Hi Warren,


From: Warren Kumari <warren@kumari.net>
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Cc: Enno Rey <erey@ernw.de>; Ole Troan <otroan@employees.org>; "v6ops@ietf.org" <v6ops@ietf.org>; "ipv6-wg@ripe.net" <ipv6-wg@ripe.net>
Sent: Saturday, 20 June 2015, 6:19
Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security Devices

On Fri, Jun 19, 2015 at 5:13 AM, Mark ZZZ Smith
<markzzzsmith@yahoo.com.au> wrote:
>
> ________________________________
> From: Enno Rey <erey@ernw.de>
> To: Ole Troan <otroan@employees.org>
> Cc: v6ops@ietf.org; ipv6-wg@ripe.net
> Sent: Friday, 19 June 2015, 18:34
> Subject: Re: [v6ops] [ipv6-wg] Extension Headers / Impact on Security
> Devices
>
<snip>

>
> / I think you're only expressing the view of many security engineers, not
> the many network engineers or the many more users of networks. At an ISP, if
> you block traffic your customer wants send, all you get is angry customers.

... and at an ISP if your customer calls you up because they are being
DDoSed out of existence with traffic at some port that they don't use,
and you tell them at that you cannot filter UDP port 80 because, well,
you cannot find it, you also end up with an angry customer.

/ If you can't find it, that may be because it isn't actually there.

/ Here's what I wrote in my earlier email what problem/problems being solved email about network capacity DoS:

/  "(1) I think TCP/UDP port level filtering for this purpose is certainly a nice to have but not a necessary to have, because network capacity DoSs will use some other protocol for their DoS if mitigating DoSs using TCP/UDP traffic becomes too effective. Completely dropping DoS traffic identified just by src and/or dst address, or plonking that traffic into a scavenger QoS class for a while if complete dropping is too severe is a general solution that will work regardless of the type of DoS traffic. Using TCP/UDP ports if they're easily available would allow the dropping to be more granular, but is not required to mitigate the network capacity DoS."

/ although I'd reword that last sentence and say something like "Using TCP/UDP ports if they're easily available would allow the dropping to be more granular, but cannot be relied on to mitigate all network capacity DoSes."

/ If the motivation of the DoS attacker is to exhaust network capacity, then they don't really care what type of traffic it is. Using UDP or TCP is probably convenient, but if that becomes too easy to block, they'll use something else.

/ OTOH, if their motivation is to DoS a particular application, then you're going to have to let some of it through because some of it is legitimate via something like the policed/shaped QoS class, as well as possibly by dropping traffic from a set of sources that appear to be DoS traffic origins rather than legitimate sources.

/ Perhaps wanting the TCP and UDP headers in a known location in the packet so that simple ACLs can filter them is a more specific case of being able to filter packets using a bit mask in an arbitrary specified location within the packet. I'm not aware of any routers where this is an option in ACLs (although it is ringing a very small bell), so perhaps that is what is missing from routers today (I don't know much about OpenFlow, although I'd have expected OF switches to be able to do this. However, quickly downloading and looking at the OF specs, it doesn't seem that specifying an arbitrary bit range and mask to match on is supported). Being able to do that would not only make ACLs more general purpose, but would also allow more accurate filtering on non-TCP/UDP packets too, rather than just using source and/or destination addresses for this traffic. I think that would better alleviate the desire of people to restrict transport layer protocols to only TCP/UDP.

/ A DoS attacker could overcome that by randomising packet contents, however that is more work for them, and I think would classify the DoS attack as a network capacity exhaustion attack, meaning that the methods such as dropping or policing/shaping high volume sources using just IP addresses would be more effective.


> They're paying you to deliver any and all of their packets as well as
> possible, with as minimum restrictions as possible, ideally none, rather
> than the opposite.

Perhaps. I figure they are /actually/ paying you to provide them with
good service. Sometimes that includes filtering for them, because you
have bigger pipes than them...

/ I think sanitising traffic is a different and much harder problem to solve than mitigating a DoS attack. I think mitigating DoSes is enough of a service to provide to customers as part of their Internet access, because going any "deeper" means getting involved in what protocols and therefore what applications the customer is choosing to use and may choose to use in the future. That's a separate service.

/ Regards,
/ Mark.


W

> This is why I don't think you'll ever get consensus on
> deprecating EHs, because I think you're only coming the position of trying
> to solve problem (3) I described in my last email.
>
> / I'd also observe that deprecating EHs, other than ESP, AH+FH, TCP and UDP,
> would also prevent them from being used behind the ESP EH - where you won't
> be able to see what is in them, so you won't be able to care what is in
> them. You'll also be preventing people from other transport layer protocols,
> such as SCTP and DCCP, that are feasible to deploy over the IPv6 Internet
> that couldn't be over the IPv4 network because of IPv4 NAT and other middle
> boxes.
>
> thanks
>
> Enno
>
>
>
>
>>
>> cheers,
>> Ole
>
>
>
> --
> Enno Rey
>
> ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
>
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Enno Rey
>
> =======================================================
> Blog:  || Conference: www.troopers.de



> Twitter: @Enno_Insinuator
>
>
>
> =======================================================
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
>
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

>



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
  ---maf