of cloud
servers participating in SRH, yes, they are now able send SRH packets. This
is a conscious decision that you've made -- it might be a perfectly fine
one, but you've intentionally extended the edge of the domain to include
this. In my ideal scenario, this prefix is by default filtered, and you'd
need to explicitly allow it on a per interface basis.


>
> Imagine a device with a stack of cloud servers behind it - each server
> terminates on a separate sub-interface - and now you're trying to apply
> what is in effect an LPM filter to each and every interface (as compared to
> host based firewalling or other security mechanisms) - my question is then
> - how far will your tcam go - how practical is this in reality.
>
> This is as opposed to if there is a separate ether-type where an interface
> is either configured to process it or drop it on the floor.


I much much prefer a separate ether-type -- but I suspect that that ship
has sailed.


> So yes - the prefix filtering will help - but I suspect that you're gonna
> find many many scenarios where this actually doesn’t work - and all you
> need is *one* filter miss that has a compromised server behind it to have
> real problems.
>
> Something I haven't got around to fully testing yet - but let me throw out
> an interesting scenario on my list of tests to do.
>
> Rogue host A takes an IPv4 packet and encapsulates it in an SRH - the
> First sid in there is any v6 router you like on the path - the packet gets
> there - it get de-encapped - same as everything I've said before.


I'm assuming that in this scenario your "Rogue host A" is one that has
intentionally added to the SRH domain (either by allowing your new
ether-type, or manually removing the "limited domain prefix filter")? If
so, then yes, bad things happen. This seems largely the same as "I decided
to add "Rogue host A" to my MPLS domain so it could MPLS", or I added
"Rogue host A" to my IGP, because reasons...
Making a host able to influence routing, whether it is part of
something like MPLS, SR<something>, or in your IGP makes that host able to
do bad things...

W


Now - the inner packet is a v4 packet - it has a source set to random host
> attacker doesn’t like - and its destination is 255.255.255.255  - which
> thanks to rfc919 will not forward - when that deencap happens - does the
> packet get dropped because it can't be forwarded - or does it get treated
> as a local broadcast.  This is a rather undefined scenario - if however it
> DOES get treated as a local broadcast - well - then we have a really big
> problem - that’s called smurf-v2 (and even if 255.255.255.255 doesn’t work
> - more specific broadcasts that are attached may well work). At this point
> - when the broadcast packet hits the hosts behind those broadcasts - they
> will reply to the spoofed source - this will follow stock standard routing
> outbound - and the protections we would normally use aren’t gonna work (the
> source of replies to the broadcast packets would be the hosts - they are
> permitted to send packets to the internet)


> Another scenario - sending to multicast addresses post de-encap - do we
> have a potential attack vector to poison ND?  Again - haven't had the time
> to test this.
>
> Same thing applies to a whole long list of other things - effectively - if
> you get one compromised host on the network that can inject a packet that
> will de-encap and act on the inner packet - with absolutely zero mechanisms
> for verification of what is in that inner packet or how to handle it - the
> list of possible problems is - extensive to say the last.  All I am saying
> is - we need to really step back and think - and I think this needs a
> veryyyyy close look - because in initial tests  I have done - and without
> the above additional tests - I can tell you my results are looking
> positively scary (and once I complete the full set I'll publish some
> scenarios and results with more detail)
>
> Andrew
>
>
> On 26/10/2021, 00:48, "v6ops on behalf of Gert Doering" <
> v6ops-bounces@ietf.org on behalf of gert@space.net> wrote:
>
>     Hi,
>
>     On Tue, Oct 26, 2021 at 10:44:32AM +1300, Brian E Carpenter wrote:
>     > On 26-Oct-21 10:31, Gert Doering wrote:
>     > > On Mon, Oct 25, 2021 at 05:20:51PM -0400, Warren Kumari wrote:
>     > >> I somewhat like the idea of having a well known prefix for
> "limited
>     > >> domains"
>     >
>     > fc00::/7 works well. RFC8994 is a worked example.
>
>     So how would that work for an ISP network trying to run SR6, protecting
>     its network from rogue hosts inside?  Without having GUAs on the SR6
>     routers that would happily decapsulate incoming SR6 packets, and
>     without violating lots of rules about "do not leak ULAs outside
>     your network" (traceroute and other ICMP errors)?
>
>     I lack imagination today...
>
>     Gert Doering
>             -- NetMaster
>     --
>     have you enabled IPv6 on something today...?
>
>     SpaceNet AG                      Vorstand: Sebastian v. Bomhard,
> Michael Emmer
>     Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A.
> Grundner-Culemann
>     D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
>     Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>


-- 
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra

v2.30.2 | Report a Bug | By Email | System Status