IETF Logo Mail Archive

Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops

otroan@employees.org Wed, 16 March 2016 10:50 UTC

Return-Path: <otroan@employees.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 319EC12D7B5 for <v6ops@ietfa.amsl.com>; Wed, 16 Mar 2016 03:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=employees.org; domainkeys=pass (1024-bit key) header.from=otroan@employees.org header.d=employees.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pGlHlfHjINyu for <v6ops@ietfa.amsl.com>; Wed, 16 Mar 2016 03:50:20 -0700 (PDT)
Received: from cowbell.employees.org (cowbell.employees.org [IPv6:2001:1868:a000:17::142]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03D2612D522 for <v6ops@ietf.org>; Wed, 16 Mar 2016 03:50:20 -0700 (PDT)
Received: from cowbell.employees.org (localhost [127.0.0.1]) by cowbell.employees.org (Postfix) with ESMTP id 954B8D788E; Wed, 16 Mar 2016 03:50:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h=subject :mime-version:content-type:from:in-reply-to:date:cc:message-id :references:to; s=selector1; bh=sC47Y5lnFuS/7QE8CAydANGzQNQ=; b= Hnrh0qYe1mWwyEp0H/DB4gbtCJ5bfkc+nz/f95WqcHW3c+LfFFL95jELz4E4L6/8 YbGa4NZsj4tLCfNdspLVgJuXrsrNCFQ0ajdsS1MGxOxFhGMfxA/lsHHYK/BX/vVB hUTkqLJqcaG6p9dF+h9glZj/0ais6LAsbdaLfwWBoIU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h=subject :mime-version:content-type:from:in-reply-to:date:cc:message-id :references:to; q=dns; s=selector1; b=py1iKe7IaGx3YZQk+LUxHdI7aV 26g6w9gscftxPPgHR3AMcO5RLd5VuN0IJkJTzwdY2M9XEWUZtdIG2JsnZ5o3qQiG I6ZYiWvL6rC1rKYdD4C01+EsTHdz5tmraALsfWYiaNs3OqEcVCwnjrQvUPMDASjN lGJh+4KFIgF8gT9qM=
Received: from h.hanazo.no (unknown [173.38.220.43]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: otroan) by cowbell.employees.org (Postfix) with ESMTPSA id 2BA38D7884; Wed, 16 Mar 2016 03:50:18 -0700 (PDT)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by h.hanazo.no (Postfix) with ESMTP id CF9B512A8D68; Wed, 16 Mar 2016 11:50:15 +0100 (CET)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_ACDED3EB-950D-42FF-8BB8-F227F030FB01"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: otroan@employees.org
In-Reply-To: <56E892B8.9030902@foobar.org>
Date: Wed, 16 Mar 2016 11:50:14 +0100
Message-Id: <394925FE-FAB1-4FFC-B1CF-4F64CC58F613@employees.org>
References: <A277BE71-BD70-4AFE-97DA-F224D7DBBCB8@cisco.com> <BDA56C2D-788D-421C-B44A-1A29578F0F78@employees.org> <56E318C7.5020200@gmail.com> <F57DFD38-FC99-45AE-B41D-51B0565148B1@employees.org> <CALx6S37vNXk-g=W4n_Qvd2J=7xkgydvGEUwrhu8pRQig0hoqLg@mail.gmail.com> <1BB37194-0F5B-45C1-9DFA-87B1C28264D2@employees.org> <CALx6S37vfDcchTa5Tch+BS8rQAGgPP_EeYbVz19WBchSHTqExg@mail.gmail.com> <56E60B0D.6070600@gmail.com> <CALx6S36_Vi4XZfPvCNY42zpbXy9dXeXzwE8KedxYDhne371HHA@mail.gmail.com> <56E6326B.2090303@gmail.com> <CALx6S353ognNHWnjbNSdW5hb_e6Hv3LqLa_r+e9yEW4F=cjH=A@mail.gmail.com> <56E6FC18.1060304@foobar.org> <CALx6S35pcSj_LLnDWJ68KwSYiHeu6FwrXTaR4N2xE6aY7MRO1A@mail.gmail.com> <CAHw9_iLbqEvsw0x4dDcA3Zy3SXKUROcQuy5nSynsL9Xi+xrZLg@mail.gmail.com> <566C93D0-62FF-4700-BC05-7F9AF12AF1BD@employees.org> <56E892B8.9030902@foobar.org>
To: Nick Hilliard <nick@foobar.org>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/vEcIL6u_2fAmCiuTsB72oWiOHGg>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] WG Doc? draft-gont-v6ops-ipv6-ehs-packet-drops
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 10:50:22 -0000

Nick,

> otroan@employees.org wrote:
>> from the perspective of a software forwarding path. parsing the
>> extension header chain is _always_ going to be slower than not doing
>> it. that in itself can be considered opening your implementation up
>> to DOS attacks, but oh well.
> 
> assuming that you're talking about routers with separate management and
> forwarding planes, and that you're referring to packets being punted
> from the regular forwarding plane to the management plane when they are
> difficult to handle (e.g. large EH chains), you can assume that on
> current large routers, this is as good as dropping the packet because
> the disparity between the capacity of the forwarding plane and the
> management plane is too large to be useful. No-one in their right mind
> will let the management plane of a high end router chew up management
> CPU by forwarding punted packets. It's pointless.

no, I'm talking about behaviour just in the data plane (in my case one that runs entirely in software).
if the requirement is to look into the L4 header, then there will be a performance penalty for processing packets with extension headers. looking deeper into packets == more memory accesses.
long EHs could be used as a DOS attack against the router.

simple solution is to not look into the L4 obviously.

>> can ingress / edge filters be done in two stages? core routers only
>> filter on SA/DA while whatever infrastructure function you need to
>> reach apply deeper filters?
> 
> Basically, no.  What might look to be legitimate traffic on core ingress
> might only become visible as a ddos attack on the egress to the edge.
> That's assuming that there is a clear-cut edge and core which there
> often isn't.
> 
>> for DOS attacks, are those filters put in place dynamically?
> 
> yes - e.g. via flowspec.
> 
>> what does a typical attack look like?
> 
> they vary extremely widely; the smarter attacks will measure the effect
> on the recipient site and vary the ddos traffic according to what
> appears to work the best.  I.e. if one style of traffic appears not to
> be having an impact, the traffic profile might change to something else
> to see if that causes more trouble.
> 
>> can you identify it without having to parse EHs?
> 
> If someone attacks with ipv6 and there is a long enough EH chain to
> cause the normal forwarding plane of a router to be unable to look far
> enough into the packet to determine the L4 info, then the only real
> option is to drop or rate limit (which is nearly equivalent to dropping
> in the case of a ddos). There is insufficient parsing granularity on any
> current equipment to be able to do much else.

why wouldn't the ddos flowspec description include the EHs in that case and not depend on only the L4 information.

can we conclude that we don't know enough about ddos attacks to determine how they can be filtered?

cheers,
Ole

v2.23.0 | Report a Bug | By Email