Mailing List Archive

IPv6 packets with HBH
hello,

how do people handle packets with HBH present? Since their use is a
potential attack vector, do people rate-limit them? I can't seem to find
some sort of "best practice" on the issue

cheers,
Yannis
Re: IPv6 packets with HBH [ In reply to ]
On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
> hello,
>
> how do people handle packets with HBH present? Since their use is a
> potential attack vector, do people rate-limit them? I can't seem to find
> some sort of "best practice" on the issue

I have the impression that they are simply ignored in many cases.
That is simpler than rate-limiting. It is legal, because we reduced
the requirement to processing them to a SHOULD in RFC 7045:

The IPv6 Hop-by-Hop Options header SHOULD be processed by
intermediate forwarding nodes as described in [RFC2460]. However, it
is to be expected that high-performance routers will either ignore it
or assign packets containing it to a slow processing path. Designers
planning to use a hop-by-hop option need to be aware of this likely
behaviour.

- Brian

> cheers,
> Yannis
>
Re: IPv6 packets with HBH [ In reply to ]
On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>> hello,
>>
>> how do people handle packets with HBH present? Since their use is a
>> potential attack vector, do people rate-limit them? I can't seem to find
>> some sort of "best practice" on the issue
> I have the impression that they are simply ignored in many cases.
> That is simpler than rate-limiting. It is legal, because we reduced
> the requirement to processing them to a SHOULD in RFC 7045:
>
> The IPv6 Hop-by-Hop Options header SHOULD be processed by
> intermediate forwarding nodes as described in [RFC2460]. However, it
> is to be expected that high-performance routers will either ignore it
> or assign packets containing it to a slow processing path. Designers
> planning to use a hop-by-hop option need to be aware of this likely
> behaviour.
That sounds fine and it would make our lives easier but...

I'm not sure about other vendors, but it seems that Cisco boxes are
processing those at each node, at least it seems that ASR9k and 7600 do
(although there's the option to rate-limit them). CRS probably rate
limit them by default but the info is quite scarce

cheers

>
> - Brian
>
>> cheers,
>> Yannis
>>
Re: IPv6 packets with HBH [ In reply to ]
On 06/07/2014 01:27, Yannis Nikolopoulos wrote:
> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>> hello,
>>>
>>> how do people handle packets with HBH present? Since their use is a
>>> potential attack vector, do people rate-limit them? I can't seem to find
>>> some sort of "best practice" on the issue
>> I have the impression that they are simply ignored in many cases.
>> That is simpler than rate-limiting. It is legal, because we reduced
>> the requirement to processing them to a SHOULD in RFC 7045:
>>
>> The IPv6 Hop-by-Hop Options header SHOULD be processed by
>> intermediate forwarding nodes as described in [RFC2460]. However, it
>> is to be expected that high-performance routers will either ignore it
>> or assign packets containing it to a slow processing path. Designers
>> planning to use a hop-by-hop option need to be aware of this likely
>> behaviour.
> That sounds fine and it would make our lives easier but...
>
> I'm not sure about other vendors, but it seems that Cisco boxes are
> processing those at each node, at least it seems that ASR9k and 7600 do
> (although there's the option to rate-limit them). CRS probably rate
> limit them by default but the info is quite scarce

It's for router vendors to comment, but the RFC is very recent so
it will be a while before we can expect products to be changed.
If everybody makes a feature request to their vendors along the
lines of "option to disable HBH processing as allowed by RFC 7045"
something might happen.

Brian
Re: IPv6 packets with HBH [ In reply to ]
Yannis

While I cannot speak for all vendors or even for all of my employer's
products, you will indeed find that control-plane policing (=
rate-limiting) is either on by default or can be configured on most
routers.

Alternatively, you may want to use plain ACL to drop all those
potentially-harmful packets with HbH.

You probably know that HbH is also used on the local link for MLD and on
the WAN for RSVP (and possibly for other purposes). So, be sure to
understand your own use before configuring drop/rate limiting ;-)

Rate-limiting is really the way to go IMHO. A platform which processes HbH
without rate-limiting (and there are such platforms) should NOT be
deployed on the wild Internet.

Hope that this belated reply helps

-éric


On 5/07/14 15:27, "Yannis Nikolopoulos" <dez@otenet.gr> wrote:

>On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>> hello,
>>>
>>> how do people handle packets with HBH present? Since their use is a
>>> potential attack vector, do people rate-limit them? I can't seem to find
>>> some sort of "best practice" on the issue
>> I have the impression that they are simply ignored in many cases.
>> That is simpler than rate-limiting. It is legal, because we reduced
>> the requirement to processing them to a SHOULD in RFC 7045:
>>
>> The IPv6 Hop-by-Hop Options header SHOULD be processed by
>> intermediate forwarding nodes as described in [RFC2460]. However, it
>> is to be expected that high-performance routers will either ignore it
>> or assign packets containing it to a slow processing path. Designers
>> planning to use a hop-by-hop option need to be aware of this likely
>> behaviour.
>That sounds fine and it would make our lives easier but...
>
>I'm not sure about other vendors, but it seems that Cisco boxes are
>processing those at each node, at least it seems that ASR9k and 7600 do
>(although there's the option to rate-limit them). CRS probably rate
>limit them by default but the info is quite scarce
>
>cheers
>
>>
>> - Brian
>>
>>> cheers,
>>> Yannis
>>>
>
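
Eric's caveat above (know which HBH-bearing traffic you legitimately carry before you drop or police it) is easy to check against a capture. What follows is an added example, not code from this thread or from any vendor: it parses the IPv6 fixed header and the Hop-by-Hop options, sorts packets by the Router Alert value (RFC 2711: 0 = MLD, 1 = RSVP), and rejects headers whose option lengths do not fit inside the header, which are exactly the packets a slow path must be able to discard cheaply. The sample packets are constructed inline, not captured; 2001:db8::/32 is the documentation prefix and the packet names are made up.

```python
import ipaddress
import struct
from collections import Counter

HOPOPT = 0                       # Next Header value of the Hop-by-Hop Options header
ICMPV6, RSVP, TCP = 58, 46, 6
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5
ROUTER_ALERT_NAMES = {0: "MLD", 1: "RSVP", 2: "ActiveNetworks"}   # RFC 2711 values


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed IPv6 header and, if Next Header is 0, the HBH options; ValueError if inconsistent."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    info = {"src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "hop_limit": hlim, "next_header": nh, "hbh": None}
    if nh != HOPOPT:
        return info
    body = pkt[40:40 + plen]
    if len(body) < 2:
        raise ValueError("truncated HBH header")
    hbh_total = (body[1] + 1) * 8    # Hdr Ext Len counts 8-octet units beyond the first eight
    if len(body) < hbh_total:
        raise ValueError("HBH header longer than payload")
    opts, i = [], 2
    while i < hbh_total:
        otype = body[i]
        if otype == OPT_PAD1:        # one-octet padding, no length field
            i += 1
            continue
        if i + 1 >= hbh_total:
            raise ValueError("option length byte missing")
        olen = body[i + 1]
        if i + 2 + olen > hbh_total:
            raise ValueError("option overruns HBH header")
        opts.append((otype, body[i + 2:i + 2 + olen]))
        i += 2 + olen
    info["hbh"] = opts
    info["next_header"] = body[0]    # the header that follows the options
    return info


def classify(info: dict) -> str:
    """Name what the HBH header is for: MLD or RSVP via Router Alert, else 'other'."""
    if info["hbh"] is None:
        return "no-hbh"
    for otype, odata in info["hbh"]:
        if otype == OPT_ROUTER_ALERT and len(odata) == 2:
            value = struct.unpack("!H", odata)[0]
            return "router-alert/" + ROUTER_ALERT_NAMES.get(value, "value-%d" % value)
    return "hbh/other"


def inventory(packets) -> Counter:
    """Count packets by HBH class; packets the parser rejects get their own bucket."""
    counts = Counter()
    for pkt in packets:
        try:
            counts[classify(parse_ipv6(pkt))] += 1
        except ValueError:
            counts["malformed"] += 1
    return counts


def build_packet(src, dst, hop_limit, upper_nh, hbh_opts=None, payload=b""):
    """Assemble a minimal IPv6 packet (constructed sample input, not captured traffic)."""
    ext, nh = b"", upper_nh
    if hbh_opts is not None:
        body = b"".join(bytes([t, len(d)]) + d for t, d in hbh_opts)
        pad = (-(2 + len(body))) % 8        # options area must fill whole 8-octet units
        if pad == 1:
            body += bytes([OPT_PAD1])
        elif pad > 1:
            body += bytes([OPT_PADN, pad - 2]) + b"\x00" * (pad - 2)
        ext, nh = bytes([upper_nh, (2 + len(body)) // 8 - 1]) + body, HOPOPT
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nh, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext + payload


def router_alert(value: int):
    return OPT_ROUTER_ALERT, struct.pack("!H", value)


SAMPLES = {  # constructed traffic mix, one of each kind an edge router might see
    "mld_report": build_packet("fe80::1", "ff02::16", 1, ICMPV6, [router_alert(0)], b"\x8f" + b"\x00" * 7),
    "rsvp_path": build_packet("2001:db8::1", "2001:db8::2", 64, RSVP, [router_alert(1)]),
    "padding_only": build_packet("2001:db8::3", "2001:db8::2", 64, TCP, [(OPT_PADN, b"\x00" * 4)]),
    "plain_tcp": build_packet("2001:db8::4", "2001:db8::2", 64, TCP),
}
# An 8-octet HBH header whose single option claims 20 octets of data: constructed to be malformed.
MALFORMED = (struct.pack("!IHBB", 6 << 28, 8, HOPOPT, 64)
             + ipaddress.IPv6Address("2001:db8::5").packed + ipaddress.IPv6Address("2001:db8::2").packed
             + bytes([TCP, 0, OPT_ROUTER_ALERT, 20]) + b"\x00" * 4)
```

Feed `inventory()` the raw IPv6 packets from your own capture (link-layer header stripped) to see whether anything other than MLD and RSVP on your network actually depends on HBH before writing the ACL; the "malformed" bucket is the traffic you want dropped regardless of platform.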
Re: IPv6 packets with HBH [ In reply to ]
Eric,

thanks for your comments

On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
> Yannis
>
> While I cannot speak for all vendors or even for all of my employer's
> products, you will indeed find that control-plane policing (=
> rate-limiting) is either on by default or can be configured on most
> routers.
>
> Alternatively, you may want to use plain ACL to drop all those
> potentially-harmful packets with HbH.
>
> You probably know that HbH is also used on the local link for MLD and on
> the WAN for RSVP (and possibly for other purposes). So, be sure to
> understand your own use before configuring drop/rate limiting ;-)
>
> Rate-limiting is really the way to go IMHO. A platform which processes HbH
> without rate-limiting (and there are such platforms) should NOT be
> deployed on the wild Internet.

maybe I should forward this last comment (with which I agree) to our
local Cisco team ;)

cheers,
Yannis

> Hope that this belated reply helps
>
> -éric
>
>
> On 5/07/14 15:27, "Yannis Nikolopoulos" <dez@otenet.gr> wrote:
>
>> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>>> hello,
>>>>
>>>> how do people handle packets with HBH present? Since their use is a
>>>> potential attack vector, do people rate-limit them? I can't seem to find
>>>> some sort of "best practice" on the issue
>>> I have the impression that they are simply ignored in many cases.
>>> That is simpler than rate-limiting. It is legal, because we reduced
>>> the requirement to processing them to a SHOULD in RFC 7045:
>>>
>>> The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>> intermediate forwarding nodes as described in [RFC2460]. However, it
>>> is to be expected that high-performance routers will either ignore it
>>> or assign packets containing it to a slow processing path. Designers
>>> planning to use a hop-by-hop option need to be aware of this likely
>>> behaviour.
>> That sounds fine and it would make our lives easier but...
>>
>> I'm not sure about other vendors, but it seems that Cisco boxes are
>> processing those at each node, at least it seems that ASR9k and 7600 do
>> (although there's the option to rate-limit them). CRS probably rate
>> limit them by default but the info is quite scarce
>>
>> cheers
>>
>>> - Brian
>>>
>>>> cheers,
>>>> Yannis
>>>>
Re: IPv6 packets with HBH [ In reply to ]
You-all might want to hop over to IETF-land to comment on
http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering

Regards
Brian

On 19/07/2014 07:45, Yannis Nikolopoulos wrote:
> Eric,
>
> thanks for your comments
>
> On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
>> Yannis
>>
>> While I cannot speak for all vendors or even for all of my employer's
>> products, you will indeed find that control-plane policing (=
>> rate-limiting) is either on by default or can be configured on most
>> routers.
>>
>> Alternatively, you may want to use plain ACL to drop all those
>> potentially-harmful packets with HbH.
>>
>> You probably know that HbH is also used on the local link for MLD and on
>> the WAN for RSVP (and possibly for other purposes). So, be sure to
>> understand your own use before configuring drop/rate limiting ;-)
>>
>> Rate-limiting is really the way to go IMHO. A platform which processes
>> HbH
>> without rate-limiting (and there are such platforms) should NOT be
>> deployed on the wild Internet.
>
> maybe I should forward this last comment (with which I agree) to our
> local Cisco team ;)
>
> cheers,
> Yannis
>
>> Hope that this belated reply helps
>>
>> -éric
>>
>>
>> On 5/07/14 15:27, "Yannis Nikolopoulos" <dez@otenet.gr> wrote:
>>
>>> On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
>>>> On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
>>>>> hello,
>>>>>
>>>>> how do people handle packets with HBH present? Since their use is a
>>>>> potential attack vector, do people rate-limit them? I can't seem to find
>>>>> some sort of "best practice" on the issue
>>>> I have the impression that they are simply ignored in many cases.
>>>> That is simpler than rate-limiting. It is legal, because we reduced
>>>> the requirement to processing them to a SHOULD in RFC 7045:
>>>>
>>>> The IPv6 Hop-by-Hop Options header SHOULD be processed by
>>>> intermediate forwarding nodes as described in [RFC2460]. However, it
>>>> is to be expected that high-performance routers will either ignore it
>>>> or assign packets containing it to a slow processing path. Designers
>>>> planning to use a hop-by-hop option need to be aware of this likely
>>>> behaviour.
>>> That sounds fine and it would make our lives easier but...
>>>
>>> I'm not sure about other vendors, but it seems that Cisco boxes are
>>> processing those at each node, at least it seems that ASR9k and 7600 do
>>> (although there's the option to rate-limit them). CRS probably rate
>>> limit them by default but the info is quite scarce
>>>
>>> cheers
>>>
>>>> - Brian
>>>>
>>>>> cheers,
>>>>> Yannis
>>>>>
>
>
Re: IPv6 packets with HBH [ In reply to ]
Hi, Yannis,

On 07/04/2014 12:05 PM, Yannis Nikolopoulos wrote:
>
> how do people handle packets with HBH present? Since their use is a
> potential attack vector, do people rate-limit them? I can't seem to find
> some sort of "best practice" on the issue

This is the current state of affairs on the public IPv6 Internet:
<http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>

Thanks!

Cheers,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: IPv6 packets with HBH [ In reply to ]
Fernando,

>> how do people handle packets with HBH present? Since their use is a
>> potential attack vector, do people rate-limit them? I can't seem to find
>> some sort of "best practice" on the issue
>
> This is the current state of affairs on the public IPv6 Internet:
> <http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>

s/public IPv6 Internet/selected content providers/

Advice with regard to HBH headers, assuming there isn't any feature enabled that uses HBH: on a platform that supports forwarding of packets with HBH without punting, forward. For platforms that do punt regardless, drop.

cheers,
Ole
Re: IPv6 packets with HBH [ In reply to ]
On 08/07/2014 08:05 AM, Ole Troan wrote:
>
>>> how do people handle packets with HBH present? Since their use is
>>> a potential attack vector, do people rate-limit them? I can't
>>> seem to find some sort of "best practice" on the issue
>>
>> This is the current state of affairs on the public IPv6 Internet:
>> <http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf>
>
>>
> s/public IPv6 Internet/selected content providers/

Well... we did our measurements over Alexa's top-1m sites... that's a
bit more than "selected content providers"....



> advice with regards to HBH headers. assuming there isn't any feature
> enabled that uses HBH. on a platform that supports forwarding of
> packets with HBH without punting, forward. for platforms that do punt
> regardless, drop.

Agreed.

Cheers,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: IPv6 packets with HBH [ In reply to ]
On 08/07/2014 03:05 PM, Ole Troan wrote:
> advice with regards to HBH headers. assuming there isn't any feature
> enabled that uses HBH. on a platform that supports forwarding of
> packets with HBH without punting, forward. for platforms that do punt
> regardless, drop. cheers, Ole

sound advice, cheers :)

Yannis
Re: IPv6 packets with HBH [ In reply to ]
On 11 August 2014 18:33, Yannis Nikolopoulos <dez@otenet.gr> wrote:

> On 08/07/2014 03:05 PM, Ole Troan wrote:
>
>> advice with regards to HBH headers. assuming there isn't any feature
>> enabled that uses HBH. on a platform that supports forwarding of packets
>> with HBH without punting, forward. for platforms that do punt regardless,
>> drop. cheers, Ole
>>
>
> sound advice, cheers :)


Is there a 3rd case missing?

If it's a router alert option for use with MLD, process accordingly.
Re: IPv6 packets with HBH [ In reply to ]
Or for use with RSVP :-), rate-limit the packets, then process them :-)

From: Erik Kline <ek@google.com>
Date: Monday 11 August 2014 12:18
To: Yannis Nikolopoulos <dez@otenet.gr>
Cc: Ole Troan <ot@cisco.com>, Fernando Gont <fernando@gont.com.ar>, IPv6 Ops list <ipv6-ops@lists.cluenet.de>
Subject: Re: IPv6 packets with HBH

> On 11 August 2014 18:33, Yannis Nikolopoulos <dez@otenet.gr> wrote:
>> On 08/07/2014 03:05 PM, Ole Troan wrote:
>>> advice with regards to HBH headers. assuming there isn't any feature enabled that uses HBH. on a platform that supports forwarding of packets with HBH without punting, forward. for platforms that do punt regardless, drop. cheers, Ole
>>
>> sound advice, cheers :)
>
> Is there a 3rd case missing?
>
> If it's a router alert option for use with MLD, process accordingly.
Re: IPv6 packets with HBH [ In reply to ]
Erik,

> On 11 August 2014 18:33, Yannis Nikolopoulos <dez@otenet.gr> wrote:
> On 08/07/2014 03:05 PM, Ole Troan wrote:
> advice with regards to HBH headers. assuming there isn't any feature enabled that uses HBH. on a platform that supports forwarding of packets with HBH without punting, forward. for platforms that do punt regardless, drop. cheers, Ole
>
> sound advice, cheers :)
>
> Is there a 3rd case missing?

nah, see above. "assuming there isn't any feature enabled that uses HBH".

> If it's a router alert option for use with MLD, process accordingly.

if any feature enabled on the box uses HBH for anything, then sure, rate-limit and process.
MLD isn't so bad anyway since it is already on the exception path, with a hop limit of 1 and a link-local SA.

cheers,
Ole
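
Ole's rule (forward if the hardware forwards HBH without punting, drop if the platform punts regardless, and if a feature on the box needs HBH then rate-limit and process), together with Erik's and Eric's MLD and RSVP cases and Ole's note that genuine MLD arrives with hop limit 1 from a link-local source, written out as one policy function. This is an added example, not code from this thread or from any vendor. The two platform profiles, the 100 pps punt policer and the traffic mix are assumptions made up for the illustration, and the packet fields are passed in already parsed rather than taken from the wire.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Optional

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ROUTER_ALERT_FEATURE = {0: "MLD", 1: "RSVP"}   # RFC 2711 Router Alert values this policy knows


@dataclass(frozen=True)
class Platform:
    punts_hbh: bool                 # True if the forwarding hardware punts every HBH packet to the CPU
    hbh_features: FrozenSet[str]    # features enabled on this box that consume HBH, e.g. {"MLD"}
    punt_rate_pps: float = 100.0    # control-plane policer for HBH punts (assumed figure)


@dataclass(frozen=True)
class PacketMeta:
    """The few fields the policy needs; fill them in from a parser or a capture."""
    src: str
    hop_limit: int
    router_alert: Optional[int]     # Router Alert value, None if the option is absent
    has_hbh: bool = True


class TokenBucket:
    """Simple policer: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def take(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def decide(platform: Platform, bucket: TokenBucket, meta: PacketMeta, now: float) -> str:
    """Return forward / punt / drop / drop:policed for one packet."""
    if not meta.has_hbh:
        return "forward"
    feature = ROUTER_ALERT_FEATURE.get(meta.router_alert)
    if feature is not None and feature in platform.hbh_features:
        # A feature on this box must see the packet: police the punt, then process.
        if feature == "MLD" and not (meta.hop_limit == 1
                                     and ipaddress.IPv6Address(meta.src) in LINK_LOCAL):
            return "drop"           # real MLD is link-local with hop limit 1; anything else is bogus
        return "punt" if bucket.take(now) else "drop:policed"
    # Nothing on this box needs the option: Ole's two cases.
    return "drop" if platform.punts_hbh else "forward"


def simulate(platform: Platform, packets, spacing_s: float) -> Counter:
    """Offer packets `spacing_s` seconds apart and count the decisions."""
    bucket = TokenBucket(platform.punt_rate_pps, burst=platform.punt_rate_pps)
    counts = Counter()
    for i, meta in enumerate(packets):
        counts[decide(platform, bucket, meta, now=i * spacing_s)] += 1
    return counts


# Constructed traffic, not captured:
MLD_OK = PacketMeta("fe80::1", 1, router_alert=0)
MLD_SPOOFED = PacketMeta("2001:db8::1", 64, router_alert=0)   # Router Alert says MLD, source is global
RSVP_PATH = PacketMeta("2001:db8::2", 64, router_alert=1)
PADDING_ONLY = PacketMeta("2001:db8::3", 64, router_alert=None)
PLAIN = PacketMeta("2001:db8::4", 64, router_alert=None, has_hbh=False)

# Two assumed platform profiles: hardware that forwards HBH in the fast path, and a box that punts.
HW_FORWARDER = Platform(punts_hbh=False, hbh_features=frozenset({"MLD"}))
PUNTING_BOX = Platform(punts_hbh=True, hbh_features=frozenset({"MLD", "RSVP"}))

if __name__ == "__main__":
    for name, plat in (("hardware forwarder", HW_FORWARDER), ("punting box", PUNTING_BOX)):
        for meta in (MLD_OK, MLD_SPOOFED, RSVP_PATH, PADDING_ONLY, PLAIN):
            print(name, meta.src, decide(plat, TokenBucket(100, 100), meta, 0.0))
    print("RSVP burst on punting box:", simulate(PUNTING_BOX, [RSVP_PATH] * 1000, 0.0))
```

The interesting line is the burst result: on the punting box, 1000 RSVP packets arriving at once yield 100 punts and 900 policed drops, so RSVP still works while the CPU is protected, whereas the same packets paced at the policer rate are all processed. A box that punts HBH without a policer has no "drop:policed" branch at all, which is Eric's point about not deploying such a platform on the open Internet.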