<html><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px"><div><span></span></div><br> <div style="font-family: Helvetica Neue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_1_1434429117355_7868"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;" id="yui_3_16_0_1_1434429117355_7867"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> Ca By <cb.list6@gmail.com><br> <b><span style="font-weight: bold;">To:</span></b> Eric Vyncke (evyncke) <evyncke@cisco.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "v6ops@ietf.org" <v6ops@ietf.org>; "ipv6-wg@ripe.net" <ipv6-wg@ripe.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Tuesday, 16 June 2015, 8:32<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [v6ops] Extension Headers / Impact on Security Devices<br> </font> </div> <div class="y_msg_container" id="yui_3_16_0_1_1434429117355_7866"><br><div id="yiv9611338068"><div id="yui_3_16_0_1_1434429117355_7865"><br clear="none"><br clear="none">On Monday, June 15, 2015, Eric Vyncke (evyncke) <<a rel="nofollow" shape="rect" ymailto="mailto:evyncke@cisco.com" target="_blank" href="mailto:evyncke@cisco.com">evyncke@cisco.com</a>> wrote:<br clear="none"><blockquote class="yiv9611338068gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;" id="yui_3_16_0_1_1434429117355_7870">Enno,<br clear="none">
<br clear="none">
As you probably know, Cisco handles PSIRT issues with care, so, I have no<br clear="none">
clue on this specific advisory. My own (educated) guess is that the packet<br clear="none">
causing a LC reload is fully RFC 2460 compliant but unusual, so, probably<br clear="none">
(a guess again) a combination of extension headers triggering a bug.<br clear="none">
<br clear="none">
In this specific case, I would not blame IPv6 or RFC 2460 but rather my<br clear="none">
own company (even if the affected versions were quite old as new IOS-XR<br clear="none">
versions appear to be immune to this bug). And I appreciate the humor in<br clear="none">
your rhetorical question about which FW could protect a CRS... Air gap<br clear="none">
probably :-)<br clear="none">
<br clear="none">
More generally, regarding the 'parsing of the header' and performance, my<br clear="none">
understanding (and I am NOT a HW engineer) is that there are multiple ways<br clear="none">
to parse the header chain:<br clear="none">
- purely software in low-end devices, should have a marginal performance<br clear="none">
impact<br clear="none">
- specific ASIC in middle-end devices (read high end enterprise), probably<br clear="none">
some limitations and heavy performance impact (but again within one<br clear="none">
organization, so, easier to fix the root cause)<br clear="none">
- a lot of specialized network processors in high-end devices (SP gears),<br clear="none">
which is a similar case as the 'low-end device', performance impact but<br clear="none">
marginal as parsing the chain of headers is not that hard after all _when_<br clear="none">
coded correctly<br clear="none">
<br clear="none">
As the extension headers are specific to IPv6, this is an area when we<br clear="none">
will all learn (and have learned already) a lot of things...<br clear="none">
<br clear="none">
I respectfully disagree with your last sentence. Of course, destination<br clear="none">
AS/host SHOULD only accept useful, known and legit ext headers; but, why<br clear="none">
would an ISP filter on ext headers if they do not harm their own infra or<br clear="none">
a customer infra? Do you envision an Internet where only TCP/443 and<br clear="none">
UDP/43 would be accepted?<br clear="none">
<br clear="none">
Last point, the Internet will have to use IPv6 for 10 or 20 years at<br clear="none">
least. If the IETF/ISP block all new _options_ in _existing_ extension<br clear="none">
headers, then we will be stuck in 1997 for network innovation. While I do<br clear="none">
not like taking security risks, I even fear more the lack of innovation.<br clear="none">
<br clear="none"></blockquote><div id="yui_3_16_0_1_1434429117355_7874"><br clear="none"></div><div id="yui_3_16_0_1_1434429117355_7875"><br clear="none"></div><div id="yui_3_16_0_1_1434429117355_7876">I keep hearing this and it is very bizarre to hear </div><div id="yui_3_16_0_1_1434429117355_7877"><br clear="none"></div><div id="yui_3_16_0_1_1434429117355_7878">With regards to 1997, believing that there will be innovation in the narrow waist of hour glass (network layer), that is very 1997. The network layer is stable and boring.... Hence it being narrow. Innovation is welcome everywhere except network in the e2e model</div><div id="yui_3_16_0_1_1434429117355_7878"><br></div><div id="yui_3_16_0_1_1434429117355_7878">/ Absence of evidence is not evidence of absence. <br></div><div id="yui_3_16_0_1_1434429117355_7878"><br></div><div id="yui_3_16_0_1_1434429117355_7878">/ Consider what the network and host situation was in 1997 (wired network access, desktops outselling laptops, dialup Internet for residential, corporates in total probably being the largest spenders on Internet access) to today and the near future (wireless networks, smartphones/tablets being the dominant Internet access device in some markets - and they're multi-homed, M2M/IoT considered to be place where the greatest expansion of Internet connected devices is going to occur in the near future.)</div><div id="yui_3_16_0_1_1434429117355_7878"><br></div><div id="yui_3_16_0_1_1434429117355_7878" dir="ltr">/ IPv6 has had relatively little adoption, and it is only starting to increase quite rapidly in the last few years and that is mainly because of mobile networks. There hasn't and still doesn't seem to be much thinking about how IPv6's differences from IPv4's can be taken advantage of yet - an "IPv4 first" or an "IPv4 == IPv6" mindset seems to be still very common (I think the network virtualisation space is where this is might be most prominent - I think most of the technologies they're inventing require fork lift network upgrades, so the costs of deploying IPv6 at the same time become a lot less significant. So if there is a "cheap" opportunity to deploy IPv6, and IPv6 is going to be the long term network layer 3, why not optimise for it now? That was the thinking behind my "Enhancing Virtual Network Encapsulation with IPv6" draft) </div><div id="yui_3_16_0_1_1434429117355_7878" dir="ltr"><br></div><div id="yui_3_16_0_1_1434429117355_7878" dir="ltr">/ We don't want to disable innovation opportunities that IPv6 may provide before people have arrived at an "IPv6 first" or "IPv4 != IPv6" mindset. <br></div><div class="qtdSeparateBR"><br><br></div><div class="yiv9611338068yqt4684884795" id="yiv9611338068yqtfd99827"><div id="yui_3_16_0_1_1434429117355_7879"> </div><blockquote class="yiv9611338068gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;" id="yui_3_16_0_1_1434429117355_9776">
Let's talk on Thursday at Silvia's IPv6 Conference in Zurich ;-)<br clear="none">
<br clear="none">
-éric<br clear="none">
<br clear="none">
On 11/06/15 11:58, "Enno Rey" <<a rel="nofollow" shape="rect" href="">erey@ernw.de</a>> wrote:<br clear="none">
><br clear="none">
>the problem here is the definition of "normal IP packet" as of RFC2460.<br clear="none">
>To illustrate this I just quote from today's Cisco advisory (Cisco IOS XR<br clear="none">
>Software Crafted IPv6 Packet Denial of Service Vulnerability) on packets<br clear="none">
>potentially crashing CRS-3 line cards:<br clear="none">
><br clear="none">
>"The vulnerability is due to incorrect processing of an IPv6 packet<br clear="none">
>carrying IPv6 extension headers that are valid but unlikely to be seen<br clear="none">
>during normal operation. An attacker could exploit this vulnerability by<br clear="none">
>sending such an IPv6 packet to an affected device that is configured to<br clear="none">
>process IPv6 traffic. An exploit could allow the attacker to cause a<br clear="none">
>reload of the line card, resulting in a DoS condition."<br clear="none">
><br clear="none">
>two question come to mind here:<br clear="none">
><br clear="none">
>- is a "valid but unlikely" extension header chain "normal"?<br clear="none">
>- what ("combination of FW & IPS or whatever") would you put in front of<br clear="none">
>a CRS?<br clear="none">
><br clear="none">
>my (sad) expectation is that we'll see much more of these (types of)<br clear="none">
>issues in the future. given the current level of freedom that the RFC2460<br clear="none">
>leaves (see also discussion/picture in<br clear="none">
><a rel="nofollow" shape="rect" target="_blank" href="http://www.insinuator.net/2015/06/is-ipv6-more-secure-than-ipv4-or-less/">http://www.insinuator.net/2015/06/is-ipv6-more-secure-than-ipv4-or-less/</a>)<br clear="none">
>"properly parsing an IPv6 packet, let alone in wire speed" seems a pretty<br clear="none">
>much unsolvable task to me.<br clear="none">
><br clear="none">
>That said I still fail to see any useful extension header besides AH&ESP<br clear="none">
>(not even FH) to be transported in the Internet.<br clear="none">
><br clear="none">
>best<br clear="none">
><br clear="none">
>Enno<br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
><br clear="none">
> If your firewall cannot implement this policy, then<br clear="none">
>> it is time to change or to use a combination of FW & IPS or whatever.<br clear="none">
>><br clear="none">
>> - network person: as I will live with IPv6 for the rest of my life,<br clear="none">
>>then I<br clear="none">
>> want a way to extend it and I need any packet to travel to my source to<br clear="none">
>>my<br clear="none">
>> destination. Any IPv6 packet should be able to traverse the<br clear="none">
>> Internet/private network as long as its layer-3 header is valid<br clear="none">
>> (filtering/dropping can be done exceptionally for good operational<br clear="none">
>> reason). Did we remember the IPv4 teardrop attack? It is blocked by<br clear="none">
>> default by most routers for years ;-)<br clear="none">
>><br clear="none">
>> Bugs will plague us for ever... And make our life more complex than the<br clear="none">
>> above description of course ;-)<br clear="none">
>><br clear="none">
>> -??ric<br clear="none">
>><br clear="none">
>> On 17/05/15 20:43, "Silvia Hagen" <<a rel="nofollow" shape="rect" href="">silvia.hagen@sunny.ch</a>> wrote:<br clear="none">
>><br clear="none">
>> >Hi<br clear="none">
>> ><br clear="none">
>> >I keep stumbling about that "recommendational wording" in RFC 2460<br clear="none">
>> >everytime I teach it.<br clear="none">
>> ><br clear="none">
>> >Couldn't we update RFC2460 and make this list a strict order?<br clear="none">
>> ><br clear="none">
>> >I would want my firewall to notify me if the EHs in a packet do not<br clear="none">
>> >follow the list.<br clear="none">
>> >And limiting the number of possible EHs per packet might be a good<br clear="none">
>>idea.<br clear="none">
>> ><br clear="none">
>> >Silvia<br clear="none">
>> ><br clear="none">
>> >-----Urspr??ngliche Nachricht-----<br clear="none">
>> >Von: ipv6-wg [mailto:<a rel="nofollow" shape="rect" href="">ipv6-wg-bounces@ripe.net</a>] Im Auftrag von Benedikt<br clear="none">
>> >Stockebrand<br clear="none">
>> >Gesendet: Sonntag, 17. Mai 2015 18:39<br clear="none">
>> >An: <a rel="nofollow" shape="rect" href="">ipv6-wg@ripe.net</a><br clear="none">
>> >Betreff: Re: [ipv6-wg] Extension Headers / Impact on Security Devices<br clear="none">
>> ><br clear="none">
>> >Hi Enno and list,<br clear="none">
>> ><br clear="none">
>> >Enno Rey <<a rel="nofollow" shape="rect" href="">erey@ernw.de</a>> writes:<br clear="none">
>> ><br clear="none">
>> >> hope everybody had a great #RIPE70 meeting. We did!<br clear="none">
>> >> Many thanks to the organizers and chairs!<br clear="none">
>> ><br clear="none">
>> >and thanks to the actual speakers as well the speakers we had to turn<br clear="none">
>> >down due to time constraints, too:-)<br clear="none">
>> ><br clear="none">
>> >> If the chairs consider this appropriate we will happily give a<br clear="none">
>> >> presentation on this stuff in Bucharest or at another occasion.<br clear="none">
>> ><br clear="none">
>> >Sounds good to me!<br clear="none">
>> ><br clear="none">
>> >> - looking at the "liberty" RFC2460 provides as for ext_hdrs (wrt to<br clear="none">
>> >> their number, order[...]<br clear="none">
>> ><br clear="none">
>> >Actually, as far as I'm concerned that's the real core of the problem.<br clear="none">
>> >Or more specifically, the first two lines of RFC 2460, section 4.1:<br clear="none">
>> ><br clear="none">
>> > When more than one extension header is used in the same packet, it<br clear="none">
>>is<br clear="none">
>> > recommended that those headers appear in the following order:<br clear="none">
>> ><br clear="none">
>> >followed on the next page by<br clear="none">
>> ><br clear="none">
>> > Each extension header should occur at most once, except for the<br clear="none">
>> > Destination Options header which should occur at most twice (once<br clear="none">
>> > before a Routing header and once before the upper-layer header).<br clear="none">
>> ><br clear="none">
>> >Note in particular that these are not even RFC 2119 "SHOULD" or<br clear="none">
>> >"RECOMMENDED" and such.<br clear="none">
>> ><br clear="none">
>> >The impact here is actually at least twofold:<br clear="none">
>> ><br clear="none">
>> >- It is impossible to implement this as a simple pipeline architecture<br clear="none">
>> > in hardware; at least for cases deviating from the "recommendations"<br clear="none">
>> > above this effectively becomes either excessively complex to<br clear="none">
>>implement<br clear="none">
>> > in hardware or an invitation to DoS when implemented in software on<br clear="none">
>>an<br clear="none">
>> > otherwise hardware router.<br clear="none">
>> ><br clear="none">
>> >- As I understand it, at least some of the issues you have found are<br clear="none">
>> > effectively based on violating the second paragraph quoted, making it<br clear="none">
>> > impossible to come up with a lower bound on how long the header chain<br clear="none">
>> > can actually get and therefore leading to the fragmentation related<br clear="none">
>> > attacks and similar you have discovered.<br clear="none">
>> ><br clear="none">
>> >The original idea was that the extension headers are processed strictly<br clear="none">
>> >in the order they occur, so one question to ask is if there is any<br clear="none">
>>valid<br clear="none">
>> >reason to violate these "recommendations" for other than malicious<br clear="none">
>> >purposes.<br clear="none">
>> ><br clear="none">
>> ><br clear="none">
>> >Cheers,<br clear="none">
>> ><br clear="none">
>> > Benedikt<br clear="none">
>> ><br clear="none">
>> >--<br clear="none">
>> >Benedikt Stockebrand, Stepladder IT<br clear="none">
>>Training+Consulting<br clear="none">
>> >Dipl.-Inform. <a rel="nofollow" shape="rect" target="_blank" href="http://www.stepladder-it.com/">http://www.stepladder-it.com/</a><br clear="none">
>> ><br clear="none">
>> > Business Grade IPv6 --- Consulting, Training, Projects<br clear="none">
>> ><br clear="none">
>> >BIVBlog---Benedikt's IT Video Blog:<br clear="none">
>><a rel="nofollow" shape="rect" target="_blank" href="http://www.stepladder-it.com/bivblog/">http://www.stepladder-it.com/bivblog/</a><br clear="none">
>> ><br clear="none">
>> ><br clear="none">
>><br clear="none">
><br clear="none">
>--<br clear="none">
>Enno Rey<br clear="none">
><br clear="none">
>ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - <a rel="nofollow" shape="rect" target="_blank" href="http://www.ernw.de/">www.ernw.de</a><br clear="none">
>Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902<br clear="none">
><br clear="none">
>Handelsregister Mannheim: HRB 337135<br clear="none">
>Geschaeftsfuehrer: Enno Rey<br clear="none">
><br clear="none">
>=======================================================<br clear="none">
>Blog: <a rel="nofollow" shape="rect" target="_blank" href="http://www.insinuator.net/">www.insinuator.net</a> || Conference: <a rel="nofollow" shape="rect" target="_blank" href="http://www.troopers.de/">www.troopers.de</a><br clear="none">
>Twitter: @Enno_Insinuator<br clear="none">
>=======================================================<br clear="none">
><br clear="none">
>_______________________________________________<br clear="none">
>v6ops mailing list<br clear="none">
><a rel="nofollow" shape="rect" href="">v6ops@ietf.org</a><br clear="none">
><a rel="nofollow" shape="rect" target="_blank" href="https://www.ietf.org/mailman/listinfo/v6ops">https://www.ietf.org/mailman/listinfo/v6ops</a><br clear="none">
<br clear="none">
_______________________________________________<br clear="none">
v6ops mailing list<br clear="none">
<a rel="nofollow" shape="rect" href="">v6ops@ietf.org</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="https://www.ietf.org/mailman/listinfo/v6ops">https://www.ietf.org/mailman/listinfo/v6ops</a><br clear="none">
</blockquote></div></div></div><br><div class="yqt4684884795" id="yqtfd03185">_______________________________________________<br clear="none">v6ops mailing list<br clear="none"><a shape="rect" ymailto="mailto:v6ops@ietf.org" href="mailto:v6ops@ietf.org">v6ops@ietf.org</a><br clear="none"><a shape="rect" href="https://www.ietf.org/mailman/listinfo/v6ops" target="_blank">https://www.ietf.org/mailman/listinfo/v6ops</a><br clear="none"></div><br><br></div> </div> </div> </div></body></html>