From nobody Wed Aug 6 06:18:29 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D08881B2D2F; Wed, 6 Aug 2014 06:18:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tVyejYA7BfAF; Wed, 6 Aug 2014 06:18:20 -0700 (PDT) Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74BA01B2D2D; Wed, 6 Aug 2014 06:18:20 -0700 (PDT) Received: by mail-qg0-f50.google.com with SMTP id q108so2584787qgd.23 for ; Wed, 06 Aug 2014 06:18:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version; bh=BwG9skkJXMqHqTnmo6hZUyuPSH3LjVfQB36zKgWGqAU=; b=zkU7nT3AUimNP/YQEIz3rXScYTyUdt+gMG44vRTEkon7Gj57OGa8TsQsvOH0lBQ8HL BLgO5eQS/PN1BhvXycgkN+aMyWJ5X0j7tscJJDi6MjtMMpK596j+trPXrIfCqm9TCCg+ rlY/G+iE3kVg6UeaaCU6Q6Z1+STPVQs7S+fu9ePcV7jtxl/jhQI942RZu8ezqmFg+NYr cd2i3vJgHF6tC1GCBS5kf35ubaxHGP2mddpxqBIgur2E5eElE/qvDkoMlu+KpWvuxsUZ 06L+JzK7vOuS0Igxou7LPiaG5J5f7krdWAHdtiDOsUpYiac9G8g/Z/FPmEbVgvdnh4UG 1OfQ== X-Received: by 10.224.67.2 with SMTP id p2mr16865407qai.37.1407331099671; Wed, 06 Aug 2014 06:18:19 -0700 (PDT) Received: from [10.30.20.8] (pool-173-79-6-58.washdc.fios.verizon.net. [173.79.6.58]) by mx.google.com with ESMTPSA id m42sm979341qga.21.2014.08.06.06.18.18 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 06 Aug 2014 06:18:19 -0700 (PDT) From: RJ Atkinson Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Wed, 6 Aug 2014 09:18:19 -0400 Message-Id: <2678F1EB-D3D1-4CD8-B243-F500F474E61F@gmail.com> To: opsec@ietf.org, v6ops@ietf.org Mime-Version: 1.0 (Apple Message framework v1283) X-Mailer: Apple Mail (2.1283) Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/pyrgga4W7tkTRcgg6ojsS7mZxUE Subject: Re: [OPSEC] [v6ops] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Aug 2014 13:18:23 -0000 Earlier, on 18th July 2014, Warren Kumari wrote: > Related to this is >=20 > http://tools.ietf.org/html/draft-taylor-v6ops-fragdrop-02 > -- Why > Operators Filter Fragments and What It Implies >=20 > This expired, but I suspect we may need to revive it... >=20 > W (ASIDE: I've trimmed off the int-area list to reduce list cross-posting. My sense is that between v6ops and opsec,=20 the applicable audience will be covered adequately.) I agree that the above draft ought to be revived. As a community, it would be very helpful to have an Informational status RFC describing "Why Operators Filter Fragments and What it Implies". =46rom my point of view, this need not be an IETF-track document. It would serve the purpose equally well as an ISE-track document with Informational status. =20 (Just to be clear, I don't object to it being IETF-track, but the ISE-track has a faster time-to-RFC and generally is a lower-overhead process.) Yours, Ran Atkinson From nobody Tue Aug 12 02:55:48 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 900801A0395; Tue, 12 Aug 2014 02:55:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.003 X-Spam-Level: X-Spam-Status: No, score=-0.003 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sae6n3tOOUA1; Tue, 12 Aug 2014 02:55:38 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BBF71A081B; Tue, 12 Aug 2014 02:55:34 -0700 (PDT) Received: from [2001:5c0:1400:a::63f] by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XH8ni-0003bI-6c; Tue, 12 Aug 2014 11:55:32 +0200 Message-ID: <53E9E42F.50102@si6networks.com> Date: Tue, 12 Aug 2014 05:53:51 -0400 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Mikael Abrahamsson , draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/LVnBsFKNqqt6Nr4zTALwzb4GRrQ Cc: opsec@ietf.org, IPv6 Operations Subject: Re: [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Aug 2014 09:55:43 -0000 Hi, Mikael, Thanks so much for your feedback! Comments in-line... On 07/14/2014 02:55 AM, Mikael Abrahamsson wrote: > > I find this document advocates dropping things way too much. Actually, of the top of my head, the only EH that we were advocated dropping (from the standard set) is/was HBH (this is to be changed in the upcoming rev of the document). > It uses the > term "intermediate" devices. I would like this split up into two types > of devices, a "pure packet forwarding device" (=core router), and a > "security inspection device" (=device that might have ACLs or being a > stateful firewall). Me, I'd probably stick to intermmediate device, or maybe "forwarding node" or "router". If you bring "firewalls" into the game, reality is that a firewall will typically be "default deny". > I believe a core router which just forwards packets, should not drop > packets because of options it can't handle very well. If it can't handle > a lot of hop-by-hop header packets, then don't inspect these hop-by-hop > header packets, just forward the packets without looking at them. We're trying to provide advice to the same sort of devices that are dropping packets in draft-gont-v6ops-ipv6-ehs-in-real-world.... > The thought of our core networks limiting what we can and can't do in > the future with IPv6, makes me a sad panda. I can understand devices > that enforce some kind of security to drop packets they don't > understand, but generally recommending blanket dropping of some packets > in the core because of potential edge problems, that just doesn't make > sense to me. That's not what we're doing (modulo HBH, as noted above). Please let us know if there are specific portions of the document that you're objecting to or that you'd like to be clarified. Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 12 03:32:15 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEDC41A0832; Tue, 12 Aug 2014 03:32:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.319 X-Spam-Level: X-Spam-Status: No, score=-2.319 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdeGp8ExASQK; Tue, 12 Aug 2014 03:32:12 -0700 (PDT) Received: from uplift.swm.pp.se (ipv6.swm.pp.se [IPv6:2a00:801::f]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC9301A03A5; Tue, 12 Aug 2014 03:32:11 -0700 (PDT) Received: by uplift.swm.pp.se (Postfix, from userid 501) id 372E9A1; Tue, 12 Aug 2014 12:32:10 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1407839530; bh=iQHWV8O0aXxJwgTZL/5lf7X0PHbFmfinGsy1w5xpaS4=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=x8A6Jd8dY6yzUCEMmZ5BJUKCFVQ/2/AN4imVa+n32YmJnaK8OFkIszK8SYUwlQOwb gnvkwsUAKcxG7q0Y9fTQHtTzinYg9tRH569k+Kiu8z4mQa/NWIiwpnAKSWYySH4BCa 2g0qzs6jbCAGuBQoV9JDlPhfHjLmCtSBie331B38= Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id 2C2B79F; Tue, 12 Aug 2014 12:32:10 +0200 (CEST) Date: Tue, 12 Aug 2014 12:32:10 +0200 (CEST) From: Mikael Abrahamsson To: Fernando Gont In-Reply-To: <53E9E42F.50102@si6networks.com> Message-ID: References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> <53E9E42F.50102@si6networks.com> User-Agent: Alpine 2.02 (DEB 1266 2009-07-14) Organization: People's Front Against WWW MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/gIXT1muL7vGE-PGWWmLgad36CCM Cc: opsec@ietf.org, draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org, IPv6 Operations Subject: Re: [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Aug 2014 10:32:13 -0000 On Tue, 12 Aug 2014, Fernando Gont wrote: > Hi, Mikael, > > Thanks so much for your feedback! Comments in-line... > > On 07/14/2014 02:55 AM, Mikael Abrahamsson wrote: >> >> I find this document advocates dropping things way too much. > > Actually, of the top of my head, the only EH that we were advocated > dropping (from the standard set) is/was HBH (this is to be changed in > the upcoming rev of the document). Ok, good! Another thing I don't know if I mentioned, is that there is a mix of different ways of saying the same thing in the advice section, sometimes it's "pass", sometimes it's "do not drop". Are you fixing that as well? Anyhow, I'll wait until the next rev and give it a complete read-through. -- Mikael Abrahamsson email: swmike@swm.pp.se From nobody Tue Aug 12 03:42:39 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09DA91A03A5; Tue, 12 Aug 2014 03:42:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i5q2W-4mm9Cg; Tue, 12 Aug 2014 03:42:34 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC70F1A03A6; Tue, 12 Aug 2014 03:42:34 -0700 (PDT) Received: from [2001:5c0:1400:a::63f] by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XH9XE-0003iQ-Fl; Tue, 12 Aug 2014 12:42:32 +0200 Message-ID: <53E9EF24.4020100@si6networks.com> Date: Tue, 12 Aug 2014 06:40:36 -0400 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Mikael Abrahamsson References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> <53E9E42F.50102@si6networks.com> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/I_kyXfxuhtAfR9-svJ23QmebErI Cc: opsec@ietf.org, draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org, IPv6 Operations Subject: Re: [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Aug 2014 10:42:37 -0000 Hi, Mikael, On 08/12/2014 06:32 AM, Mikael Abrahamsson wrote: >>> I find this document advocates dropping things way too much. >> >> Actually, of the top of my head, the only EH that we were advocated >> dropping (from the standard set) is/was HBH (this is to be changed in >> the upcoming rev of the document). > > Ok, good! Another thing I don't know if I mentioned, is that there is a > mix of different ways of saying the same thing in the advice section, > sometimes it's "pass", sometimes it's "do not drop". Are you fixing that > as well? I wasn't... but now I will. > Anyhow, I'll wait until the next rev and give it a complete read-through. Thanks so much! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 12 04:49:20 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4891A0842 for ; Tue, 12 Aug 2014 04:49:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14R97mvijVb8 for ; Tue, 12 Aug 2014 04:49:14 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D13B1A078B for ; Tue, 12 Aug 2014 04:49:14 -0700 (PDT) Received: from [2001:5c0:1400:a::575] by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XHAZk-0003qy-20; Tue, 12 Aug 2014 13:49:12 +0200 Message-ID: <53E9FE53.5030907@gont.com.ar> Date: Tue, 12 Aug 2014 07:45:23 -0400 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Brian E Carpenter References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> In-Reply-To: <53C35CC4.2070304@gmail.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/MIZSbvDSfYB8kdtkghb_0k9k21k Cc: opsec@ietf.org, draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org Subject: Re: [OPSEC] [v6ops] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Aug 2014 11:49:17 -0000 Hi, Brian, On 07/14/2014 12:29 AM, Brian E Carpenter wrote: >> 2.3.1.5. Advice >> >> >> Intermediate systems should, by default, drop packets containing a >> IPv6 Hop-by-Hop Option Extension Header. > > You can't say that! Firstly, RFC 7045 makes it permissible to > simply ignore them. That's the simplest DoS defence. Secondly, > well, dropping them is the wrong default because it breaks stuff. > You could discuss whether to inspect them for valid contents, and > you could discuss rate-limiting, which I understand some vendors > support already. Does this look reasonable: ---- cut here ---- The recommended configuration for the processing of these packets depends on the features and capabilities of the underlying platform. On platforms that allow forwarding of packets with HBH Options on the fast path, we recommend that packets with HBH be forwarded as normal (for instance, [RFC7045] allows for implementations to ignore the HBH Options extension header when forwarding packets). Otherwise, on platforms where processing of packets with IPv6 HBH Options is carried out in the slow path, and an option is provided to rate-limit these packets, we recommend that this option is selected. Finally, when packets with HBH Options are processed in the slow-path, and the underlying platform does not have any mitigation options available for attacks based on these packets, we recommend that such platforms drop packets containing IPv6 HBH Options. Those intermediate systems processing the contents of this extension header should drop packets that contain more than one instance of the Router Alert option (see [RFC2711]). Finally, we note that, for obvious reasons, RPL routers must not drop packets based on the presence of an IPv6 Hop-by-Hop Option Extension Header. ---- cut here ---- ? Thanks! Best regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 From nobody Tue Aug 12 07:44:50 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DED41A0764; Tue, 12 Aug 2014 07:44:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDnf5or7eGHk; Tue, 12 Aug 2014 07:44:38 -0700 (PDT) Received: from suomp64i.qwest.com (suomp64i.qwest.com [155.70.16.237]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46BC71A08F5; Tue, 12 Aug 2014 07:44:38 -0700 (PDT) Received: from lxdenvmpc030.qintra.com (emailout.qintra.com [10.1.51.30]) by suomp64i.qwest.com (8.14.4/8.14.4) with ESMTP id s7CEiYIV020114 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 12 Aug 2014 09:44:34 -0500 (CDT) Received: from lxdenvmpc030.qintra.com (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id 3F6FD1E006B; Tue, 12 Aug 2014 08:44:29 -0600 (MDT) Received: from sudnp796.qintra.com (unknown [151.119.91.93]) by lxdenvmpc030.qintra.com (Postfix) with ESMTP id 2251A1E0067; Tue, 12 Aug 2014 08:44:29 -0600 (MDT) Received: from sudnp796.qintra.com (localhost [127.0.0.1]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id s7CEiSqs028800; Tue, 12 Aug 2014 08:44:28 -0600 (MDT) Received: from vddcwhubex502.ctl.intranet (vddcwhubex502.ctl.intranet [151.119.128.29]) by sudnp796.qintra.com (8.14.4/8.14.4) with ESMTP id s7CEiSFG028787 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 12 Aug 2014 08:44:28 -0600 (MDT) Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex502.ctl.intranet ([2002:9777:801d::9777:801d]) with mapi id 14.03.0158.001; Tue, 12 Aug 2014 08:44:28 -0600 From: "Smith, Donald" To: Fernando Gont , Mikael Abrahamsson Thread-Topic: [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt Thread-Index: AQHPnxxKV3vKyI8r0kmDCuWMZ5DgUZufh4CAgC3FgICAAAq0AIAAAlwA///dN7c= Date: Tue, 12 Aug 2014 14:44:27 +0000 Message-ID: <68EFACB32CF4464298EA2779B058889D24BD339A@PDDCWMBXEX503.ctl.intranet> References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> <53E9E42F.50102@si6networks.com> , <53E9EF24.4020100@si6networks.com> In-Reply-To: <53E9EF24.4020100@si6networks.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [151.117.206.34] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-CFilter-Loop: Reflected Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/4TZW7xmXxStnu1PodVJI58bppaU Cc: "opsec@ietf.org" , "draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org" , IPv6 Operations Subject: Re: [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Aug 2014 14:44:44 -0000 We have language for that in other rfcs. Drop usually means silent drop. So is drop a silent drop or a reject? http://tools.ietf.org/html/rfc3871 "Ability to Specify Filter Actions Requirement. The device MUST provide a mechanism to allow the specification of the action to be taken when a filter rule matches. Actions MUST include "permit" (allow the traffic), "reject" (drop with appropriate notification to sender), and "drop" (drop with no notification to sender). Also see Section 2.7.7 and Section 2.9" Are there cases where reject (with notification) makes more sense then drop= ? Or where the end user should get to choose one over the other? (coffee !=3D sleep) & (!coffee =3D=3D sleep) Donald.Smith@centurylink.com From: OPSEC [opsec-bounces@ietf.org] on behalf of Fernando Gont [fgont@si6n= etworks.com] Sent: Tuesday, August 12, 2014 4:40 AM To: Mikael Abrahamsson Cc: opsec@ietf.org; draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org; IPv6= Operations Subject: Re: [OPSEC] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt Hi, Mikael, On 08/12/2014 06:32 AM, Mikael Abrahamsson wrote: >>> I find this document advocates dropping things way too much. >> >> Actually, of the top of my head, the only EH that we were advocated >> dropping (from the standard set) is/was HBH (this is to be changed in >> the upcoming rev of the document). >=20 > Ok, good! Another thing I don't know if I mentioned, is that there is a > mix of different ways of saying the same thing in the advice section, > sometimes it's "pass", sometimes it's "do not drop". Are you fixing that > as well? I wasn't... but now I will. > Anyhow, I'll wait until the next rev and give it a complete read-through. Thanks so much! Best regards, --=20 Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec= From nobody Tue Aug 12 16:42:43 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 052BB1A6EE6 for ; Tue, 12 Aug 2014 16:42:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id extTChm8rao4 for ; Tue, 12 Aug 2014 16:42:40 -0700 (PDT) Received: from mail-ob0-x235.google.com (mail-ob0-x235.google.com [IPv6:2607:f8b0:4003:c01::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E1131A0ADE for ; Tue, 12 Aug 2014 16:42:40 -0700 (PDT) Received: by mail-ob0-f181.google.com with SMTP id va2so7873949obc.12 for ; Tue, 12 Aug 2014 16:42:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=CBuJLhpO4+4Ph9CZd/tp9ymgkULBhZY7n6oPVqAfMb0=; b=IK4sDYQCgLo7nCSv9RZ9ECWBGYwUNXMrf+uQZ4SWeypjqjoMxTj7DV9eWdInzUcZDg nmfX6vwF19nGpII8HaoVE93tlLjDax0UwwifPyE9/jskxVUDivKQmmDQqQ+nV1SarTJj WMlFht+FIY0OYQwYgN7mdF1y7KFFkDR2Fp1YJVpe0AXOze0wy6qSmB9kEATA/RaByRZf AytDrpHpIWOUxJ+pwuHTh+6jkikWJ3CIezcsc89R3LTt7nv2egt3WOP6uKrG4qZApF2x /oH6PYKbM/BgE/ChFu2TAyQf0GLXEAhK6bpAhSw+DkgSGXDU3KnY9EA0kHXEvVmQnjWc o/vw== X-Received: by 10.182.33.33 with SMTP id o1mr1160143obi.24.1407886960124; Tue, 12 Aug 2014 16:42:40 -0700 (PDT) Received: from [172.24.60.8] (wireless-nat-21.auckland.ac.nz. [130.216.30.132]) by mx.google.com with ESMTPSA id v5sm301145oek.15.2014.08.12.16.42.38 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 12 Aug 2014 16:42:39 -0700 (PDT) Message-ID: <53EAA672.8000208@gmail.com> Date: Wed, 13 Aug 2014 11:42:42 +1200 From: Brian E Carpenter Organization: University of Auckland User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Fernando Gont References: <20140704235122.9794.84948.idtracker@ietfa.amsl.com> <53C35CC4.2070304@gmail.com> <53E9FE53.5030907@gont.com.ar> In-Reply-To: <53E9FE53.5030907@gont.com.ar> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/PrvJGHmlhUv09cQTv96zpA9Yj-g Cc: opsec@ietf.org, draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org Subject: Re: [OPSEC] [v6ops] I-D Action: draft-gont-opsec-ipv6-eh-filtering-00.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Aug 2014 23:42:42 -0000 Hi Fernando, Yes, that works for me. Maybe you need a reference for the RPL exception. Thanks Brian On 12/08/2014 23:45, Fernando Gont wrote: > Hi, Brian, > > On 07/14/2014 12:29 AM, Brian E Carpenter wrote: >>> 2.3.1.5. Advice >>> >>> >>> Intermediate systems should, by default, drop packets containing a >>> IPv6 Hop-by-Hop Option Extension Header. >> You can't say that! Firstly, RFC 7045 makes it permissible to >> simply ignore them. That's the simplest DoS defence. Secondly, >> well, dropping them is the wrong default because it breaks stuff. >> You could discuss whether to inspect them for valid contents, and >> you could discuss rate-limiting, which I understand some vendors >> support already. > > Does this look reasonable: > > ---- cut here ---- > The recommended configuration for the processing of these packets > depends on the features and capabilities of the underlying platform. On > platforms that allow forwarding of packets with HBH Options on the fast > path, we recommend that packets with HBH be forwarded as normal (for > instance, [RFC7045] allows for implementations to ignore the HBH Options > extension header when forwarding packets). Otherwise, on platforms where > processing of packets with IPv6 HBH Options is carried out in the slow > path, and an option is provided to rate-limit these packets, we > recommend that this option is selected. Finally, when packets with HBH > Options are processed in the slow-path, and the underlying platform does > not have any mitigation options available for attacks based on these > packets, we recommend that such platforms drop packets containing IPv6 > HBH Options. > > Those intermediate systems processing the contents of this extension > header should drop packets that contain more than one instance of the > Router Alert option (see [RFC2711]). > > Finally, we note that, for obvious reasons, RPL routers must not drop > packets based on the presence of an IPv6 Hop-by-Hop Option Extension Header. > ---- cut here ---- > > ? > > Thanks! > > Best regards, From nobody Sat Aug 16 11:49:35 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEC251A014E for ; Sat, 16 Aug 2014 11:49:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PleVhV7JM4E2 for ; Sat, 16 Aug 2014 11:49:26 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B93CA1A0146 for ; Sat, 16 Aug 2014 11:49:25 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XIj2V-0003z0-1m; Sat, 16 Aug 2014 20:49:19 +0200 Message-ID: <53EF9103.2000900@si6networks.com> Date: Sat, 16 Aug 2014 14:12:35 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Brian E Carpenter , Mikael Abrahamsson , "Smith, Donald" , "C. M. Heard" References: <20140816170731.13620.5804.idtracker@ietfa.amsl.com> In-Reply-To: <20140816170731.13620.5804.idtracker@ietfa.amsl.com> X-Forwarded-Message-Id: <20140816170731.13620.5804.idtracker@ietfa.amsl.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/zjlszBw-CgM4UYd7uPExi9Qvvtc Cc: "'opsec@ietf.org'" , draft-gont-opsec-ipv6-eh-filtering@tools.ietf.org Subject: [OPSEC] Fwd: New Version Notification for draft-gont-opsec-ipv6-eh-filtering-01.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Aug 2014 18:49:33 -0000 Folks, This revision () of the I-D should address the comments that you have sent so far. Please do let us know if this is the case. Thanks! Best regards, Fernando (& co-authors) -------- Forwarded Message -------- Subject: New Version Notification for draft-gont-opsec-ipv6-eh-filtering-01.txt Date: Sat, 16 Aug 2014 10:07:31 -0700 From: internet-drafts@ietf.org To: Will(Shucheng) Liu , Shucheng LIU (Will) , Fernando Gont , Ron Bonica , Fernando Gont , Ronald P. Bonica A new version of I-D, draft-gont-opsec-ipv6-eh-filtering-01.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Name: draft-gont-opsec-ipv6-eh-filtering Revision: 01 Title: Recommendations on Filtering of IPv6 Packets Containing IPv6 Extension Headers Document date: 2014-08-16 Group: Individual Submission Pages: 28 URL: http://www.ietf.org/internet-drafts/draft-gont-opsec-ipv6-eh-filtering-01.txt Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-eh-filtering/ Htmlized: http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering-01 Diff: http://www.ietf.org/rfcdiff?url2=draft-gont-opsec-ipv6-eh-filtering-01 Abstract: This document provides advice on the filtering of IPv6 packets based on the IPv6 Extension Headers and the IPv6 options they contain. Additionally, it discusses the operational and interoperability implications of discarding packets based on the IPv6 Extension Headers and IPv6 options they contain. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat From nobody Tue Aug 19 02:44:27 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C9021A0394; Tue, 19 Aug 2014 02:44:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkJyq8rm31sd; Tue, 19 Aug 2014 02:44:22 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C31061A0398; Tue, 19 Aug 2014 02:44:21 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 5.6.2.p5 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140819094421.18719.29261.idtracker@ietfa.amsl.com> Date: Tue, 19 Aug 2014 02:44:21 -0700 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/cwS8Bm1UoOKf3KkCzTGwfpccctg Cc: opsec@ietf.org Subject: [OPSEC] I-D Action: draft-ietf-opsec-bgp-security-05.txt X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 09:44:23 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Operational Security Capabilities for IP Network Infrastructure Working Group of the IETF. Title : BGP operations and security Authors : Jerome Durand Ivan Pepelnjak Gert Doering Filename : draft-ietf-opsec-bgp-security-05.txt Pages : 29 Date : 2014-08-19 Abstract: BGP (Border Gateway Protocol) is the protocol almost exclusively used in the Internet to exchange routing information between network domains. Due to this central nature, it is important to understand the security measures that can and should be deployed to prevent accidental or intentional routing disturbances. This document describes measures to protect the BGP sessions itself (like TTL, TCP-AO, control plane filtering) and to better control the flow of routing information, using prefix filtering and automatization of prefix filters, max-prefix filtering, AS path filtering, route flap dampening and BGP community scrubbing. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-opsec-bgp-security/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-opsec-bgp-security-05 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-bgp-security-05 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Tue Aug 19 05:00:36 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71261A03E1; Tue, 19 Aug 2014 05:00:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2-m8TlU2dJO; Tue, 19 Aug 2014 05:00:30 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10EF51A03D7; Tue, 19 Aug 2014 05:00:29 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJi5T-0003v9-1p; Tue, 19 Aug 2014 14:00:27 +0200 Message-ID: <53F33C4F.2070807@si6networks.com> Date: Tue, 19 Aug 2014 09:00:15 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: IPv6 Operations Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/ynyAKZ8QU-SsNdihI7tTQmxz8Bs Cc: "'opsec@ietf.org'" Subject: [OPSEC] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 12:00:34 -0000 Folks, Ten days ago or so we published this I-D: Section 5.2 of the I-D discusses a possible attack vector based on a combination of "forged" ICMPv6 PTB messages and IPv6 frag drops by operators, along with proposed countermeasures -- on which we'd like to hear your comments. Since Section 5.2 is in the draft, let me offer a more informal and practical explanation: 1) It is known that filtering of packets containing IPv6 Extension Headers (including the Fragment Header) is widespread (see our I-D above) 2) Let us assume that Host A is communicating with Server B, and that some node filters fragments between Host A and Server B. 3) An attacker sends a spoofed ICMPv6 PTB to server B, with a "Next Hop MTU<1280), in the hopes of eliciting "atomic fragments" (see ) from now on. 4) Now server B starts sending IPv6 atomic fragments... And since they include a frag header (and in '2)' above we noted that frags are dropped on that path), these packets get dropped (i.e., DoS). "Demo" with the icmp6 tool () -- (some addresses have been changed (anonimized), but it is trivial to pick a victim server...) "2001:db8:1:10:0:1991:8:25" is the server, and "2001:5c0:1000:a::e7d" is my own address): ---- cut here ---- ***** First of all, I telnet to port 80 of the server, and everything works as expected **** fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80 Trying 2001:db8:1:10:0:1991:8:25... Connected to 2001:db8:1:10:0:1991:8:25. Escape character is '^]'. ^CConnection closed by foreign host. **** Now I send the forget ICMPv6 PTB **** fgont@satellite:~$ sudo icmp6 --icmp6-packet-too-big -d 2001:db8:1:10:0:1991:8:25 --peer-addr 2001:5c0:1000:a::e7d --mtu 1000 -o 80 -v icmp6: Security assessment tool for attack vectors based on ICMPv6 error messages IPv6 Source Address: 2001:5c0:1000:a::e7d (automatically selected) IPv6 Destination Address: 2001:db8:1:10:0:1991:8:25 IPv6 Hop Limit: 227 (randomized) ICMPv6 Packet Too Big (Type 2), Code 0 Next-Hop MTU: 1000 Payload Type: IPv6/TCP (default) Source Address: 2001:db8:1:10:0:1991:8:25 (automatically-selected) Destination Address: 2001:5c0:1000:a::e7d Hop Limit: 237 (randomized) Source Port: 80 Destination Port: 38189 (randomized) SEQ Number: 734463213 (randomized) ACK Number: 866605720 (randomized) Flags: A (default) Window: 18944 (randomized) URG Pointer: 0 (default) Initial attack packet(s) sent successfully. ***** And now I try the same telnet command as above... but it fails, because the frags from the server to me are getting dropped somewhere **** fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80 Trying 2001:db8:1:10:0:1991:8:25... [timeout] ---- cut here ---- Of course, in this particular case I just "shot myself". But one could do this to DoS connections between mailservers, etc. A nice question is: what if e.g.... 1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and react (as expected) by generating atomic fragments, *and*, 2) These same BGP servers deem fragmentation as "harmful", and hence drop such fragments you could essentially DoS traffic between them As noted in the I-D, the mitigations seem to be: 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6 PTB, or, 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU smaller than 1280. Thoughts? -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 05:31:55 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B65641A040E; Tue, 19 Aug 2014 05:31:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kK2d7kjB1gkQ; Tue, 19 Aug 2014 05:31:49 -0700 (PDT) Received: from bastion.ch.unfix.org (bastion.ch.unfix.org [IPv6:2a02:2528:503:2::4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A00D01A0416; Tue, 19 Aug 2014 05:31:49 -0700 (PDT) Received: from yomi.ch.unfix.org (84-73-144-213.dclient.hispeed.ch [84.73.144.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jeroen) by bastion.ch.unfix.org (Postfix) with ESMTPSA id C6A9B10034AC6; Tue, 19 Aug 2014 12:31:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1408451506; bh=/wHsniLtZHm+RYSYa6XIbbJQ50oxkzApF+gYyHsNtAI=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=CTm0FGPulxxUT0eem+H2gqaafb3HR7Bimvj/DvMj9M+A33P1lFxip39x4kmgN8X1v WkQzUiDE0QswbstWA4hWLwiD9USV7eceOkVn5S9CEyRcQBSRQ6tugz72yR6bOF4MoE iXIbV9m8LpOQVZT4iWrBI3mItCMQqKuOIfdx0ij+ccdVpvCLkYxmn2ei9KCJGkEyT0 qry98QHJZRjN4Tr1Noi4NCPk7Zb86AuxyFhuwLhyvmx3BTLwUSM0eREO/TVBYhs7vM Gvvpjc0foJmSlCivqcqqUYnCyexCJbnKFfeGS03rEwXL4me8KA0xdT8K58KEzkDwWh 6yV5Tlf9Uai3g== Message-ID: <53F343A3.1070505@massar.ch> Date: Tue, 19 Aug 2014 14:31:31 +0200 From: Jeroen Massar Organization: Massar MIME-Version: 1.0 To: Fernando Gont , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> In-Reply-To: <53F33C4F.2070807@si6networks.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/SxY7et-Y6JCLOgLcD9xW2BCuXW8 Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 12:31:51 -0000 On 2014-08-19 14:00, Fernando Gont wrote: [..] > 1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and > react (as expected) by generating atomic fragments, *and*, Anything accepting an MTU < 1280 does not belong on the Interwebs. Hence, it would be good that kind of broken code can't send anything. [..] > As noted in the I-D, the mitigations seem to be: > > 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6 > PTB, or, > > 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU > smaller than 1280. Don't forget: 0) BCP38. Though, one would have to inspect the ICMPv6 packet too then.... Hmm, maybe time to test that out in sixxsd... Greets, Jeroen From nobody Tue Aug 19 05:35:34 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E01191A0416; Tue, 19 Aug 2014 05:35:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WFB4mi00OZ8t; Tue, 19 Aug 2014 05:35:31 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D85E31A040A; Tue, 19 Aug 2014 05:35:30 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJidM-00041q-5J; Tue, 19 Aug 2014 14:35:28 +0200 Message-ID: <53F34486.7010903@si6networks.com> Date: Tue, 19 Aug 2014 09:35:18 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Jeroen Massar , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> In-Reply-To: <53F343A3.1070505@massar.ch> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/QHA13dMwz8POsyKlwiD_z6tVEcg Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 12:35:33 -0000 On 08/19/2014 09:31 AM, Jeroen Massar wrote: > On 2014-08-19 14:00, Fernando Gont wrote: > [..] >> 1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and >> react (as expected) by generating atomic fragments, *and*, > > Anything accepting an MTU < 1280 does not belong on the Interwebs. > > Hence, it would be good that kind of broken code can't send anything. Well, RFC2460 requires so.... > [..] >> As noted in the I-D, the mitigations seem to be: >> >> 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6 >> PTB, or, >> >> 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU >> smaller than 1280. > > Don't forget: > 0) BCP38. > > Though, one would have to inspect the ICMPv6 packet too then.... Agreed. You need to apply ICMPv6 to the embedded payload... > Hmm, maybe time to test that out in sixxsd... Just taking my chance to thank you for sixxsd! ;-) Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 06:19:20 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2C4A1A88E7; Tue, 19 Aug 2014 06:19:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VD6ncwIMCwX; Tue, 19 Aug 2014 06:19:14 -0700 (PDT) Received: from bastion.ch.unfix.org (bastion.ch.unfix.org [46.20.246.101]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46C581A88C9; Tue, 19 Aug 2014 06:19:13 -0700 (PDT) Received: from yomi.ch.unfix.org (84-73-144-213.dclient.hispeed.ch [84.73.144.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jeroen) by bastion.ch.unfix.org (Postfix) with ESMTPSA id 97F3A10034B7C; Tue, 19 Aug 2014 13:19:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1408454350; bh=dgWWg6GkoIrtrhD8/H3YFd6mKsCCWtvTW8nxbYT0DGA=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=jzj/m5CoHnmxHbfvQlm8olDmqtrXtbNC+0PLDM5NJRcmluiveLwDY1fPwQtgo2SHA TsZgrofZ4AB116lg0bi2VmAxAgwQg7FQEPCVzcSkcbzlKiKyRS/97r+jjFReg4dNOz Bq/nynGSA2WRbR026wfXmOqzGi4PFZUMs/4mPXCHkzJyywhRyOGteWiM81tq8v3ej9 QfUhb9dk1OHtDAmyE3p7n6gn25qXkVeDMR5rlyj1+YLQlUYt0n8SSle2Vr9S5Ckuhk x3O+QlKmlbEVEAnQjD4iNyTXG2y0Q+8NQ/79ntmeuyVHEevPyqO4e+9ZveXn1jH7sE 5fGwDTfZDStgg== Message-ID: <53F34EC0.30400@massar.ch> Date: Tue, 19 Aug 2014 15:18:56 +0200 From: Jeroen Massar Organization: Massar MIME-Version: 1.0 To: Fernando Gont , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> In-Reply-To: <53F34486.7010903@si6networks.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/7nS87igsrlAgWPLn8Xzi4rtKOEY Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 13:19:15 -0000 On 2014-08-19 14:35, Fernando Gont wrote: [..] >> Though, one would have to inspect the ICMPv6 packet too then.... > > Agreed. You need to apply ICMPv6 to the embedded payload... But also for ICMPv4, which has similar attacks. Hence we should formulate text a bit like: 8<------------------------ When forwarding or receiving an ICMP error packet: - The IP destination of the packet MUST match the source address represented in the ICMP error packet. - The ICMP error packet's destination address must qualify uRPF rules for the same interface as the source address.[1] As the verified packets are ICMP errors, when the verification fails the packet MUST be dropped, logging is recommended. Due to the checking inside the ICMP portion of a packet: Access-routers, firewalls and hosts MUST perform these checks. Core-routers SHOULD perform these checks [1] When ICMP-dst address matches IP-src the check should already have been performed by the standard uRPF check. ------------------------>8 But then in better wording to avoid dis-ambiguity of which src/dst is which (the one in IP or ICMP) >> Hmm, maybe time to test that out in sixxsd... > > Just taking my chance to thank you for sixxsd! ;-) Unfortunately that is only usable for a very small base of connectivity and hopefully one day will stop to be needed. The big brands needs to implement it. And it much more difficult to push out updates to devices which are not under one's control and where one has a very large deployed base. Greets, Jeroen From nobody Tue Aug 19 06:24:48 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7911A88EB for ; Tue, 19 Aug 2014 06:24:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9y7SRE_IE_l for ; Tue, 19 Aug 2014 06:24:33 -0700 (PDT) Received: from mail-ig0-f170.google.com (mail-ig0-f170.google.com [209.85.213.170]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85BB01A03F8 for ; Tue, 19 Aug 2014 06:24:33 -0700 (PDT) Received: by mail-ig0-f170.google.com with SMTP id h3so9641574igd.5 for ; Tue, 19 Aug 2014 06:24:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=BDZrqShWjWHRB5brkxDIHXf6xhS0rY8fWlIzLCWkxts=; b=TenrbSQ6OhqcfwqcEwI4XkXm43l5L6pxhGfE1b0hOWv8PeGUj3fKlyUFoZIgRfk+wa A5QS/Hb4bUEzKoUFiexYgV94HiyilVzTW23mXp3MiPy+NaiAn4IwnSy7o0gyAPoe3kgC 3flQjRmAGOOjVaoc6/n7TDWLfU1HiwXclJMJyBGbnnthVqQMreVn9GMrfzQHPzKL3iN5 V5BKeBpm7alv18KbkP9FOTchtcA1lxs/d8FA85wNGjMn199a84DzeQuCn+uYIaUNKtDk fA/6EpA3RzwuQnHn8SyEypQgolxwdRcrxwz0DZpksQ17FSPWh0ci6R8M1xfn4FnJ6Avk Cahg== X-Gm-Message-State: ALoCoQly7lHzF9smRoUHKwc9/puPzLYc3EPP2ivQZQnOEkTRLIXJT9fiHaTQ++6V6CU84z8sADob X-Received: by 10.50.124.102 with SMTP id mh6mr5698625igb.27.1408454672856; Tue, 19 Aug 2014 06:24:32 -0700 (PDT) Received: from [172.19.254.114] (202-176-81-112.static.asianet.co.th. [202.176.81.112]) by mx.google.com with ESMTPSA id l4sm56582049igt.20.2014.08.19.06.24.30 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Aug 2014 06:24:32 -0700 (PDT) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 7.3 $1878.6$) From: Roland Dobbins In-Reply-To: <53F34EC0.30400@massar.ch> Date: Tue, 19 Aug 2014 20:23:54 +0700 Content-Transfer-Encoding: quoted-printable Message-Id: <8E7C5F3E-F9E2-468B-AA0E-D6FAE3CA5A6A@arbor.net> References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> To: "opsec@ietf.org" X-Mailer: Apple Mail (2.1878.6) Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/11vvYai0bfTzQjHwbrnutbswbT4 Cc: IPv6 Operations Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 13:24:38 -0000 On Aug 19, 2014, at 8:18 PM, Jeroen Massar wrote: > - The ICMP error packet's destination address must qualify uRPF rules = for the same interface as the source address.[1] Should this language be limited to uRPF, or should it include other = anti-spoofing mechanisms, as well? ---------------------------------------------------------------------- Roland Dobbins // Equo ne credite, Teucri. -- Laoco=F6n From nobody Tue Aug 19 06:29:55 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A78C1A041D; Tue, 19 Aug 2014 06:29:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bauy2YLctQz8; Tue, 19 Aug 2014 06:29:52 -0700 (PDT) Received: from bastion.ch.unfix.org (bastion.ch.unfix.org [46.20.246.101]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D3471A02C1; Tue, 19 Aug 2014 06:29:52 -0700 (PDT) Received: from yomi.ch.unfix.org (84-73-144-213.dclient.hispeed.ch [84.73.144.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jeroen) by bastion.ch.unfix.org (Postfix) with ESMTPSA id B90A310034A9D; Tue, 19 Aug 2014 13:29:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1408454990; bh=Iwji1cC8RoZoIlx+LfwnxAsQ+wQnU5V3V2GV4CbwMPY=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=VshfIMmAcsVwVGC6sDM4GtLMdt8iZBmSdrCrz3uoAVmJyUO9YSvtu0yjCnIzvXgPU 5qvgg4Gn0o9IkxbT6NZd3r3E2ECEnNp56vlCGSbx3YmN6TmrbD96V1vrjHon5YY1Im ke8LXNTwj8JUj1Lf4eAfq0QxFqA+PKWPOBDMzWZg3OGeB65C6G2xZ1OzmLiaOTbaYa BfaSPo4oJP8XFXhPGsVocPd+eVkpZE9+Td2hdsSy4KymlFRm0W77NjiJ6z8isO0z/i SksRM5fm2AKA1ruBrH/5UjoWHAklaJuylzMR3SaTYM2FeEKdwquts6A/BHYauIiTx/ 8sai51E1WVB+g== Message-ID: <53F35140.7040007@massar.ch> Date: Tue, 19 Aug 2014 15:29:36 +0200 From: Jeroen Massar Organization: Massar MIME-Version: 1.0 To: Roland Dobbins , "opsec@ietf.org" References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <8E7C5F3E-F9E2-468B-AA0E-D6FAE3CA5A6A@arbor.net> In-Reply-To: <8E7C5F3E-F9E2-468B-AA0E-D6FAE3CA5A6A@arbor.net> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/x34fHBxV7QOIRtBoBjizCRMYKzY Cc: IPv6 Operations Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 13:29:54 -0000 On 2014-08-19 15:23, Roland Dobbins wrote: > > On Aug 19, 2014, at 8:18 PM, Jeroen Massar wrote: > >> - The ICMP error packet's destination address must qualify uRPF rules for the same interface as the source address.[1] > > Should this language be limited to uRPF, or should it include other anti-spoofing mechanisms, as well? Any kind of mechanism that can check: "is this source address supposed to come from that interface" would qualify IMHO (as long as it does a proper job ;). Greets, Jeroen From nobody Tue Aug 19 07:59:15 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FE421A03DF; Tue, 19 Aug 2014 07:59:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8jxV3cYY6Uxw; Tue, 19 Aug 2014 07:59:04 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 149391A03C8; Tue, 19 Aug 2014 07:59:04 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJks8-0004jE-JT; Tue, 19 Aug 2014 16:58:54 +0200 Message-ID: <53F36622.1000503@si6networks.com> Date: Tue, 19 Aug 2014 11:58:42 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Philip Homburg , Roland Dobbins References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <8E7C5F3E-F9E2-468B-AA0E-D6FAE3CA5A6A@arbor.net> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/_BfrqWO9F_g5Zj2K00wCj3mWCSM Cc: "opsec@ietf.org" , IPv6 Operations Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 14:59:09 -0000 On 08/19/2014 11:37 AM, Philip Homburg wrote: >> >>> - The ICMP error packet's destination address must qualify uRPF rules for= >> the same interface as the source address.[1] >> >> Should this language be limited to uRPF, or should it include other anti-spoofing >> mechanisms, as well? > > At least for TCP it is relatively easy for the host to check whether the sequence > numbers make sense. If they don't, discard the error ICMP. mmm.. not really... check this (from ): o Many implementations fail to perform validation checks on the received ICMPv6 error messages, as recommended in Section 5.2 of [RFC4443] and documented in [RFC5927]. It should be noted that in some cases, such as when an ICMPv6 error message has (supposedly) been elicited by a connection-less transport protocol (or some other connection-less protocol being encapsulated in IPv6), it may be virtually impossible to perform validation checks on the received ICMPv6 error messages. And, because of IPv6 extension headers, the ICMPv6 payload might not even contain any useful information on which to perform validation checks. o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big" error messages, the Destination Cache [RFC4861] is usually updated to reflect that any subsequent packets to such destination should include a Fragment Header. This means that a single ICMPv6 "Packet Too Big" error message might affect multiple communication instances (e.g., TCP connections) with such destination. Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 08:01:01 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7015F1A0376; Tue, 19 Aug 2014 07:11:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TwMWjYS4QQbX; Tue, 19 Aug 2014 07:11:23 -0700 (PDT) Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 591AB1A8906; Tue, 19 Aug 2014 07:11:13 -0700 (PDT) X-Envelope-To: opsec@ietf.org Received: from cupcake.foobar.org (xe-0-0-2.transit07.phb1.foobar.org [87.192.56.84]) (authenticated bits=0) by mail.netability.ie (8.14.9/8.14.5) with ESMTP id s7JEAeHV012392 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 19 Aug 2014 15:11:04 +0100 (IST) (envelope-from nick@foobar.org) X-Authentication-Warning: cheesecake.netability.ie: Host xe-0-0-2.transit07.phb1.foobar.org [87.192.56.84] claimed to be cupcake.foobar.org Message-ID: <53F35AE0.2040304@foobar.org> Date: Tue, 19 Aug 2014 15:10:40 +0100 From: Nick Hilliard User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 MIME-Version: 1.0 To: Jeroen Massar , Fernando Gont , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> In-Reply-To: <53F34EC0.30400@massar.ch> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/nWkaEnDAF8_3Vr7zicTaTCgfJoU X-Mailman-Approved-At: Tue, 19 Aug 2014 08:00:54 -0700 Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 14:11:25 -0000 On 19/08/2014 14:18, Jeroen Massar wrote: > But also for ICMPv4, which has similar attacks. no, it doesn't because in general ipv4 fragments are not dropped. Also, ipv4 handles this by fragmenting en-route rather than sending PTB packets to the source. Nick From nobody Tue Aug 19 08:01:03 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E02A51A890C; Tue, 19 Aug 2014 07:37:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.9 X-Spam-Level: X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iv0d5NRxN_4w; Tue, 19 Aug 2014 07:37:15 -0700 (PDT) Received: from stereo.hq.phicoh.net (stereo6.hq.phicoh.net [IPv6:2001:888:1044:10:2a0:c9ff:fe9f:17a9]) by ietfa.amsl.com (Postfix) with ESMTP id E3ACE1A0382; Tue, 19 Aug 2014 07:37:14 -0700 (PDT) Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #91) id m1XJkXA-0000SGC; Tue, 19 Aug 2014 16:37:12 +0200 Message-Id: To: Roland Dobbins From: Philip Homburg Sender: pch-bBB316E3E@u-1.phicoh.com References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <8E7C5F3E-F9E2-468B-AA0E-D6FAE3CA5A6A@arbor.net> In-reply-to: Your message of "Tue, 19 Aug 2014 20:23:54 +0700 ." <8E7C5F3E-F9E2-468B-AA0E-D6FAE3CA5A6A@arbor.net> Date: Tue, 19 Aug 2014 16:37:11 +0200 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/SdqAlNLMba6UcMPtQGcGBd1B1f4 X-Mailman-Approved-At: Tue, 19 Aug 2014 08:00:51 -0700 Cc: "opsec@ietf.org" , IPv6 Operations Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 14:37:17 -0000 In your letter dated Tue, 19 Aug 2014 20:23:54 +0700 you wrote: >On Aug 19, 2014, at 8:18 PM, Jeroen Massar wrote: > >> - The ICMP error packet's destination address must qualify uRPF rules for= > the same interface as the source address.[1] > >Should this language be limited to uRPF, or should it include other anti-spoofing >mechanisms, as well? At least for TCP it is relatively easy for the host to check whether the sequence numbers make sense. If they don't, discard the error ICMP. From nobody Tue Aug 19 09:17:32 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56E6E1A0645; Tue, 19 Aug 2014 09:17:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 561sFjRQGxB9; Tue, 19 Aug 2014 09:17:29 -0700 (PDT) Received: from bastion.ch.unfix.org (bastion.ch.unfix.org [IPv6:2a02:2528:503:2::4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8F231A063E; Tue, 19 Aug 2014 09:17:28 -0700 (PDT) Received: from yomi.ch.unfix.org (84-73-144-213.dclient.hispeed.ch [84.73.144.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jeroen) by bastion.ch.unfix.org (Postfix) with ESMTPSA id D213310038DA0; Tue, 19 Aug 2014 16:17:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1408465046; bh=YpedaDIl0LGDhDO4gIXOej0pxTSbA4PM4WBmMZYj9gI=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=RVcwhEqiM+tDx+oc7tVEIFkxI4SM+CABoKGMRJc0r4W9pUxz21pSuL7UzDf5CuCmw DFd8RlLMi/RVmhD1AlAOmj7FdMmEa6mR+WD5hFLsq84CBwm/aG/G25YgNwyARC0Gzo n/2x78f05hl7QfqBaPlRb+g/ToCABO2vXcGgHrxZNOeA6FwiDZTiavH5OSwjZZ/Zrg QTlHMoz1GwbTogaAe33MXsakAQCg9ZYZQDGDDZtRXyZ848q58Gzp+4fZsj9IEjcHVF jqN1Ft3/SdYk4tdrO9Rc5WBWYz2Zw3abmPbsJmPBMI163Bi8/3YI3zkd7PlyLaGbuj MToTDqB0FXPKA== Message-ID: <53F37885.9040903@massar.ch> Date: Tue, 19 Aug 2014 18:17:09 +0200 From: Jeroen Massar Organization: Massar MIME-Version: 1.0 To: Nick Hilliard , Fernando Gont , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F35AE0.2040304@foobar.org> In-Reply-To: <53F35AE0.2040304@foobar.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/HsQG83HZppZeoeNux4zTpoRRkhk Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 16:17:31 -0000 On 2014-08-19 16:10, Nick Hilliard wrote: > On 19/08/2014 14:18, Jeroen Massar wrote: >> But also for ICMPv4, which has similar attacks. > > no, it doesn't because in general ipv4 fragments are not dropped. Also, > ipv4 handles this by fragmenting en-route rather than sending PTB packets > to the source. Note the word 'similar' in that sentence. While that specific fragmented attack won't work, one can still spoof return ICMPs and give wrong answers. Anyone remember Rotorouter[1] ? :) Hence, why it is a good idea to do the same checks for IPv4 too and why I avoid mentioning what kind of attack it was solving. It is just good hygiene to check validity of things. Greets, Jeroen [1] http://www.shmoo.com/mail/bugtraq/aug98/msg00110.html From nobody Tue Aug 19 09:30:19 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D3321A066A; Tue, 19 Aug 2014 09:30:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jx6fIQSTu5WE; Tue, 19 Aug 2014 09:30:12 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C9901A0640; Tue, 19 Aug 2014 09:30:12 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJmIT-00054V-30; Tue, 19 Aug 2014 18:30:09 +0200 Message-ID: <53F37A7F.8020708@si6networks.com> Date: Tue, 19 Aug 2014 13:25:35 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Jeroen Massar , Nick Hilliard , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F35AE0.2040304@foobar.org> <53F37885.9040903@massar.ch> In-Reply-To: <53F37885.9040903@massar.ch> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/hDYgLf48iiSv7ZEtnRYk6Y7eYJg Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 16:30:15 -0000 On 08/19/2014 01:17 PM, Jeroen Massar wrote: > > While that specific fragmented attack won't work, one can still spoof > return ICMPs and give wrong answers. > > Anyone remember Rotorouter[1] ? :) > > Hence, why it is a good idea to do the same checks for IPv4 too and why > I avoid mentioning what kind of attack it was solving. It is just good > hygiene to check validity of things. FWIW, I had posted this thingy a while ago: -- essentially BCP38 on the ICMPv4 payload.. Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 09:34:22 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA111A05F5; Tue, 19 Aug 2014 09:34:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHNF5InF8zhE; Tue, 19 Aug 2014 09:34:20 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37F51A6FCF; Tue, 19 Aug 2014 09:34:20 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJmMV-00056N-1j; Tue, 19 Aug 2014 18:34:19 +0200 Message-ID: <53F37C72.6040406@si6networks.com> Date: Tue, 19 Aug 2014 13:33:54 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Jeroen Massar , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> In-Reply-To: <53F34EC0.30400@massar.ch> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/ZY6i8rz9i9A701I7vAz7SwEDX_w Cc: "'opsec@ietf.org'" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 16:34:21 -0000 Hello, Jeroen, On 08/19/2014 10:18 AM, Jeroen Massar wrote: > Hence we should formulate text a bit like: > > 8<------------------------ > When forwarding or receiving an ICMP error packet: > - The IP destination of the packet MUST match the source address > represented in the ICMP error packet. > > - The ICMP error packet's destination address must qualify uRPF rules > for the same interface as the source address.[1] > > As the verified packets are ICMP errors, when the verification fails the > packet MUST be dropped, logging is recommended. > > Due to the checking inside the ICMP portion of a packet: > Access-routers, firewalls and hosts MUST perform these checks. > Core-routers SHOULD perform these checks > > [1] When ICMP-dst address matches IP-src the check should already have > been performed by the standard uRPF check. > ------------------------>8 Should we include something alng this lines to the countermeasures listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking about something else? Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 09:49:03 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FC221A04F1; Tue, 19 Aug 2014 09:48:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAnihqUR5A0D; Tue, 19 Aug 2014 09:48:57 -0700 (PDT) Received: from bastion.ch.unfix.org (bastion.ch.unfix.org [IPv6:2a02:2528:503:2::4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A5C01A0650; Tue, 19 Aug 2014 09:48:56 -0700 (PDT) Received: from yomi.ch.unfix.org (84-73-144-213.dclient.hispeed.ch [84.73.144.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jeroen) by bastion.ch.unfix.org (Postfix) with ESMTPSA id 09FC810034BE7; Tue, 19 Aug 2014 16:48:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=massar.ch; s=DKIM2009; t=1408466933; bh=2Y7S/GVTibKjrrPfWqWxatouUSki6OGtN8+4knEk414=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=fsZY1T0DG1StynpMHM0iO9Ti/2tcWD1Jl9wabtyX9eoJUKk3duAdqno9iL/CsemOS Z3NLEBvWQumPJKNWEPydTmj4mWMGIWbT4/u1dfIH9cEC5jbj9v16NSNi4H5216QsqZ FCOyEF5ffYV+0pG3eMvyCTAEOv7uD0kcumC6PmtI6ebcR3ctJtQxtkp4/q6GFdhdjS Po7IXzI34GcPnipGWYv/LnQ9opUzz8LtOWHiHc96p3djBhcA96hme6TZLp6qsLdk2u GRdAIgeHsOxgmxurgXXOkNWLhFd3LLQLzCwYWRpMjluGZtB2d83FTCf5PaXydY6fKi 8qvC/uKr5SQGQ== Message-ID: <53F37FE6.6080306@massar.ch> Date: Tue, 19 Aug 2014 18:48:38 +0200 From: Jeroen Massar Organization: Massar MIME-Version: 1.0 To: Fernando Gont , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F37C72.6040406@si6networks.com> In-Reply-To: <53F37C72.6040406@si6networks.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/jUrTK1M6fG2UcTV629SmPaJzjlw Cc: "'opsec@ietf.org'" , Nick Hilliard Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 16:48:58 -0000 [merging two different replies back into one] On 2014-08-19 18:33, Fernando Gont wrote: > Hello, Jeroen, > > On 08/19/2014 10:18 AM, Jeroen Massar wrote: >> Hence we should formulate text a bit like: >> >> 8<------------------------ >> When forwarding or receiving an ICMP error packet: >> - The IP destination of the packet MUST match the source address >> represented in the ICMP error packet. >> >> - The ICMP error packet's destination address must qualify uRPF rules >> for the same interface as the source address.[1] >> >> As the verified packets are ICMP errors, when the verification fails the >> packet MUST be dropped, logging is recommended. >> >> Due to the checking inside the ICMP portion of a packet: >> Access-routers, firewalls and hosts MUST perform these checks. >> Core-routers SHOULD perform these checks >> >> [1] When ICMP-dst address matches IP-src the check should already have >> been performed by the standard uRPF check. >> ------------------------>8 > > Should we include something alng this lines to the countermeasures > listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking > about something else? While it kind-of has a place there, (ipv6-ehs-in-real-world) is a "current state of the Internet" regarding this problem, it thus introduces the problem. Hence, a short, separate document which updates ICMPv4 + ICMPv6 referencing that draft would be more appropriate IMHO. Especially as then it is quicker for implementers to see what they need to get done to solve the issue. Hence, a short intro with "this is the problem: ....; for more detail see draft-X + RFC5927" + "do this in your ICMPv4/v6 stacks" would be a good start. Then we might be able to get it quickly into at least Linux and BSD kernels which is what most access-router/firewalls are being built upon. On 2014-08-19 18:25, Fernando Gont wrote: > On 08/19/2014 01:17 PM, Jeroen Massar wrote: >> >> While that specific fragmented attack won't work, one can still spoof >> return ICMPs and give wrong answers. >> >> Anyone remember Rotorouter[1] ? :) >> >> Hence, why it is a good idea to do the same checks for IPv4 too >> and why I avoid mentioning what kind of attack it was solving. >> It is just good hygiene to check validity of things. > > FWIW, I had posted this thingy a while ago: > > -- essentially BCP38 on the ICMPv4 payload.. aka RFC 5927, though only informational even though it went through WG review it seems. That indeed touches upon the subject quite a bit too, and would be a good thing to reference from a draft dubbed: "ICMPv4 + ICMPv6 Address Verification" Greets, Jeroen From nobody Tue Aug 19 10:19:49 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C49E31A04E9; Tue, 19 Aug 2014 10:19:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJX9yc70ZEZf; Tue, 19 Aug 2014 10:19:43 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C57D1A048D; Tue, 19 Aug 2014 10:19:43 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJn4N-0005F5-QH; Tue, 19 Aug 2014 19:19:40 +0200 Message-ID: <53F386F2.2060900@si6networks.com> Date: Tue, 19 Aug 2014 14:18:42 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: Jeroen Massar , IPv6 Operations References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F37C72.6040406@si6networks.com> <53F37FE6.6080306@massar.ch> In-Reply-To: <53F37FE6.6080306@massar.ch> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/RimQwB_x7N0H8ZJ308aL6T2kl4k Cc: "'opsec@ietf.org'" , Nick Hilliard Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 17:19:45 -0000 On 08/19/2014 01:48 PM, Jeroen Massar wrote: >> Should we include something alng this lines to the countermeasures >> listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking >> about something else? > > While it kind-of has a place there, (ipv6-ehs-in-real-world) is a > "current state of the Internet" regarding this problem, it thus > introduces the problem. > > Hence, a short, separate document which updates ICMPv4 + ICMPv6 > referencing that draft would be more appropriate IMHO. Ok, makes sense. >>> Hence, why it is a good idea to do the same checks for IPv4 too >>> and why I avoid mentioning what kind of attack it was solving. >>> It is just good hygiene to check validity of things. >> >> FWIW, I had posted this thingy a while ago: >> >> -- essentially BCP38 on the ICMPv4 payload.. > > aka RFC 5927, though only informational even though it went through WG > review it seems. It took 7 years to publish... and not because of slacking. It was insane. :-) Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 11:11:32 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4D3F1A0684; Tue, 19 Aug 2014 11:11:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.602 X-Spam-Level: X-Spam-Status: No, score=-1.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9KfcaTPn4Ysh; Tue, 19 Aug 2014 11:11:14 -0700 (PDT) Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F34AB1A066D; Tue, 19 Aug 2014 11:11:13 -0700 (PDT) Received: from 18-132-17-190.fibertel.com.ar ([190.17.132.18] helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.83) (envelope-from ) id 1XJnsE-0005PR-EB; Tue, 19 Aug 2014 20:11:10 +0200 Message-ID: <53F3931F.9050601@si6networks.com> Date: Tue, 19 Aug 2014 15:10:39 -0300 From: Fernando Gont User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 To: =?UTF-8?B?56We5piO6YGU5ZOJ?= References: <53F33C4F.2070807@si6networks.com> In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/MzuRjmwB8uY5jdyI9TlRSSTLVaw Cc: IPv6 Operations , "opsec@ietf.org" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 18:11:18 -0000 Hi, Jinmei, On 08/19/2014 02:58 PM, 神明達哉 wrote: >> As noted in the I-D, the mitigations seem to be: >> >> 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6 >> PTB, or, >> >> 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU >> smaller than 1280. >> >> Thoughts? > > In my general understanding, ICMPv6 PTB with the MTU < 1280 could be > only (at least in practice) used for the "stateless" type of IPv4/v6 > translators so that the IPv6-only host can give the translator a hint > for the 16-bit IPv4 header ID value. Am I correct? Yes. (That's the theory, at least. Me, I'd say that the host is really in no better position than the translator to pick a Frag ID... actually, it's in a much worse position). > If so, one possible alternative would be to drop such ICMPv6 PTB > unless the source IPv6 address is one of those reserved for such use > (as defined in RFC 6052). Source of the ICMPv6 message? If so, I'd say that while that's certainly better than the current situation, unless there's widespread deployment of BCP38, an attacker could still forge an ICMPv6 with one of such addresses and still perform the attack.. > Then we can at least reduce the problem to > source address spoofing. And, unless/until we heavily rely on such > types of translators, this may be actually sufficient in practice, > since in the vast majority of legitimate cases we should use different > addresses than those special ones. I must say that I fail to see the need for generating IPv6 atomic fragments 8packets with a frag header, which are not really fragmented). See e.g. what we wrote in . Thoughts? Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 From nobody Tue Aug 19 11:42:17 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617721A0665; Tue, 19 Aug 2014 10:58:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.978 X-Spam-Level: X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmarFEBdiCZ3; Tue, 19 Aug 2014 10:58:03 -0700 (PDT) Received: from mail-we0-x236.google.com (mail-we0-x236.google.com [IPv6:2a00:1450:400c:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD99F1A065F; Tue, 19 Aug 2014 10:58:02 -0700 (PDT) Received: by mail-we0-f182.google.com with SMTP id k48so6819062wev.13 for ; Tue, 19 Aug 2014 10:58:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=OEJe297rAinQyx6hjtS3gYSrxW5i18ysPS+q8oxDjww=; b=dBTiE8W2XaG0rZV24Akw4F0k+KsUQMydUM25nVd24OzezMcbnzYPCTuFEgq92dG43O PUj89DyBRvUQucDBguW93Z5XHIHcYOUedB/UUmera8bqazjpngwHjLH1xO/yGAiWJEPO GNTOaRjpLMngp1Qaxsm09VTnuvHZSnW8ADKhL7G81QXt5xk3pFoLOslJWFXV3Lsutaoc MhXofD3Neq4HoQ9QOPV5SAA0FPhcTPUnnXZnpNvsRJkoFhlFBaGhiebdoFOP32N4kuzr v+WNt5E9wDMgu1UC+yoE7t0Cv6uDu4C6wLiIKlGs41uehD/U6RhPzyJT/twb4+y+yqb8 9KOw== MIME-Version: 1.0 X-Received: by 10.180.80.133 with SMTP id r5mr8548105wix.62.1408471081403; Tue, 19 Aug 2014 10:58:01 -0700 (PDT) Sender: jinmei.tatuya@gmail.com Received: by 10.194.123.164 with HTTP; Tue, 19 Aug 2014 10:58:01 -0700 (PDT) In-Reply-To: <53F33C4F.2070807@si6networks.com> References: <53F33C4F.2070807@si6networks.com> Date: Tue, 19 Aug 2014 10:58:01 -0700 X-Google-Sender-Auth: QFtG_KIiw0MDqLS6Z27ZyGjwiXM Message-ID: From: =?UTF-8?B?56We5piO6YGU5ZOJ?= To: Fernando Gont Content-Type: text/plain; charset=UTF-8 Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/SLCUs536k-orDH7Hc3NvMW0MyNo X-Mailman-Approved-At: Tue, 19 Aug 2014 11:42:15 -0700 Cc: IPv6 Operations , "opsec@ietf.org" Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Aug 2014 17:58:04 -0000 At Tue, 19 Aug 2014 09:00:15 -0300, Fernando Gont wrote: > you could essentially DoS traffic between them > > As noted in the I-D, the mitigations seem to be: > > 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6 > PTB, or, > > 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU > smaller than 1280. > > Thoughts? In my general understanding, ICMPv6 PTB with the MTU < 1280 could be only (at least in practice) used for the "stateless" type of IPv4/v6 translators so that the IPv6-only host can give the translator a hint for the 16-bit IPv4 header ID value. Am I correct? If so, one possible alternative would be to drop such ICMPv6 PTB unless the source IPv6 address is one of those reserved for such use (as defined in RFC 6052). Then we can at least reduce the problem to source address spoofing. And, unless/until we heavily rely on such types of translators, this may be actually sufficient in practice, since in the vast majority of legitimate cases we should use different addresses than those special ones. -- JINMEI, Tatuya From nobody Tue Aug 19 15:58:57 2014 Return-Path: X-Original-To: opsec@ietfa.amsl.com Delivered-To: opsec@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A7101A6FA1; Tue, 19 Aug 2014 15:58:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NFJk4r2myWSu; Tue, 19 Aug 2014 15:58:50 -0700 (PDT) Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 814101A6F9B; Tue, 19 Aug 2014 15:58:50 -0700 (PDT) Received: by mail-oi0-f53.google.com with SMTP id e131so5162342oig.12 for ; Tue, 19 Aug 2014 15:58:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=l9RBnPfkuZBxk7mV4kLWvR1v+NKWxA//psxP1OIJvsY=; b=04bD3LDorcKfkkCk8uICX5Kp/npzlyzMWe4Lrq/nF+KAW9b/KfVjSd7/P34BZOk6B3 y2Fzq3DTh3qqTbcjXOQOtDppx9rvjbLIQDxIFtDYvhSjuCAQLak5VKgSmKUURZtGDb42 TxZ4sCfQSid8nl43biuFHjgM9q1gLSJIzru1ZQ9x800rPyzVU+DjfPabzlGNGzjake05 HXPu2sA5khCdHcfr9EUJz28gYRsJjm6ZWgOydr2KPJ80ciwbES1hI18yRnD4z+CgBEKY BfGe2S3UqDZ+ixi5FS74KxL8TvBCL6PnwLlNymZnBXj3W7WxFi3KeMVutNVB5eRHr1M7 v2FQ== X-Received: by 10.60.103.195 with SMTP id fy3mr46704274oeb.35.1408489129979; Tue, 19 Aug 2014 15:58:49 -0700 (PDT) Received: from [130.216.38.108] (sc-cs-567-laptop.cs.auckland.ac.nz. [130.216.38.108]) by mx.google.com with ESMTPSA id bz3sm30570557oec.10.2014.08.19.15.58.47 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Aug 2014 15:58:49 -0700 (PDT) Message-ID: <53F3D6AB.4090505@gmail.com> Date: Wed, 20 Aug 2014 10:58:51 +1200 From: Brian E Carpenter Organization: University of Auckland User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Lorenzo Colitti References: <53F33C4F.2070807@si6networks.com> <53F3931F.9050601@si6networks.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Archived-At: http://mailarchive.ietf.org/arch/msg/opsec/Y1o9eZlZ1VK-nL8JFD7aFolSJ9U Cc: Fernando Gont , IPv6 Operations , "opsec@ietf.org" , =?UTF-8?B?56We5piO6YGU5ZOJ?= Subject: Re: [OPSEC] [v6ops] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops X-BeenThere: opsec@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: opsec wg mailing list List-Unsubscribe: , List-Archive: