[ipv6-wg] Extension Headers / Impact on Security Devices

Hi,

hope everybody had a great #RIPE70 meeting. We did!
Many thanks to the organizers and chairs!

With regard to the strong position on ext hdrs that I expressed in the session yesterday pls allow to add some material/sources:

- this is a paper laying out how we could circumvent some major (both commercial and FOSS) IDPS solutions in their at the time of testing latest versions, by various combinations of extension headers and fragmentation:
https://www.ernw.de/download/eu-14-Atlasis-Rey-Schaefer-briefings-Evasion-of-HighEnd-IPS-Devices-wp.pdf.

- here's some thoughts and preliminary results of tests performed to circumvent stateless ACLs:
http://www.insinuator.net/2015/01/evasion-of-cisco-acls-by-abusing-ipv6-discussion-of-mitigation-techniques/.
http://www.insinuator.net/2015/01/the-persistent-problem-of-state-in-ipv6-security/.

We have a (somewhat) ongoing research project looking more closely on the interaction of ACLs and extension headers. For the moment I can only state that it's not just Cisco who are "affected". More results will be available in some months.
If the chairs consider this appropriate we will happily give a presentation on this stuff in Bucharest or at another occasion. We could even bring some devices to Bucharest to do some practical testing and demos "in some side room" during #RIPE71, for those interested. We can even do the latter without any official part in a session, if there's interest.

As for the topic itself I'd like to summarize our position as follows:
- it has not happened in the past 17 yrs (since publication of RFC2460) that compelling, Internet-scale use cases of extension headers have been brought up.
- we're hence quite sceptical as for the "we might see cool use cases in 15-20 yrs" position someone expressed at the mic.
- from a security perspective they turn out to be a nightmare for (a number of) current security architectures and controls. it is hence understandable (and we actually advise to do so) that they are blocked at the _border_ of networks that have not yet managed to identify a compelling use case.
- looking at the "liberty" RFC2460 provides as for ext_hdrs (wrt to their number, order, options, fragmentable vs. unfragmentable part etc.) we do not expect that type of security issues to disappear soon (the main reason why we did not continue the IDPS research was that the involved student eventually delivered this thesis. one can probably find much more issues provided time & resources).
Adding more parsing cycles & intelligence (read: silicon) is not an option, at least not for sth that doesn't have a use case.
- the results of this (blocking) approach have been observed and documented by Jen & Fernando and others (Tim Chown).
- now that "this vicious circle" has gained sufficient ground it will be even less incentivized to develop a compelling use case. which is why we do not expect to see one in the future.

===

Everybody have a great weekend and for those still in AMS: have a safe trip home!

Best

Enno




-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================