[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-v6ops-cpe-simple-security-00



Under the heading "better late than never"...

On 5 dec 2007, at 0:56, james woodyatt wrote:

o Check all traffic to and from the public Internet for basic sanity, e.g. anti-spoofing and "martian" filters. o Allow tracking of application usage by source and destination transport addresses. o Provide a barrier against untrusted external influences on the interior network by requiring filter state to be activated by traffic originating at interior network nodes. o Allow manually configured exceptions to the stateful filtering rules according to network administration policy."

The first bullet is fairly obvious (although personally I've never felt the need to filter packets that are going to fail just fine on their own) but I'm not quite sure what the other bullets get at...

I keep hearing the phrase "attack surfaces" every time I try to run that argument past my security advisors.

Maybe a bit more text can clarify the intention of especially the second bullet?

What about packets with unknown next headers?

Indeed. What about them? I would assert that packet filters should assume they are last headers and treat them like unknown transport layer headers. Is there another option available?

Nothing that works reliable and/or makes the security people happy... I'm starting to lean towards the position that an important job of this document is also to specify what should NOT be filtered. Considering that, I think it's reasonable to say that packets with unrecognized headers should be filtered, but we need a list of headers that must be recognized so that filtering can happen on what follows that header. This list would contain at least:

- fragment header
- IPsec AH and ESP (without encryption, otherwise the next header isn't visible)
- routing headers for mobility
- shim6  :-)
- hop-by-hop headers?

The people who want to be "protected" by these packet filters are mainly concerned with keeping the innovations of malware developers from interfering with their private network resources.

Ah, yes, but these filters both apply to people who want to be protected and people who don't care much to be protected. (If they're really strongly against it they'll find out how to disable the filter, hopefully.)

So the "a few security measures is good, so a lot of them must be really good" logic that people with "security" in their jobtitle usually employ can't dictate what happens here.

PMTUD is mentioned but no language about allowing the required packet too big messages through. This is extremely important, PMTUD black holes are a big problem, and some of the IPv4 worarounds aren't available in IPv6. It may even be useful to allow the CPE to advertise a reduced MTU on the LAN side to work around upstream PMTUD breakage, although it wouldn't be a good idea to enable this by default, IMO.

I thought I included that. Do you have suggested language for improving R12, R13, R23 and R24?

(I'm looking at rev 01 now, not sure how much has changed.)

R12 and R23 only talk about unreachables. However, with IPv6 too big is no longer a subclass of unreachable, so it must be mentioned explicitly.

Perhaps, you are concerned about SCTP, DCCP and future transport layer protocols?

No... I probably should be, though.  :-)

Some other stuff that routinely cause trouble with at least some firewalls: diffserv bits in the IP header, ECN, TCP options in general and window scale in particular. Do we need to say anything about these? (Some firewalls ignore the window scale option but then block "out of window" segments.)

Hmm.  Sounds strangely familiar.

We might be getting ahead of the BEHAVE group on the subject of TCP stateful packet filtering behavior, but that's probably not a bad thing.

Can we say something useful about window scale? "Monitor the window scale option" would be good, but probably not enough: with just stateful filtering, it's possible to reestablish lost state from an outgoing packet in the middle of a session. Assuming wscale=0 in that case would be bad. Would it be harmful to skip the in-window check? If not, can we come up with a reasonable upper bound window scale that can be assumed in such cases? I'm thinking someone behind a consumer CPE would be needing a window of no more than about 256 MB (gigabit ethernet and 2000 ms RTT) but that may be a bit on the high side...