IETF Logo Mail Archive

Question regarding Ra-Guard evasion (ND and extensio headers)

Fernando Gont <fernando@gont.com.ar> Fri, 10 June 2011 22:08 UTC

Return-Path: <fernando.gont.netbook.win@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0678711E81D4; Fri, 10 Jun 2011 15:08:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.778
X-Spam-Level:
X-Spam-Status: No, score=-2.778 tagged_above=-999 required=5 tests=[AWL=0.822, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VBDMongDPP5D; Fri, 10 Jun 2011 15:08:27 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 36C5411E8104; Fri, 10 Jun 2011 15:08:27 -0700 (PDT)
Received: by ywp31 with SMTP id 31so1575568ywp.31 for <multiple recipients>; Fri, 10 Jun 2011 15:08:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:message-id:date:from:user-agent :mime-version:to:subject:x-enigmail-version:content-type :content-transfer-encoding; bh=LJCWCqhfSC5IVj+XF4amDXXNRadXPhy6uZBxNmXWyMg=; b=xiYuAAAVVC6C10wdipLGs2PCgK3CiLo2CUXAl0ufAxQehXbk9zsq9Kj/xbJBrh35yV JT/hTeZlW7TH9JDllLIlA9+hJE9tR/QAMLtcEOMvyrL4e9cE0y3ji0dHqf8hOknokFCp O0kMqQvTFZ7h8l+2Iy4xChMd3vQt58F9RfkKM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :x-enigmail-version:content-type:content-transfer-encoding; b=OgV8nakN1z7z7KCF4P/eNz6MetGamVjm4OdWItWgKxc1bRezqoZGb5+IKajn8LXSjI MbLZKuJewajClfgn17ZuDjeN0yoUQfF4nC90FtWzjrO1exCNJ6HbeAttDZCkMJ8k/yA2 gwVrZgStSCt6jwYwpEN94zdh7F0IlblpDdQUc=
Received: by 10.91.173.11 with SMTP id a11mr3623443agp.105.1307743706675; Fri, 10 Jun 2011 15:08:26 -0700 (PDT)
Received: from [192.168.123.103] ([190.48.244.18]) by mx.google.com with ESMTPS id x33sm2946286ana.22.2011.06.10.15.08.24 (version=SSLv3 cipher=OTHER); Fri, 10 Jun 2011 15:08:26 -0700 (PDT)
Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4DF291D0.7080707@gont.com.ar>
Date: Fri, 10 Jun 2011 18:51:12 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110516 Thunderbird/3.1.10
MIME-Version: 1.0
To: IPv6 Operations <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Question regarding Ra-Guard evasion (ND and extensio headers)
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2011 22:08:28 -0000

Hi,

Some folks have expressed (both on-list and off-list) that they would
prefer a less agressive solution for the RA-Guard evasion vulnerability.
So I'd like to hear comments about the possible alternatives..

The current I-Ds (draft-gont-6man-nd-extension-headers and
draft-gont-v6ops-ra-guard-evasion) basically take this approach:

* Prohibit use of extension headers in ND messages. A host
implementation must not produce these packets, and must discard them if
it receives them
* This results in a RA-Guard implementation that is as simple as
possible (it only has to look at the header following the fixed IPv6
header).


A more relaxed approach would be as follows:
* Extension headers are allowed with ND messages.
* If the packet is fragmented, the upper-layer header (ICMPv6 in this
case) must be present in the first fragment (i.e., hosts must not
generate packets that violate this requirement, and must discard them if
they receive them).
* Possibly have the RA-Guard box enforce a limit on the maximum number
of extension headers that it will process (e.g., if after jumping to
the, say 10th header the upper-layer header is not found, drop the packet)
* This approach is less aggressive than the one proposed in the
aforementioned I-Ds (i.e., more flexibility), but of course would also
mean that the RA-Guard implementation would need to follow the header
chain, thus leading to increased complexity, and possible performance
issues.

Any comments/thoughts will be very much appreciated.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

v2.23.0 | Report a Bug | By Email