> On Dec 4, 2018, at 12:17 PM, Christopher Morrow <[email protected]>
> wrote:
>
>
>
>
>
> On Tue, Nov 27, 2018 at 5:40 AM Joe Touch <[email protected]
> <mailto:[email protected]>> wrote:
> Take that to the standards wg. Don’t stick your head in the sand and try to
> do an end run in ops. And don’t call any of this a security issue that it
> isn’t.
>
>
>
> Joe, I think one of the 3 pillars of security is: "Availability" (the other
> two are 'Confidentiality' and 'Integrity’)
It is...
>
> I think the point that Nick and Gert are outlining is that if the case is
> that the hardware available will have no fast-path processing for packets
> with obtuse patterns or sets of extension headers those packets will get sent
> to the control-plane (slow-path). That slow-path being congested will cause
> availability problems.
If that happens, the packets with these headers can easily be throttled - thus
avoiding a security issue.
However, what you’re basically saying is that “it is a security risk to send
packets to a router because it might have to do work”. Yeah, big surprise.
Either do the work or limit the impact. But that’s not the kind of security
risk we associate with availability - a good example of which would be that
sending a single packet would cause the work of 1000.
But none of that is happening here.
>
> Actually, whether or not the control-plane fails under such load may not even
> matter, if the rate-limiting of the packets here is such that (as gert said)
> all but a trickle of the interesting packets are forwarded.
But then that’s not a security problem.
>
> A solution might be to have a mode where a router may just ignore all
> headers except the src/dst-ip and simply forward all packets, trusting that
> the conversing adults will sort out problems with unknown/new/experimental
> headers or with a tortured ordering of headers (for instance). This will also
> cause some operational headaches: "Please drop all traffic toward ipX with
> protoY and dst-port Z" but perhaps it's still acceptable to some folk to
> operate like this?
That works only for HBH options of type 00. Others require particular actions
when not supported.
Joe
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
