IETF Logo Mail Archive

Re: Last Call: <draft-ietf-6man-rfc1981bis-04.txt> (Path MTU Discovery for IP version 6) to Internet Standard

Joe Touch <touch@isi.edu> Thu, 16 February 2017 17:06 UTC

Return-Path: <touch@isi.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DFCC129660; Thu, 16 Feb 2017 09:06:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5-U7WdArfPf; Thu, 16 Feb 2017 09:06:41 -0800 (PST)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91832129633; Thu, 16 Feb 2017 09:06:41 -0800 (PST)
Received: from [192.168.1.189] (cpe-172-250-240-132.socal.res.rr.com [172.250.240.132]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id v1GH5e5V027851 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 16 Feb 2017 09:05:42 -0800 (PST)
Subject: Re: Last Call: <draft-ietf-6man-rfc1981bis-04.txt> (Path MTU Discovery for IP version 6) to Internet Standard
To: gorry@erg.abdn.ac.uk
References: <148599312602.18643.4886733052828400859.idtracker@ietfa.amsl.com> <63eaf82e-b6d5-bff5-4d48-479e80ed4698@gmail.com> <2d36e28c-ee7d-20fc-3fec-54561e520691@si6networks.com> <C0A114C1-5E4A-4B8E-A408-55AF1E30873F@netapp.com> <3A5429F6-0EA6-436A-AF30-E55C9026F456@employees.org> <8cf1fe7d-bdfd-5e81-e61f-55d9ecd5d28a@isi.edu> <7E9AB9E8-3FCB-4475-BEEB-F18CFC4BC752@employees.org> <8076a1ea-182d-9cbe-f954-3e50f0fc53d9@isi.edu> <E11F9A4D-DE9E-4BFD-8D0D-252842719FC5@employees.org> <619f0dc52a514f07a70b44126aeb66f3@XCH15-06-08.nw.nos.boeing.com> <da3de0a5-fe7f-c874-db1d-da2684619213@si6networks.com> <706163b815ef439bbd9e0a17eba83512@XCH15-06-08.nw.nos.boeing.com> <e201c72e-b7c1-5a5f-eacb-93896cd7a7bb@si6networks.com> <58A33D08.4090505@erg.abdn.ac.uk> <ed4e3ab5-e93e-d9ca-28c0-43f8bf22039a@isi.edu> <2fc3beb1-86d1-2436-71e1-a90c525cb0d6@erg.abdn.ac.uk> <2eb7f087-571e-d2be-2c57-1d287f443ad7@isi.edu> <f4050249-f606-c38b-2081-0303f5fa85b9@erg.abdn.ac.uk>
From: Joe Touch <touch@isi.edu>
Message-ID: <68d2bffb-825a-5eee-e6c8-2c4241c98ae9@isi.edu>
Date: Thu, 16 Feb 2017 09:05:39 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <f4050249-f606-c38b-2081-0303f5fa85b9@erg.abdn.ac.uk>
Content-Type: multipart/alternative; boundary="------------62D4C9D76F496C70E419C0C7"
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/kvgqBwfM1Qrn5dO_BQ4CJ_5qyS0>
Cc: "tsv-area@ietf.org" <tsv-area@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>, 6man WG <ipv6@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-6man-rfc1981bis@ietf.org" <draft-ietf-6man-rfc1981bis@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2017 17:06:44 -0000

Hi, Gorry,


On 2/16/2017 8:47 AM, Gorry Fairhurst wrote:
>>
> The point was that according to this spec (as currently written), an
> off-path attacker can trivially inject an ICMPv6 message into the
> traffic, which then causes a host to accept a different PathMTU.
> Normally a transport design would expect ICMP messages to be at least
> checked against the list of known connections, so that successfully
> mounting this attack required the  packet to correspond to ports that
> are in use. (Usually unknown to an off-path attacker).

Agreed - but IMO this has nothing to do with "encapsulation" or
tunneling, AFAICT.

>
>>>>>
>>>>> Moreover, other layers view ICMP messages with suspicion and have
>>>>> long
>>>>> noted the need to check ICMP payload and match only packets that
>>>>> relate to actual 5-tuples in use (effectively reducing vulnerability
>>>>> to off-path attacks). For example, the Guidelines for UDP,
>>>>> rfc5405bis,
>>>>> state:
>>>>>
>>>>> " Applications SHOULD appropriately validate the payload of ICMP
>>>>>    messages to ensure these are received in response to transmitted
>>>>>    traffic (i.e., a reported error condition that corresponds to a
>>>>> UDP
>>>>>    datagram actually sent by the application). …“
>>>
>>> The comment below could easily be handled by something that clearly
>>> indicates the problem and points to the tunnel draft for guidance, I
>>> agree no need to go into algorithms/methods here.
>>
>> The problem isn't unique to tunnels - it happens on any link whose MTU
>> can vary, and IMO the solution is the same. React to the change in
>> subsequent traffic, rather than attempting to rely in ICMP relaying from
>> signaling inside the link layer -- regardless of that link layer.
>>
>> Joe
>>
> I'd be fine with recommending that way of working - but if the host
> reacts to ICMP, it is important to try to verify ICMPv6 messages
> before accepting them. 

I think that's a fine punchline. The key is what "verification" means -
as you note, a transport connection might not want to react to
conflicting information and no entity (transport, OS, etc.) ought to
react to nonsensical info (attempts to push MTU below required minimums).

Joe

v2.23.0 | Report a Bug | By Email