On 02/07/2015 09:00 PM, Brian E Carpenter wrote:
> On 08/02/2015 09:37, Ted Lemon wrote:
>> On Feb 7, 2015, at 1:25 PM, Joel Jaeggli <[email protected]> wrote:
>>> Right one would expect future extension headers to match the TLV
>>> expectations of 6564. I can live with the removal of filtering
>>> advice but I'd like to see that run past the working group at the
>>> very least.
>> 
>> Sounds like a good plan.   Thanks!
> 
> However, I don't think you should remove this sentence and the
> normative reference to RFC 7045:
> 
> [RFC7045] requires that nodes be configurable with respect to whether
> packets with unrecognized headers are forwarded, and allows the
> default behavior to be that such packets be dropped.

Well, IMO, what Ted is essentially saying is that we cannot take the
advice from RFC7045 (!).

When this document says that DHCPv6 shield should (by default) filter
packets with unrecognized IPv6 extension headers, it does so by backing
the requirement with RFC7045. Namely, it says:

---- cut here ----
   3.  When parsing the IPv6 header chain, if the packet is identified
       to be a DHCPv6 packet meant for a DHCPv6 client or the packet
       contains an unrecognized Next Header value, DHCPv6-Shield MUST
       drop the packet, and SHOULD log the packet drop event in an
       implementation-specific manner as a security alert.
       DHCPv6-Shield MUST provide a configuration knob that controls
       whether packets with unrecognized Next Header values are dropped;
       this configuration knob MUST default to "drop".

          RATIONALE: An unrecognized Next Header value could possibly
          identify an IPv6 Extension Header, and thus be leveraged to
          conceal a DHCPv6-server packet (since there is no way for
          DHCPv6-Shield to parse past unrecognized Next Header values
          [I-D.gont-6man-rfc6564bis]).  [RFC7045] requires that nodes be
          configurable with respect to whether packets with unrecognized
          headers are forwarded, and allows the default behavior to be
          that such packets be dropped.
---- cut here ----

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
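
The filtering rule quoted above (step 3 and its RATIONALE), as an added example that is not part of the draft or of this thread: a Python walker over the IPv6 header chain that recognises only the Hop-by-Hop, Routing and Destination Options headers (the RFC 6564 uniform layout) and treats any other Next Header it cannot parse past as unrecognized. The build() helper, the knob name drop_unrecognized and the sample packets are constructed for the demonstration.

```python
import struct

IPV6_HDR_LEN = 40
DHCPV6_CLIENT_PORT = 546        # server-to-client DHCPv6 messages go to UDP/546
UDP, TCP, ICMPV6 = 17, 6, 58
TLV_EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options (RFC 6564 layout)
KNOWN_UPPER = {TCP, ICMPV6}     # upper-layer protocols that cannot carry DHCPv6

def shield_verdict(pkt: bytes, drop_unrecognized: bool = True) -> str:
    """Apply step 3 of the quoted draft to one packet received on a non-server port.
    drop_unrecognized models the configuration knob, whose default MUST be 'drop'."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "drop"                       # not a parseable IPv6 packet
    nh, off = pkt[6], IPV6_HDR_LEN
    while True:
        if nh in TLV_EXT_HEADERS:
            if off + 2 > len(pkt):
                return "drop"               # header chain truncated
            # Next Header, then Hdr Ext Len in 8-octet units not counting the first 8
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == UDP:
            if off + 4 > len(pkt):
                return "drop"
            dport = struct.unpack_from("!H", pkt, off + 2)[0]
            # DHCPv6 packet meant for a client: MUST drop (and SHOULD log the event)
            return "drop" if dport == DHCPV6_CLIENT_PORT else "forward"
        elif nh in KNOWN_UPPER:
            return "forward"
        else:
            # Unrecognized Next Header: it might be an extension header concealing a
            # DHCPv6 server packet, and the chain cannot be parsed past it.
            return "drop" if drop_unrecognized else "forward"

def build(ext_headers, last_nh=UDP, dport=DHCPV6_CLIENT_PORT) -> bytes:
    """Constructed sample packet: IPv6 header, the listed Hop-by-Hop (0) or
    Destination Options (60) headers as one 8-octet block each carrying a single
    PadN option, then a UDP header with the given destination port."""
    nhs = list(ext_headers) + [last_nh]
    body = b"".join(bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) for nxt in nhs[1:])
    body += struct.pack("!HHHH", 547, dport, 8, 0)   # UDP: sport, dport, length, cksum
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(body), nhs[0], 64, bytes(16), bytes(16))
    return ip6 + body

if __name__ == "__main__":
    print(shield_verdict(build([])))                 # drop: DHCPv6 to a client
    print(shield_verdict(build([0, 60])))            # drop: same, behind two known headers
    print(shield_verdict(build([], dport=53)))       # forward: ordinary UDP
    print(shield_verdict(build([0], last_nh=253)))   # drop: unrecognized Next Header (253 = experimental)
    print(shield_verdict(build([0], last_nh=253), drop_unrecognized=False))  # forward: knob off
```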
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec