Re: [v6ops] Reminder: draft-ietf-v6ops-tunnel-loops WGLC

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 11 April 2011 16:06 UTC

Message-ID: <4DA326E0.3060808@gmail.com>
Date: Tue, 12 Apr 2011 04:05:52 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Mark Townsley <mark@townsley.net>
References: <EA2927DA-41EB-44D6-9494-80150863AD15@cisco.com> <F4D36B5E-C481-4CA0-8140-EAEF6B947685@cisco.com> <76A1027D-4F9E-49A6-9EA9-AE018C545B6A@townsley.net>
In-Reply-To: <76A1027D-4F9E-49A6-9EA9-AE018C545B6A@townsley.net>
Cc: IPv6 Ops WG <v6ops@ietf.org>, Ron Bonica <ron@bonica.org>
Subject: Re: [v6ops] Reminder: draft-ietf-v6ops-tunnel-loops WGLC

On 2011-04-11 22:30, Mark Townsley wrote:
> 
> I think we should have much stronger language here that filtering of protocol 41 packets breaks 6to4, along with pointers to the relevant documents discussed in v6ops as to why this causes problems. It's more than "may not be suitable for scenarios where IPv4 connectivity is essential on all interfaces" as this action can have real adverse effects on unsuspecting users.
>

+1

In fact this issue is specifically mentioned in several places
in draft-ietf-v6ops-6to4-advisory, and is summarized in the Security
Considerations as:

   A blanket recommendation to block Protocol 41 is not compatible with
   mitigating the 6to4 problems described in this document.

This is part of a balanced recommendation; elsewhere the draft says:

   The strategic
   solution is to deploy native IPv6, making Protocol 41 redundant.

     Brian

> 
> 3.2.1.1.  Filtering IPv4 Protocol-41 Packets
> 
>    In this measure a tunnel router may drop all IPv4 protocol-41 packets
>    received or sent over interfaces that are attached to an untrusted
>    IPv4 network.  This will cut off any IPv4 network as a shared link.
>    This measure has the advantage of simplicity.  However, such a
>    measure may not always be suitable for scenarios where IPv4
>    connectivity is essential on all interfaces.
> 
> 
> Further, I believe we should be very clear in the abstract that this is an attack vector for which there are (at the time of writing) no known reports of any malicious attacks utilizing said vector.
> 
> - Mark
> 
> 
> On Apr 6, 2011, at 7:59 AM, Fred Baker wrote:
> 
>> On Mar 31, 2011, at 11:30 AM, Fred Baker wrote:
>>
>>> This is to initiate a one week working group last call of draft-ietf-v6ops-tunnel-loops; it will close a week from Friday. The IESG reviewed the document and asked for changes; we need to be sure we are comfortable with the changes. The diff from the version sent to the IESG last November is at http://tinyurl.com/6dhowhf
>>>
>>> Please read it now. If you find nits (spelling errors, minor suggested wording changes, etc), comment to the authors; if you find greater issues, such as disagreeing with a statement or finding additional issues that need to be addressed, please post your comments to the list.
>> WGLC closing Sunday. Any comments on the draft?
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
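The measure quoted from section 3.2.1.1 above, and the objection that it breaks 6to4, can be made concrete with a pre-deployment audit. The following is an added example, not code from the thread, the draft, or the v6ops working group: it applies the section 3.2.1.1 policy (drop every IPv4 protocol-41 packet on interfaces attached to an untrusted IPv4 network) to a set of constructed sample packets and reports how much of what gets dropped is legitimate 6to4 traffic, i.e. the collateral damage Mark and Brian are pointing at. The interface names (`wan0`, `lan0`), addresses and packets are constructed for illustration; the 6to4 recognition relies on the `2002:V4ADDR::/48` address format defined in RFC 3056, which is used here to tell 6to4 apart from configured 6in4 tunnels and from packets whose embedded IPv4 address does not match the outer source.

```python
"""Audit of the draft-ietf-v6ops-tunnel-loops 3.2.1.1 measure
("drop all IPv4 protocol-41 packets on interfaces attached to an
untrusted IPv4 network") against sample traffic.

Added example; not part of the original thread or the draft.
Interface names, addresses and packets below are constructed.
"""
import ipaddress
import struct

PROTO_IPV6_ENCAP = 41                       # IANA protocol number: IPv6 encapsulated in IPv4
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix, RFC 3056


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (IHL 5, checksum left zero; enough for parsing)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_6in4(outer_src, outer_dst, inner_src, inner_dst):
    """Build an IPv6 header (next header 59 = no payload) carried in protocol 41."""
    inner = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed)
    return build_ipv4(outer_src, outer_dst, PROTO_IPV6_ENCAP, inner)


def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) from raw IPv4 bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    return (ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20]),
            packet[9], packet[ihl:])


def classify(packet):
    """Classify a packet as seen by the filter: 'other' (not protocol 41),
    '6to4' (inner source in 2002::/16 and the embedded IPv4 address equals the
    outer IPv4 source), '6to4-inconsistent' (2002::/16 but embedded address
    disagrees with the outer source), '6in4' (any other encapsulated IPv6)."""
    src, _, proto, payload = parse_ipv4(packet)
    if proto != PROTO_IPV6_ENCAP:
        return "other"
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "proto41-malformed"
    inner_src = ipaddress.IPv6Address(payload[8:24])
    if inner_src in SIX_TO_FOUR:
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])   # 2002:V4ADDR::/48
        return "6to4" if embedded == src else "6to4-inconsistent"
    return "6in4"


def apply_measure(iface, untrusted_ifaces, packet):
    """Section 3.2.1.1: drop protocol 41 on interfaces attached to untrusted IPv4 networks."""
    _, _, proto, _ = parse_ipv4(packet)
    if iface in untrusted_ifaces and proto == PROTO_IPV6_ENCAP:
        return "drop"
    return "accept"


def audit(traffic, untrusted_ifaces):
    """Count what the measure drops, per class. The '6to4' bucket is legitimate
    6to4 traffic the measure would break; '6in4' is configured tunnels it would
    also break; '6to4-inconsistent' is the only bucket a filter should want."""
    dropped = {}
    for iface, pkt in traffic:
        if apply_measure(iface, untrusted_ifaces, pkt) == "drop":
            cls = classify(pkt)
            dropped[cls] = dropped.get(cls, 0) + 1
    return dropped


# Constructed sample traffic as (interface, packet); wan0 is the untrusted IPv4 side.
SAMPLE_TRAFFIC = [
    # 6to4 host 192.0.2.10 -> inner source 2002:c000:20a::1 embeds 192.0.2.10: legitimate 6to4
    ("wan0", build_6in4("192.0.2.10", "192.0.2.1", "2002:c000:20a::1", "2001:db8::2")),
    # configured 6in4 tunnel, not 6to4
    ("wan0", build_6in4("198.51.100.7", "192.0.2.1", "2001:db8:1::1", "2001:db8::2")),
    # 6to4 prefix embedding 198.51.100.1 but arriving from 203.0.113.5: inconsistent
    ("wan0", build_6in4("203.0.113.5", "192.0.2.1", "2002:c633:6401::1", "2001:db8::2")),
    # ordinary TCP (protocol 6): unaffected by a protocol-41 filter
    ("wan0", build_ipv4("203.0.113.9", "192.0.2.1", 6, b"\x00" * 20)),
    # protocol 41 on the trusted side: not covered by the measure
    ("lan0", build_6in4("10.0.0.5", "10.0.0.1", "2001:db8:2::1", "2001:db8::2")),
]

if __name__ == "__main__":
    print(audit(SAMPLE_TRAFFIC, {"wan0"}))
```

Run on the constructed traffic, the audit shows the measure dropping one legitimate 6to4 packet and one configured 6in4 tunnel packet alongside the one inconsistent packet, which is the operational cost the draft's "may not always be suitable" wording understates. Running the same audit over a capture from the interface in question, before enabling the filter, tells an operator whether users behind that interface actually depend on 6to4.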