Re: [Tsv-art] [OPSEC] Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06

Joe Touch wrote on 05/12/2018 14:30:
> So every SNMP packet is an attack as well? As is every routing
> packet?

SNMP packets are either directed at a router or else directed through a router. If they are directed at a router, then they will be filtered / rate-limited on the data plane before they ever hit the management plane, because no-one with half a brain cell is going to leave their DFZ core router open to SNMP abuse. If they're pure data plane packets, then the management plane will never hear about them in the first place.

Routing protocol packets are considered to be a potential attack vector, but again are subject to the limitation that if they are generated by third parties (i.e. unrelated parties, as compared to directly connected second parties who might have a legitimate reason for sending specific types of routing protocol packets - and not others), then they are routinely filtered out and/or rate limited before being forwarded to any router management plane. In any event, they are also subject to policers / shapers before hitting the management planes, regardless of source.

Packets with HBH EHs are fundamentally different in this regard because they are data plane packets which are mandated by protocol to be processed on the management plane on every forwarding plane that they hit, even if this isn't their destination point. This is what's different and what is so dangerous about HBH packets, and why they need the sort of specific consideration that doesn't apply to most other types of packets.

Thankfully RFC 8200 recategorised them so that intermediate nodes are no longer required to process them.

> A security issue is created when a packet can cause *disproportionate*
> load. Otherwise it’s just called load.

This is exactly what we are talking about: terabits of data-plane traffic hitting a management plane because the protocol says that that's what needs to happen.

Terabits of data-plane traffic hitting a management plane which can only handle kilobits or megabits of data is disproportionate. You can trivially assess the level of disproportionality by noting the orders of magnitude in the numbers. Is 6 orders of magnitude disproportionate enough? One order of magnitude is enough for me. Trashed control planes are trashed, regardless of the scale of the trashing.

> The security issue is the implementation not throttling such packets
> to avoid having 10G of them shutting down the control plane. Yes,
> that’s a security issue, but it’s not the fault of the HBH packets.

It's a direct consequence of what the defining protocol used to say, except that vendors had more sense than to take protocols literally, and operations people have more sense than to leave their networks open to catastrophic abuse vectors just because it was written in a formal specification.

Common sense is, thankfully, one of the optimisation considerations applied when dealing with the conflicting standpoints presented by protocols and reality.

Nick
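Added example, not part of this thread or of the draft under review: a small Python model of the distinction Nick draws above between packets that stay on the data plane and packets that the protocol forces onto the control plane. It walks an IPv6 extension-header chain, treats any packet carrying a Hop-by-Hop Options header (next header 0) as one a pre-RFC 8200 transit node would punt to its control plane, and puts a token-bucket policer in front of that punt path, so a line-rate flood of HBH packets reaches the control plane only at the policer's rate. The packet builder, addresses, policer rate and burst, and the verdict names are all constructed for the example; the "HBH must be the first extension header" check follows RFC 8200 section 4.1.

```python
import struct

# IPv6 Next Header values used below (IANA protocol numbers).
NH_HOPOPTS = 0    # Hop-by-Hop Options: the header this thread is about
NH_TCP = 6
NH_UDP = 17
NH_ROUTING = 43
NH_FRAGMENT = 44
NH_ICMPV6 = 58
NH_DESTOPTS = 60

# Extension headers laid out as: next header (1 byte), hdr ext len (1 byte, in
# 8-octet units not counting the first 8), then option data.
GENERIC_EH = {NH_HOPOPTS, NH_ROUTING, NH_DESTOPTS}


def build_ipv6(chain, upper, payload=b"\x00" * 8):
    """Constructed test packet: IPv6 fixed header, then minimal 8-byte extension
    headers in the order given by `chain`, then `upper` as the upper-layer protocol."""
    body, nxt = b"", upper
    for eh in reversed(chain):                       # back to front, so each header knows its successor
        if eh == NH_FRAGMENT:
            hdr = struct.pack("!BBHI", nxt, 0, 0, 0)   # fragment header is a fixed 8 bytes
        else:
            hdr = struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"  # one PadN option
        body, nxt = hdr + body, eh
    fixed = struct.pack("!IHBB", 0x60000000, len(body) + len(payload), nxt, 64)
    src = b"\xfe\x80" + b"\x00" * 14                 # fe80::   (made-up link-local addresses)
    dst = b"\xfe\x80" + b"\x00" * 13 + b"\x01"       # fe80::1
    return fixed + src + dst + body + payload


def parse_ipv6_chain(pkt):
    """Walk the extension-header chain. Returns (list of EH types in order, upper-layer protocol).
    Raises ValueError on anything that is not a complete, well-formed IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    nh, off, chain = pkt[6], 40, []
    while True:
        if nh in GENERIC_EH:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            chain.append(nh)
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == NH_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            chain.append(nh)
            nh, off = pkt[off], off + 8
        else:
            return chain, nh


def classify(pkt):
    """Data-plane decision: 'forward' (never touches the control plane),
    'punt' (HBH present, so a pre-RFC 8200 transit node must hand it up), or 'malformed'."""
    try:
        chain, _ = parse_ipv6_chain(pkt)
    except ValueError:
        return "malformed"
    if NH_HOPOPTS in chain:
        # RFC 8200 s4.1: a Hop-by-Hop header, if present, is exactly one and comes first.
        ok = chain[0] == NH_HOPOPTS and chain.count(NH_HOPOPTS) == 1
        return "punt" if ok else "malformed"
    return "forward"


class TokenBucket:
    """Policer in front of the control plane: `rate_pps` tokens per second, at most `burst` stored."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = float(rate_pps), float(burst)
        self.tokens, self.last = self.burst, 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run(pkts, policer, interval):
    """Feed packets through classify() and then the punt policer; packet i arrives
    at i*interval seconds. Returns a count of what happened to each packet."""
    counts = {"forwarded": 0, "punted": 0, "dropped": 0, "malformed": 0}
    for i, pkt in enumerate(pkts):
        verdict = classify(pkt)
        if verdict == "forward":
            counts["forwarded"] += 1
        elif verdict == "malformed":
            counts["malformed"] += 1
        elif policer.allow(i * interval):
            counts["punted"] += 1          # this is all the control plane ever sees
        else:
            counts["dropped"] += 1
    return counts


if __name__ == "__main__":
    hbh_flood = [build_ipv6([NH_HOPOPTS], NH_UDP)] * 1000   # a burst arriving in the same instant
    print(run(hbh_flood, TokenBucket(rate_pps=100, burst=10), interval=0.0))
```

With the policer set to 100 pps and a burst of 10, a 1000-packet HBH burst arriving at once yields 10 punted and 990 dropped, while the same packets spaced at 50 pps all reach the control plane; plain TCP packets never enter the punt path at all. The ratio between the line rate feeding `run()` and the policer's rate is the "disproportionality" the thread is arguing about, and the policer is the piece vendors and operators add that the old protocol text did not.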