Re: IPv6 packets with HBH

2014-08-07 Thread Fernando Gont
Hi, Yannis,

On 07/04/2014 12:05 PM, Yannis Nikolopoulos wrote:
 
 how do people handle packets with HBH present? Since their use is a
 potential attack vector, do people rate-limit them? I can't seem to find
 some sort of best practice on the issue

This is the current state of affairs on the public IPv6 Internet:
http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf

Thanks!

Cheers,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1





AAAA records (was: Re: IPv6 packets with HBH)

2014-08-07 Thread Jens Link
Fernando Gont ferna...@gont.com.ar writes:

Hi,

 This is the current state of affairs on the public IPv6 Internet:
 http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf

After reading slide 7 I decided to take a closer look at those funny 
IPv6 addresses. I used host to get the AAAA record for the Alexa Top
1 Million domains, and after a lot of DNS lookups I found the following:

70502 GLOBAL-UNICAST
94 IPV4MAP
50 LOOPBACK
49 LINK-LOCAL-UNICAST
30 RESERVED (including 9 RFC 3849 (2001:db8) addresses)
19 IPV4COMP
5 UNSPECIFIED
1 UNIQUE-LOCAL-UNICAST

I'm planning to modify my script to look for 6to4 and Teredo, speed up DNS
lookups and maybe add www to any domain without an AAAA record, and
run these tests on a monthly basis. Any more ideas?

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@jabber.quux.de | ---  | 
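A script along the lines of the survey above, added here as an example (it is not Jens's script, which the post does not show): it maps each AAAA record value to one of the categories in the tally, adds the 6to4 and Teredo checks he planned to add, and counts the result. The addresses in SAMPLE are constructed, and the extra labels 6TO4, TEREDO, MULTICAST and INVALID are my own naming, not his.

```python
import ipaddress
from collections import Counter

ULA = ipaddress.ip_network("fc00::/7")         # unique local, RFC 4193
IPV4COMPAT = ipaddress.ip_network("::/96")     # deprecated IPv4-compatible form
DOC = ipaddress.ip_network("2001:db8::/32")    # RFC 3849 documentation prefix

def classify(text):
    """Map one AAAA record value to a category label like those in the tally above."""
    a = ipaddress.IPv6Address(text)
    if a.is_unspecified:
        return "UNSPECIFIED"
    if a.is_loopback:
        return "LOOPBACK"
    if a.ipv4_mapped is not None:     # ::ffff:a.b.c.d
        return "IPV4MAP"
    if a in IPV4COMPAT:               # ::a.b.c.d
        return "IPV4COMP"
    if a.is_link_local:
        return "LINK-LOCAL-UNICAST"
    if a in ULA:
        return "UNIQUE-LOCAL-UNICAST"
    if a in DOC:
        return "RESERVED-RFC3849"
    if a.sixtofour is not None:       # 2002::/16, the 6to4 check Jens planned to add
        return "6TO4"
    if a.teredo is not None:          # 2001::/32, likewise Teredo
        return "TEREDO"
    if a.is_multicast:
        return "MULTICAST"
    if a.is_global:
        return "GLOBAL-UNICAST"
    return "RESERVED"                 # anything else not handed out for unicast

def tally(addresses):
    """Count categories; unparsable strings are counted rather than aborting the run."""
    counts = Counter()
    for text in addresses:
        try:
            counts[classify(text)] += 1
        except ValueError:
            counts["INVALID"] += 1
    return dict(counts)

# Constructed sample input, not survey data; a real run feeds AAAA answers from a resolver here.
SAMPLE = ["2a00:1450:4001:800::1004", "2001:4860:4860::8888", "::ffff:192.0.2.1", "::1",
          "fe80::1", "2001:db8::1", "100::1", "::192.0.2.1", "::", "fd00::1",
          "2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2", "not-an-address"]
```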



Re: IPv6 packets with HBH

2014-08-07 Thread Ole Troan
Fernando,

 how do people handle packets with HBH present? Since their use is a
 potential attack vector, do people rate-limit them? I can't seem to find
 some sort of best practice on the issue
 
 This is the current state of affairs on the public IPv6 Internet:
 http://www.iepg.org/2014-07-20-ietf90/iepg-ietf90-ipv6-ehs-in-the-real-world-v2.0.pdf

s/public IPv6 Internet/selected content providers/

advice with regard to HBH headers. assuming there isn't any feature enabled 
that uses HBH. on a platform that supports forwarding of packets with HBH 
without punting, forward. for platforms that do punt regardless, drop.

cheers,
Ole

Re: IPv6 packets with HBH

2014-07-18 Thread Yannis Nikolopoulos

Eric,

thanks for your comments

On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:

Yannis

While I cannot speak for all vendors or even for all of my employer's
products, you will indeed find that control-plane policing (=
rate-limiting) is either on by default or can be configured on most
routers.

Alternatively, you may want to use plain ACL to drop all those
potentially-harmful packets with HbH.

You probably know that HbH is also used on the local link for MLD and on
the WAN for RSVP (and possibly for other purposes). So, be sure to
understand your own use before configuring drop/rate limiting ;-)

Rate-limiting is really the way to go IMHO. A platform which processes HbH
without rate-limiting (and there are such platforms) should NOT be
deployed on the wild Internet.


maybe I should forward this last comment (with which I agree) to our 
local Cisco team ;)


cheers,
Yannis


Hope that this belated reply helps

-éric


On 5/07/14 15:27, Yannis Nikolopoulos d...@otenet.gr wrote:


On 07/04/2014 11:43 PM, Brian E Carpenter wrote:

On 05/07/2014 04:05, Yannis Nikolopoulos wrote:

hello,

how do people handle packets with HBH present? Since their use is a
potential attack vector, do people rate-limit them? I can't seem to
find
some sort of best practice on the issue

I have the impression that they are simply ignored in many cases.
That is simpler than rate-limiting. It is legal, because we reduced
the requirement to processing them to a SHOULD in RFC 7045:

 The IPv6 Hop-by-Hop Options header SHOULD be processed by
 intermediate forwarding nodes as described in [RFC2460].  However, it
 is to be expected that high-performance routers will either ignore it
 or assign packets containing it to a slow processing path.  Designers
 planning to use a hop-by-hop option need to be aware of this likely
 behaviour.

That sounds fine and it would make our lives easier but...

I'm not sure about other vendors, but it seems that Cisco boxes are
processing those at each node, at least it seems that ASR9k and 7600 do
(although there's the option to rate-limit them). CRS probably rate
limit them by default but the info is quite scarce

cheers


   - Brian


cheers,
Yannis





Re: IPv6 packets with HBH

2014-07-18 Thread Brian E Carpenter
You-all might want to hop over to IETF-land to comment on
http://tools.ietf.org/html/draft-gont-opsec-ipv6-eh-filtering

Regards
   Brian

On 19/07/2014 07:45, Yannis Nikolopoulos wrote:
 Eric,
 
 thanks for your comments
 
 On 07/09/2014 12:47 PM, Eric Vyncke (evyncke) wrote:
 Yannis

 While I cannot speak for all vendors or even for all of my employer's
 products, you will indeed find that control-plane policing (=
 rate-limiting) is either on by default or can be configured on most
 routers.

 Alternatively, you may want to use plain ACL to drop all those
 potentially-harmful packets with HbH.

 You probably know that HbH is also used on the local link for MLD and on
 the WAN for RSVP (and possibly for other purposes). So, be sure to
 understand your own use before configuring drop/rate limiting ;-)

 Rate-limiting is really the way to go IMHO. A platform which processes
 HbH
 without rate-limiting (and there are such platforms) should NOT be
 deployed on the wild Internet.
 
 maybe I should forward this last comment (with which I agree) to our
 local Cisco team ;)
 
 cheers,
 Yannis
 
 Hope that this belated reply helps

 -éric


 On 5/07/14 15:27, Yannis Nikolopoulos d...@otenet.gr wrote:

 On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
 On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
 hello,

 how do people handle packets with HBH present? Since their use is a
 potential attack vector, do people rate-limit them? I can't seem to
 find
 some sort of best practice on the issue
 I have the impression that they are simply ignored in many cases.
 That is simpler than rate-limiting. It is legal, because we reduced
 the requirement to processing them to a SHOULD in RFC 7045:

  The IPv6 Hop-by-Hop Options header SHOULD be processed by
  intermediate forwarding nodes as described in [RFC2460].  However, it
  is to be expected that high-performance routers will either ignore it
  or assign packets containing it to a slow processing path.  Designers
  planning to use a hop-by-hop option need to be aware of this likely
  behaviour.
 That sounds fine and it would make our lives easier but...

 I'm not sure about other vendors, but it seems that Cisco boxes are
 processing those at each node, at least it seems that ASR9k and 7600 do
 (although there's the option to rate-limit them). CRS probably rate
 limit them by default but the info is quite scarce

 cheers

- Brian

 cheers,
 Yannis

 
 



Re: IPv6 packets with HBH

2014-07-09 Thread Eric Vyncke (evyncke)
Yannis

While I cannot speak for all vendors or even for all of my employer's
products, you will indeed find that control-plane policing (=
rate-limiting) is either on by default or can be configured on most
routers.

Alternatively, you may want to use plain ACL to drop all those
potentially-harmful packets with HbH.

You probably know that HbH is also used on the local link for MLD and on
the WAN for RSVP (and possibly for other purposes). So, be sure to
understand your own use before configuring drop/rate limiting ;-)

Rate-limiting is really the way to go IMHO. A platform which processes HbH
without rate-limiting (and there are such platforms) should NOT be
deployed on the wild Internet.

Hope that this belated reply helps

-éric


On 5/07/14 15:27, Yannis Nikolopoulos d...@otenet.gr wrote:

On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
 On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
 hello,

 how do people handle packets with HBH present? Since their use is a
 potential attack vector, do people rate-limit them? I can't seem to
find
 some sort of best practice on the issue
 I have the impression that they are simply ignored in many cases.
 That is simpler than rate-limiting. It is legal, because we reduced
 the requirement to processing them to a SHOULD in RFC 7045:

 The IPv6 Hop-by-Hop Options header SHOULD be processed by
 intermediate forwarding nodes as described in [RFC2460].  However, it
 is to be expected that high-performance routers will either ignore it
 or assign packets containing it to a slow processing path.  Designers
 planning to use a hop-by-hop option need to be aware of this likely
 behaviour.
That sounds fine and it would make our lives easier but...

I'm not sure about other vendors, but it seems that Cisco boxes are
processing those at each node, at least it seems that ASR9k and 7600 do
(although there's the option to rate-limit them). CRS probably rate
limit them by default but the info is quite scarce

cheers


   - Brian

 cheers,
 Yannis



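To make the forward / rate-limit / drop decision discussed by Eric and Ole concrete, here is an added example (not code from any poster or vendor): it parses the Hop-by-Hop header of a raw IPv6 packet, lets MLD's Router Alert through on the local link, lets RSVP through only when enabled, polices every other HbH packet, and drops malformed headers before they can reach a slow path. The sample packets are constructed with the `build` helper; the policy names and the `allow_rsvp` switch are my own assumptions, not any platform's feature.

```python
import ipaddress
import struct

HBH, PADN, ROUTER_ALERT = 0, 1, 0x05  # HbH Next Header value; PadN / Router Alert (RFC 2711) option types
MLD, RSVP = 0, 1                      # Router Alert values carried by MLD and RSVP

def hbh_options(pkt):  # yield (type, data) per HbH option; ValueError if malformed
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    if pkt[6] != HBH:
        return
    if len(pkt) < 42 or 40 + (pkt[41] + 1) * 8 > len(pkt):
        raise ValueError("HbH header truncated")  # Hdr Ext Len: 8-octet units beyond the first 8
    end, i = 40 + (pkt[41] + 1) * 8, 42
    while i < end:
        if pkt[i] == 0:  # Pad1 is a single zero octet
            i += 1
            continue
        if i + 1 >= end or i + 2 + pkt[i + 1] > end:
            raise ValueError("option runs past HbH header")
        yield pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]

def hbh_policy(pkt, allow_rsvp=False):  # forward / accept-mld / accept-rsvp / rate-limit / drop
    try:
        opts = list(hbh_options(pkt))
    except ValueError:
        return "drop"  # malformed: never let it near the slow path
    if pkt[6] != HBH:
        return "forward"  # no HbH header: ordinary fast-path traffic
    if any(t not in (PADN, ROUTER_ALERT) for t, _ in opts):
        return "rate-limit"  # options this network has no use for: police them
    alerts = [d for t, d in opts if t == ROUTER_ALERT]
    if len(alerts) == 1 and len(alerts[0]) == 2:
        value = struct.unpack("!H", alerts[0])[0]
        src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
        if value == MLD and src.is_link_local and dst.is_multicast:
            return "accept-mld"  # MLD on the local link must keep working
        if value == RSVP and allow_rsvp:
            return "accept-rsvp"  # only where RSVP is actually deployed
    return "rate-limit"  # a Router Alert we do not use, or padding only

def build(src, dst, next_hdr, opts=None, payload=b"\x00" * 8):  # minimal sample packet; opts is 8n-2 bytes
    body = payload if opts is None else bytes([next_hdr, (len(opts) + 2) // 8 - 1]) + opts + payload
    hdr = struct.pack("!IHBB", 0x60000000, len(body), HBH if opts is not None else next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

# Constructed samples: an MLD report with Router Alert, and a packet carrying an unknown option.
MLD_REPORT = build("fe80::1", "ff02::16", 58, b"\x05\x02\x00\x00\x01\x00")
UNKNOWN_OPT = build("2001:db8::1", "2001:db8::2", 6, b"\x1e\x04\xaa\xbb\xcc\xdd")
```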


Re: IPv6 packets with HBH

2014-07-05 Thread Brian E Carpenter
On 06/07/2014 01:27, Yannis Nikolopoulos wrote:
 On 07/04/2014 11:43 PM, Brian E Carpenter wrote:
 On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
 hello,

 how do people handle packets with HBH present? Since their use is a
 potential attack vector, do people rate-limit them? I can't seem to find
 some sort of best practice on the issue
 I have the impression that they are simply ignored in many cases.
 That is simpler than rate-limiting. It is legal, because we reduced
 the requirement to processing them to a SHOULD in RFC 7045:

 The IPv6 Hop-by-Hop Options header SHOULD be processed by
 intermediate forwarding nodes as described in [RFC2460].  However, it
 is to be expected that high-performance routers will either ignore it
 or assign packets containing it to a slow processing path.  Designers
 planning to use a hop-by-hop option need to be aware of this likely
 behaviour.
 That sounds fine and it would make our lives easier but...
 
 I'm not sure about other vendors, but it seems that Cisco boxes are
 processing those at each node, at least it seems that ASR9k and 7600 do
 (although there's the option to rate-limit them). CRS probably rate
 limit them by default but the info is quite scarce

It's for router vendors to comment, but the RFC is very recent so
it will be a while before we can expect products to be changed.
If everybody makes a feature request to their vendors along the
lines of "option to disable HBH processing as allowed by RFC 7045",
something might happen.

Brian


Re: IPv6 packets with HBH

2014-07-04 Thread Brian E Carpenter
On 05/07/2014 04:05, Yannis Nikolopoulos wrote:
 hello,
 
 how do people handle packets with HBH present? Since their use is a
 potential attack vector, do people rate-limit them? I can't seem to find
 some sort of best practice on the issue

I have the impression that they are simply ignored in many cases.
That is simpler than rate-limiting. It is legal, because we reduced
the requirement to processing them to a SHOULD in RFC 7045:

   The IPv6 Hop-by-Hop Options header SHOULD be processed by
   intermediate forwarding nodes as described in [RFC2460].  However, it
   is to be expected that high-performance routers will either ignore it
   or assign packets containing it to a slow processing path.  Designers
   planning to use a hop-by-hop option need to be aware of this likely
   behaviour.

 - Brian

 cheers,
 Yannis