[IPsec] Regarding max limit of payloads to avoid unwanted processing.

Sandeep Kampati <sandeepkampati@huawei.com> Wed, 22 February 2017 05:10 UTC

From: Sandeep Kampati <sandeepkampati@huawei.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Date: Wed, 22 Feb 2017 05:10:20 +0000
Message-ID: <2DA788A5A7D91747AEA54B502558D738269FA622@DGGEMM506-MBS.china.huawei.com>
References: <CAHbuEH4K1MW8BitnOtmpoHwU6ZseqwNkYQTJ_YUE6cYxH9cshg@mail.gmail.com> <alpine.LRH.2.20.1702171211350.17106@bofh.nohats.ca> <CAHbuEH4f_67DKywJNL=POTu-dF8Ewb7T0aYO6U=uxAd6ocxGKA@mail.gmail.com>
In-Reply-To: <CAHbuEH4f_67DKywJNL=POTu-dF8Ewb7T0aYO6U=uxAd6ocxGKA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/pQSqS0zIeoDQiFKtqlc8BSuj40U>
Cc: "kivinen@iki.fi" <kivinen@iki.fi>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>
Subject: [IPsec] Regarding max limit of payloads to avoid unwanted processing.

RFC 7296

3.5.  Identification Payloads

ID_IPV4_ADDR                        1
      A single four (4) octet IPv4 address.

Question: do we need to consider "single four (4) octet IPv4 address" as a MUST point and reject the packet if we receive a greater length for it?

For security reasons we want to add restrictions on the payloads we receive, and reject the packet if we receive a greater length.

Ex: Identification Payload ID Type: 1) ID_IPV4_ADDR -> a single four (4) octet IPv4 address; 2) ID_IPV6_ADDR -> a single sixteen (16) octet IPv6 address.


It will be good if we have some MAX limit for the number of Proposal, CERT, and so on, so that we can avoid unwanted processing.


Best regards,
Sandeep Kampati
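The checks the post asks about, written out as an added example (this is not code from the post or from any IKEv2 implementation): a receiver that enforces the exact 4- and 16-octet lengths RFC 7296 section 3.5 states for ID_IPV4_ADDR and ID_IPV6_ADDR, and that counts payloads in the message chain and Proposal substructures in an SA payload against local caps so that oversized input is rejected before it is processed. Payload type numbers and ID Type values are the RFC's; the caps (MAX_VARIABLE_ID_DATA_LEN, DEFAULT_PAYLOAD_CAPS, MAX_PROPOSALS) and all sample byte strings are constructed for this example and are not RFC values.

```python
import struct

# IKEv2 payload types as carried in the Next Payload field (RFC 7296, section 3.2)
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_IDI, PAYLOAD_CERT = 0, 33, 35, 37

# Identification payload ID Types (RFC 7296, section 3.5)
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11

GENERIC_HDR_LEN = 4   # Next Payload | C+RESERVED | Payload Length
ID_HDR_LEN = 8        # generic header + ID Type + three RESERVED octets
PROPOSAL_HDR_LEN = 8  # Last Substruc | RESERVED | Proposal Length | Num | Proto | SPI Size | #Transforms

# Lengths the RFC fixes for address identities; any other length is rejected.
FIXED_ID_DATA_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}
VARIABLE_ID_TYPES = {ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID}
# Local policy caps: assumptions chosen for this example, not values from the RFC.
MAX_VARIABLE_ID_DATA_LEN = 256
DEFAULT_PAYLOAD_CAPS = {PAYLOAD_CERT: 4}
MAX_PROPOSALS = 8


class PayloadError(ValueError):
    """Raised when a payload violates the RFC's stated format or a local cap."""


def parse_id_payload(buf: bytes) -> tuple[int, bytes]:
    """Parse one Identification payload, enforcing the exact lengths of section 3.5."""
    if len(buf) < ID_HDR_LEN:
        raise PayloadError("truncated ID payload header")
    _next, _flags, plen = struct.unpack("!BBH", buf[:GENERIC_HDR_LEN])
    id_type = buf[GENERIC_HDR_LEN]
    if plen < ID_HDR_LEN or plen > len(buf):
        raise PayloadError(f"payload length {plen} inconsistent with {len(buf)} octets")
    data = buf[ID_HDR_LEN:plen]
    if id_type in FIXED_ID_DATA_LEN:
        want = FIXED_ID_DATA_LEN[id_type]
        if len(data) != want:  # "a single four (4) octet IPv4 address": nothing more, nothing less
            raise PayloadError(f"ID type {id_type} needs exactly {want} octets, got {len(data)}")
    elif id_type in VARIABLE_ID_TYPES:
        if len(data) > MAX_VARIABLE_ID_DATA_LEN:  # local policy, not an RFC limit
            raise PayloadError(f"ID type {id_type} data of {len(data)} octets exceeds local cap")
    else:
        raise PayloadError(f"unknown ID type {id_type}")
    return id_type, data


def count_payloads(first_type: int, buf: bytes, caps=DEFAULT_PAYLOAD_CAPS) -> dict[int, int]:
    """Walk the payload chain after the IKE header; stop as soon as a per-type cap is exceeded."""
    counts: dict[int, int] = {}
    ptype, off = first_type, 0
    while ptype != PAYLOAD_NONE:
        if len(buf) - off < GENERIC_HDR_LEN:
            raise PayloadError(f"truncated generic header at offset {off}")
        nxt, _flags, plen = struct.unpack("!BBH", buf[off:off + GENERIC_HDR_LEN])
        if plen < GENERIC_HDR_LEN or off + plen > len(buf):
            raise PayloadError(f"payload length {plen} at offset {off} runs past the message")
        counts[ptype] = counts.get(ptype, 0) + 1
        if counts[ptype] > caps.get(ptype, float("inf")):
            raise PayloadError(f"more than {caps[ptype]} payloads of type {ptype}")
        off += plen
        ptype = nxt
    if off != len(buf):
        raise PayloadError(f"{len(buf) - off} trailing octets after the last payload")
    return counts


def count_proposals(sa_body: bytes, cap: int = MAX_PROPOSALS) -> int:
    """Count Proposal substructures in an SA payload body (RFC 7296, section 3.3.1) against a cap."""
    n, off = 0, 0
    while True:
        if len(sa_body) - off < PROPOSAL_HDR_LEN:
            raise PayloadError(f"truncated proposal header at offset {off}")
        last, _res, plen = struct.unpack("!BBH", sa_body[off:off + 4])
        if plen < PROPOSAL_HDR_LEN or off + plen > len(sa_body):
            raise PayloadError(f"proposal length {plen} at offset {off} runs past the SA payload")
        n += 1
        if n > cap:
            raise PayloadError(f"more than {cap} proposals")
        off += plen
        if last == 0:      # 0 = last substructure, 2 = another proposal follows
            break
        if last != 2:
            raise PayloadError(f"bad Last Substruc value {last}")
    if off != len(sa_body):
        raise PayloadError("trailing octets after the last proposal")
    return n


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises PayloadError; used to exercise the negative cases below."""
    try:
        fn(*args)
    except PayloadError:
        return True
    return False


# Constructed sample payloads (not captured traffic); 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
def _generic(next_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_type, 0, GENERIC_HDR_LEN + len(body)) + body

def _id(id_type: int, data: bytes, next_type: int = PAYLOAD_NONE) -> bytes:
    return _generic(next_type, bytes([id_type, 0, 0, 0]) + data)

def _proposal(last: int, num: int) -> bytes:
    return struct.pack("!BBHBBBB", last, 0, PROPOSAL_HDR_LEN, num, 1, 0, 0)  # IKE proto, no SPI, no transforms

GOOD_IPV4 = _id(ID_IPV4_ADDR, bytes([192, 0, 2, 1]))
BAD_IPV4 = _id(ID_IPV4_ADDR, bytes([192, 0, 2, 1, 0]))           # five octets: rejected
GOOD_IPV6 = _id(ID_IPV6_ADDR, bytes.fromhex("20010db8" + "00" * 12))
_CERT_BODY = b"\x04" + b"\x00" * 10                                # Cert Encoding 4 plus dummy data
CHAIN_OK = _id(ID_IPV4_ADDR, bytes([192, 0, 2, 1]), PAYLOAD_CERT) + _generic(PAYLOAD_CERT, _CERT_BODY) + _generic(PAYLOAD_NONE, _CERT_BODY)
CHAIN_TOO_MANY_CERTS = _id(ID_IPV4_ADDR, bytes([192, 0, 2, 1]), PAYLOAD_CERT) + _generic(PAYLOAD_CERT, _CERT_BODY) * 4 + _generic(PAYLOAD_NONE, _CERT_BODY)
SA_THREE = _proposal(2, 1) + _proposal(2, 2) + _proposal(0, 3)
```

The first-payload type handed to count_payloads comes from the IKE header's Next Payload field, which the caller has already parsed; the caps dictionary is the knob that the post asks for, and any type absent from it is left uncapped.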