On 02/09/2015 11:41 AM, Ted Lemon wrote:
> On Feb 9, 2015, at 1:02 AM, C. M. Heard <[email protected]> wrote:
>> - A new extension header is defined that makes sense to sandwich in
>>   front of a DHCPv6 packet (not all do; some extension headers are
>>   required to have a next header value of "no next header")
>>
>> - This extension header is unknown to a DHCPv6-Shield
>>   implementation
>>
>> - This extension header is known and considered valid by a host
>>   that the DHCPv6-Shield implementation is trying to protect
>
> In addition to being known by the host, the extension header would
> have to be a standard extension header that does not conform to RFC
> 6564. Otherwise, the switch can just skip over it even though it's
> nominally "unknown." Having skipped over it, it would correctly
> reach the UDP protocol header, and notice that the packet was a DHCP
> packet.
>
> I think it's safe to assume that no future extension header that is
> standardized will fail to conform to RFC 6564.

It is not. As noted, RFC6564 doesn't buy you anything. And if we decide
to fix the problem in question (e.g., as described in
draft-gont-6man-rfc6564bis-00.txt), then I can guarantee that new IPv6
EHs will *not* follow the format in RFC6564.

(And I'd say that "assumptions" have been the source of most security
flaws in protocols and implementations I've seen).

> Hence, we do not need to worry that the host will be able to parse a
> new extension header, but that the DHCPv6-shield device will not.
> Hence, there is no need to drop packets with unknown extension
> headers.
>
> This is particularly important, because in dropping packets with
> unknown extension headers, we are _also_ dropping packets with
> unknown protocol headers. That is the real harm of the language of
> the document as it is currently written.

You can't be worried about new transport protocols and at the same time
support RFC6564. If you assume that new EHs will follow RFC6564, then
you're banning *from scratch* deployment of new transport protocols (!).

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
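The dilemma the two posts argue over can be made concrete with a toy header-chain walker. The following is an added example, not code from either poster nor from any DHCPv6-Shield implementation: it walks an IPv6 extension-header chain looking for a DHCPv6 server-to-client UDP datagram (source port 547) and takes an `unknown_policy` parameter (a name invented here) that is either "drop" or "assume_rfc6564". With "drop", a packet carrying a hypothetical new transport protocol (numbered with the RFC 4727 experimental value 253 as a stand-in) is rejected outright; with "assume_rfc6564", the filter reads the first two bytes of that transport's payload as if they were a next-header/length pair and can walk straight into a misclassification. All packets are constructed inline with zeroed addresses.

```python
"""Toy DHCPv6-Shield-style classifier (added example, not a real implementation)."""
import struct

IPV6_HDR_LEN = 40

# IANA protocol / next-header numbers used below
NH_HOPOPTS, NH_TCP, NH_UDP, NH_ROUTING, NH_FRAGMENT = 0, 6, 17, 43, 44
NH_ESP, NH_AH, NH_ICMPV6, NH_NONE, NH_DSTOPTS = 50, 51, 58, 59, 60
NH_MOBILITY, NH_HIP, NH_SHIM6 = 135, 139, 140
NH_EXPERIMENT = 253  # RFC 4727 experimental value; stands in for an unknown header

# Extension headers in the RFC 6564 uniform format: byte 0 = next header,
# byte 1 = length in 8-octet units not counting the first 8 octets.
UNIFORM_EHS = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS, NH_MOBILITY, NH_HIP, NH_SHIM6}
KNOWN_UPPER = {NH_TCP, NH_ICMPV6}  # upper-layer protocols we let through untouched
DHCPV6_SERVER_PORT = 547


def classify(pkt, unknown_policy="drop"):
    """Return the filter verdict for one IPv6 packet.

    unknown_policy: "drop"            -> unknown next-header value is rejected
                    "assume_rfc6564"  -> step over it as if it were a uniform EH
    """
    if len(pkt) < IPV6_HDR_LEN:
        return "drop-malformed"
    nh, off = pkt[6], IPV6_HDR_LEN
    for _ in range(16):  # bound the chain walk
        if nh == NH_NONE:
            return "pass"
        if off + 2 > len(pkt):
            return "drop-malformed"
        if nh == NH_UDP:
            if off + 8 > len(pkt):
                return "drop-malformed"
            sport, _dport = struct.unpack_from("!HH", pkt, off)
            return "drop-dhcpv6-server" if sport == DHCPV6_SERVER_PORT else "pass"
        if nh in KNOWN_UPPER:
            return "pass"
        if nh == NH_ESP:
            return "pass-opaque"  # known, but nothing after it can be parsed
        if nh == NH_FRAGMENT:
            size = 8  # fixed size; fragmentation policy is out of scope here
        elif nh == NH_AH:
            size = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units
        elif nh in UNIFORM_EHS:
            size = (pkt[off + 1] + 1) * 8
        elif unknown_policy == "assume_rfc6564":
            size = (pkt[off + 1] + 1) * 8  # guessing: may be payload, not a header
        else:
            return "drop-unknown"
        nh, off = pkt[off], off + size
    return "drop-malformed"


# --- constructed sample packets -------------------------------------------
def ipv6(nh, payload):
    """Minimal IPv6 header: version 6, zero flow label, zeroed addresses."""
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + b"\x00" * 32 + payload


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def uniform_eh(nh, body):
    """Encode a uniform-format EH, padding the body to a multiple of 8 octets."""
    total = 2 + len(body)
    pad = (-total) % 8
    return bytes([nh, (total + pad) // 8 - 1]) + body + b"\x00" * pad


# DHCPv6 server->client, no extension headers
PKT_DHCPV6_PLAIN = ipv6(NH_UDP, udp(547, 546))
# Same, behind a Destination Options header (PadN option) the filter knows
PKT_DHCPV6_DSTOPTS = ipv6(NH_DSTOPTS, uniform_eh(NH_UDP, b"\x01\x04\x00\x00\x00\x00") + udp(547, 546))
# Hypothetical new transport protocol whose payload happens to start 0x3a 0x00
PKT_NEW_TRANSPORT_LUCKY = ipv6(NH_EXPERIMENT, b"\x3a\x00" + b"\x00" * 6 + b"x" * 16)
# Hypothetical new transport protocol whose payload happens to look like
# "next header UDP, length 0" followed by bytes that decode as port 547
PKT_NEW_TRANSPORT_UNLUCKY = ipv6(NH_EXPERIMENT, b"\x11\x00" + b"\x00" * 6 + udp(547, 546, b"hello"))
# ESP: known header, but the filter cannot see past it
PKT_ESP = ipv6(NH_ESP, b"\x00" * 16)


if __name__ == "__main__":
    for name, pkt in [("plain", PKT_DHCPV6_PLAIN), ("dstopts", PKT_DHCPV6_DSTOPTS),
                      ("new-lucky", PKT_NEW_TRANSPORT_LUCKY),
                      ("new-unlucky", PKT_NEW_TRANSPORT_UNLUCKY), ("esp", PKT_ESP)]:
        print(f"{name:12s} drop={classify(pkt, 'drop'):20s} "
              f"assume_rfc6564={classify(pkt, 'assume_rfc6564')}")
```

Neither policy is free: "drop" keeps the DHCPv6 filter sound but blocks any transport protocol the device was not built to know, which is Fernando's "banning from scratch" point; "assume_rfc6564" lets the lucky packet through only by accident and turns the unlucky one into a false positive, because the filter has no way to tell a header it has never seen from a payload it has never seen. That is the ambiguity the thread is about, and a deployment has to pick which side of it to err on.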
