Re: hop-by-hop and router alert options
Pekka Savola <pekkas@netcore.fi> Fri, 27 August 2004 06:16 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA00658; Fri, 27 Aug 2004 02:16:26 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1C0a3L-0001H6-EF; Fri, 27 Aug 2004 02:17:35 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C0Zxc-00071M-OM; Fri, 27 Aug 2004 02:11:40 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C0Zt6-0005A3-46 for ietf@megatron.ietf.org; Fri, 27 Aug 2004 02:07:00 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA23253 for <ietf@ietf.org>; Fri, 27 Aug 2004 02:06:58 -0400 (EDT)
Received: from netcore.fi ([193.94.160.1]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1C0ZuA-00015Q-63 for ietf@ietf.org; Fri, 27 Aug 2004 02:08:07 -0400
Received: from localhost (pekkas@localhost) by netcore.fi (8.11.6/8.11.6) with ESMTP id i7R66OS09280; Fri, 27 Aug 2004 09:06:24 +0300
Date: Fri, 27 Aug 2004 09:06:24 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <93A6B402-F7A9-11D8-82BA-000A95CD987A@muada.com>
Message-ID: <Pine.LNX.4.44.0408270856450.8336-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Cc: ietf@ietf.org
Subject: Re: hop-by-hop and router alert options
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
On Thu, 26 Aug 2004, Iljitsch van Beijnum wrote: > On 26-aug-04, at 8:13, Pekka Savola wrote: > > But what > > I'm really worried about is that IP router alert -like options are > > options which a hardware implementation cannot process. An attacker > > can just specify an undefined router alert option which forces the > > processing to go to the slow path (instead of ASICs etc., it must be > > put on the CPU), and overload the processing of the router that way. > > That's not good. That can naturally be mitigated by rate-limiting the > > IP options to some small value, but such would effectively disable the > > processing of options, and require that you're able to match on those > > options. In other words, anything which has to be forwarded that > > requires CPU processing seems bad to me.. > > Pekka, please don't worry about this. There are very many things that > can happen that require that the CPU look at packets: the hop limit may > reach zero, the packet may be addressed to one of the addresses of the > router, the packet may be too big for the next hop link... > > Router vendors are able to cope with this with rate limiting. Really. All of these, except "packet may be addressed to one of the addresses of the router" (obviously) are already situations which can be handled (and AFAIK, are already handled in some equipment) on hardware. That's good. The situation where the packet is aimed at one of the addresses is also OK because you can actually set up filters for such packets whether at the router or at your borders: it might not be possible to check the "magic" packets which we're discussing. Obviously, a specific kind of router alert option could be checked in hardware as well, if the semantics were simple enough, there was suffiicient customer demand, etc. (which there apparently isn't). But the real problem is that out of 16 bits of Router Alert option codes, only about 3 values have been specified. What does the router do with an unspecified option code? Even if it wanted, it couldn't implement processing for the rest of the option codes, which are unspecified, because it doesn't know how. So either they need to be ignored (which would lead to long introduction curve, if it would require replacing hardware), or would need to be put on the CPU. But the latter provides an attack vector. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- RE: hop-by-hop and router alert options Tschofenig Hannes
- RE: hop-by-hop and router alert options Pekka Savola
- Re: hop-by-hop and router alert options Simon Leinen
- Re: hop-by-hop and router alert options Michael Welzl
- Re: hop-by-hop and router alert options Iljitsch van Beijnum
- Re: hop-by-hop and router alert options Pekka Savola
- RE: hop-by-hop and router alert options Tschofenig Hannes