IETF Logo Mail Archive

Re: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment

Paolo Volpato <paolo.volpato@huawei.com> Fri, 22 April 2022 17:13 UTC

Return-Path: <paolo.volpato@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB24B3A19B3; Fri, 22 Apr 2022 10:13:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kEHF4RzSlrBn; Fri, 22 Apr 2022 10:13:19 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE79A3A19B0; Fri, 22 Apr 2022 10:13:18 -0700 (PDT)
Received: from fraeml739-chm.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4KlLVb4J18z686pL; Sat, 23 Apr 2022 01:09:27 +0800 (CST)
Received: from fraeml740-chm.china.huawei.com (10.206.15.221) by fraeml739-chm.china.huawei.com (10.206.15.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Fri, 22 Apr 2022 19:13:15 +0200
Received: from fraeml740-chm.china.huawei.com ([10.206.15.221]) by fraeml740-chm.china.huawei.com ([10.206.15.221]) with mapi id 15.01.2375.024; Fri, 22 Apr 2022 19:13:08 +0200
From: Paolo Volpato <paolo.volpato@huawei.com>
To: Fernando Gont <fernando.gont=40edgeuno.com@dmarc.ietf.org>, V6 Ops List <v6ops@ietf.org>
CC: "draft-ietf-v6ops-ipv6-deployment@ietf.org" <draft-ietf-v6ops-ipv6-deployment@ietf.org>
Thread-Topic: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment
Thread-Index: AQHYVj72Bu2fmQjMfkCz5GO0FYbR1az8F7cg
Date: Fri, 22 Apr 2022 17:13:08 +0000
Message-ID: <90b01b70fc1a4ac0b17b98fb15767700@huawei.com>
References: <3008655b-2af6-7df0-1302-63cf81bad8b4@edgeuno.com>
In-Reply-To: <3008655b-2af6-7df0-1302-63cf81bad8b4@edgeuno.com>
Accept-Language: it-IT, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.81.209.60]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/xN6M0tklHOrxBA9GNSKWhUJUCEY>
Subject: Re: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 17:13:24 -0000

Hi Fernando,
Thanks for your comments.
Definitely, you are not late. We have just started to review the draft, it shouldn't be so difficult to accommodate them.
Please find some comments inline marked as [PV].

Best regards
Paolo

-----Original Message-----
From: v6ops <v6ops-bounces@ietf.org> On Behalf Of Fernando Gont
Sent: Friday, April 22, 2022 1:48 PM
To: V6 Ops List <v6ops@ietf.org>
Cc: draft-ietf-v6ops-ipv6-deployment@ietf.org
Subject: [v6ops] Some comments on draft-ietf-v6ops-ipv6-deployment

HI, All,

Apologies for the bad timing (I guess it could still be worse... i.e., past IETF-LC ;-)  ).

I've read through the I-D, and it seems that there are a number of claims that seem to be technically inaccurate.

These are my comments:


* Section 6, page 24:

"   4.  Future Proof: IPv6 was designed from scratch to be future-proof,
        despite some incompatibilities with IPv4. "

Isn't IPv6 *fully* incompatible with IPv4?

[PV] We'll review the sentence

* Section 6, page 24:
  "     A side effect to that, this approach brings the
        connectivity model back to the end-to-end client/server
        paradigm."

It's not just NATs, but firewalls and other middle-boxes. So no, I think that ship has sailed already. (see e.g.:
https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ipv6-addressing-considerations#section-4.3)

[PV] Right, but here we meant the end-to-end relationship at the network layer, not at the layers above it. This is why we focused on NATs.
We will better specify this concept in the next version.

* Section 6, page 24:
       "The introduction of new functionality is
        one of the technical benefit of IPv6 due to the flexible
        structure of the packet header.  The IETF is currently active in
        defining operational recommendations for the usage of Extension
        Headers and Options left open by the base standards."

But then Geoff Huston argues in
https://blog.apnic.net/2022/03/25/notes-from-the-iepg-meeting-at-ietf-113/
that:

"....all IPv6 extension headers are unusable in the public IPv6 Internet and proposals to carry information in such headers are completely unrealistic in this context. The conclusion is simple: If you want to deploy a robust service on the IPv6 public Internet then you should avoid any use of extension headers."

[PV] Well, this sentence intended to highlight the extensibility of IPv6 in comparison to IPv4.
Later in the document (sec. 7.5.2) we also highlighted the issues related with EHs. Anyway we'll review this sentence to make it "less optimistic" (more realistic :-)

* Section 7.5, page 31:

"  There are some concerns in terms of the security but, on the other
    hand, IPv6 offers increased efficiency.  There are measurable
    benefits to IPv6 to notice, like more transparency, improved
    mobility, and also end to end security (if implemented)."

This is wrong, or misleading at best.

First of all, you're discussing security, and you;re kind of saying
"IPv6 security is bad... but well, the protocol is fast" -- in the context of a discussion of security, who cares about the later? :-)

The statement that IPv6 offers increased efficiency is also misleading.
If you;re going to make that claim, please provide a reference. (Note:
measurements tend to argue the other way around).

"Improved mobility" probably refers to mobile-IP. But, what's the level of mobile-ip deployment/usage?  Do folks still have any hopes on mobile ip?

"End to end security" might also be misleading. You can deliver "end to end security" with IPv4 as well.

[PV] Brian also had similar comments to this point. We plan to delete these sentences

* Section 7.5, page 31:

"  However, this is turning also in the other way around, as with more
    IPv6 deployment there may be older IPv4 flaws not discovered or even
    not resolved anymore by vendors."

Are you really expecting that vendors will stop patching IPv4 vulnerabilities anytime soon?

[PV] Agree that re-reading the sentence you may have this doubt. We'll review it

* Section 7.5.1, page 31:

"Since it is used in many IPv6 related
    protocols, ICMPv6 packet with multicast address should be filtered
    carefully to avoid attacks."

Multicast packets don;t generally represent an issue, since in most networks you won't have multicast routing, anyway.

[PV] Ok, we will add more details in this section, in particular on ICMPv6 and ND threats (which was our intended target)

* Section 7.5.2, page 33:

A reference to RFC8990 is probably warranted here.

[PV] Guess it is RFC 9098 as below, right? If so, ok

* Section 7.5.2, page 33:

"   IPv6 Extension Headers imply some issues, in particular their
    flexibility also means an increased complexity, indeed security
    devices and software must process the full chain of headers while
    firewalls must be able to filter based on Extension Headers."

At the risk of sounding our own horn, a reference RFC9098 is probably warranted here.

[PV] Ok

* Section 7.5.2, page 33:

"   Additionally, packets with IPv6 Extension Headers may be dropped in
    the public Internet."

Ditto for RFC7872.

[PV] Good suggestion

* Section 7.5.2, page 33:

   "Some documents, e.g.
    [I-D.hinden-6man-hbh-processing], [I-D.bonica-6man-ext-hdr-update],
    [I-D.peng-v6ops-hbh] analyze and provide guidance regarding the
    processing procedures of IPv6 Extension Headers."

They don't really provide guidance, but rather aim at changing the standard. Please also note that all of them seem to be individual submissions, and not wg documents.

[PV] Right, we will revise the sentence to also update the references. 2 of them now have been adopted

* Section 7.5.2, page 33:

"   There are some possible attacks through EHs, for example RH0 can be
    used for traffic amplification over a remote path and it is
    deprecated. "

One should not that probably most IPv6-related vulnerabilities have been associted with implementation flaws in the processing of IPv6 extension headers.

[PV] Ok

* Section 7.5.2, page 33:
   "There are some possible attacks through EHs, for example RH0 can be
    used for traffic amplification over a remote path and it is
    deprecated.  Other attacks based on Extension Headers are based on
    IPv6 Header Chains and Fragmentation that could be used to bypass
    filtering, but to mitigate this effect, Header chain should go only
    in the first fragment and the use of the IPv6 Fragmentation Header is
    forbidden in all Neighbor Discovery messages.

    Fragment Header is used by IPv6 source node to send a packet bigger
    than path MTU and the Destination host processes fragment headers.
    There are several threats related to fragmentation to pay attention
    to e.g. overlapping fragments (not allowed) resource consumption
    while waiting for last fragment (to discard), atomic fragments (to be
    isolated)."

A reference to RFC8200 is probably warranted here. Also one to RFC6980.

[PV] Ok

* Section 7.5.2, page 33:
  " A lot of additional functionality has been added to IPv6 primarily by
    adding Extension Headers and/or using overlay encapsulation."

But then Geoff Huston argues in
https://blog.apnic.net/2022/03/25/notes-from-the-iepg-meeting-at-ietf-113/
that:

"The high order takeaway from both of these measurements is that all
IPv6 extension headers are unusable in the public IPv6 Internet and proposals to carry information in such headers are completely unrealistic in this context. The conclusion is simple: If you want to deploy a robust service on the IPv6 public Internet then you should avoid any use of extension headers."

[PV] Ok, we will review the sentence by highlighting the current trend in the IETF and the different proposals about the use and limits of the EHs 

* Section 7.5.2, page 33:
    "All of
    the these expand the packet size and this could lead to oversized
    packets that would be dropped on some links.  It is important to
    investigate the potential problems with oversized packets in the
    first place. "

In many (most?) cases, it's the presence of IPv6 EHs or the length of the EH chain that leads to drops, rather than the overall packet size itself.

[PV] Right, we'll fix this sentence

Thanks!

Cheers,
--
Fernando Gont
Director of Information Security
EdgeUno
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531




“This communication is the property of EdgeUno or one of its group companies and/or affiliates. This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and if you are not the intended recipient be aware that any non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, and will be considered a criminal offense. Please notify legal@edgeuno.com about the unintended receipt of this electronic message and delete it.”

_______________________________________________
v6ops mailing list
v6ops@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email