Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
Nick Hilliard <nick@foobar.org> Mon, 27 May 2019 19:58 UTC
Return-Path: <nick@foobar.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 557851200F4 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 12:58:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDPvAA9YTNhR for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 12:58:56 -0700 (PDT)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FE691200FE for <ipv6@ietf.org>; Mon, 27 May 2019 12:58:55 -0700 (PDT)
X-Envelope-To: ipv6@ietf.org
Received: from crumpet.local (089-101-070074.ntlworld.ie [89.101.70.74] (may be forged)) (authenticated bits=0) by mail.netability.ie (8.15.2/8.15.2) with ESMTPSA id x4RJwq1J096900 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 27 May 2019 20:58:53 +0100 (IST) (envelope-from nick@foobar.org)
X-Authentication-Warning: cheesecake.ibn.ie: Host 089-101-070074.ntlworld.ie [89.101.70.74] (may be forged) claimed to be crumpet.local
Subject: Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
To: Tom Herbert <tom@herbertland.com>
Cc: 6man <ipv6@ietf.org>
References: <155864405637.8647.14887579664730161506@ietfa.amsl.com> <CALx6S35yGHr+Hh0xB8EKZbJZxbP39MeeFH1_veWPOGiR=bXi4w@mail.gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <de5b23e5-d960-f722-6636-1c1ebc1194cf@foobar.org>
Date: Mon, 27 May 2019 20:58:51 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 PostboxApp/6.1.18
MIME-Version: 1.0
In-Reply-To: <CALx6S35yGHr+Hh0xB8EKZbJZxbP39MeeFH1_veWPOGiR=bXi4w@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/-w-9Qij8YwuCr_oSRaV0Q4NLFq8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 19:58:59 -0000
Tom,
Overall this looks useful.
Minor nits:
> options in Type-length-value (TLV) format. Each option includes a
> length of the data field in octets, and the minimum size of an option
> (non-pad type) is two bytes and the maximum length is 257 bytes.
rephrase as:
> options in Type-length-value (TLV) format. Each option includes a
> length of the data field in octets: the minimum size of an option
> (non-pad type) is two octets and the maximum length is 257 octets.
s/extensions headers/extension headers/
s/attack of extension headers-- many/attack of extension headers, many/
s/may be applied on the number/may be applied to the number/
s/hosts may institute limits on/hosts may implement limits for/
s/of a fixed sized/of a fixed size/
s/for Parameter Problem type/for Parameter Problem types/
s/chain exceeds it processing/chain exceeds its processing/
Can I suggest the following for the security consideration section?
--
5 Security Considerations
The security considerations for ICMPv6 described in [RFC4443] apply
to this document.
A malicious actor could use crafted packets to trigger ICMPv6 error
replies described in this document, thereby allowing them to
discover configuration or hardware characteristics of an
intermediate node. If the intermediate node processes packets which
trigger extension header limit ICMPv6 error replies by processing
them in a slow path, then an attacker may be able to selectively
flood the slow-path packet processor or the specific slow-path
processing ingress queue, thereby affecting the packet processor's
ability to handle legitimate ICMPv6 error replies.
--
Nick
Tom Herbert wrote on 24/05/2019 18:57:
> Hello,
>
> This is an update to ICMPv6 errors for processing limits. The material
> change is to add an "Option too big" Parameter Problem code. This is
> used used if a HBH or DO option length exceeds a limit, or the length
> consecutive padding in HBH or DO options list exceeds a limit. The
> recommended priority for reporting errors was also update accordingly.
>
> Thanks,
> Tom
>
> On Thu, May 23, 2019 at 1:42 PM <internet-drafts@ietf.org> wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the IPv6 Maintenance WG of the IETF.
>>
>> Title : ICMPv6 errors for discarding packets due to processing limits
>> Author : Tom Herbert
>> Filename : draft-ietf-6man-icmp-limits-02.txt
>> Pages : 12
>> Date : 2019-05-23
>>
>> Abstract:
>> Network nodes may discard packets if they are unable to process
>> protocol headers of packets due to processing constraints or limits.
>> When such packets are dropped, the sender receives no indication so
>> it cannot take action to address the cause of discarded packets. This
>> document defines ICMPv6 errors that can be sent by a node that
>> discards packets because it is unable to process the protocol
>> headers. A node that receives such an ICMPv6 error may be able to
>> modify what it sends in future packets to avoid subsequent packet
>> discards.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-6man-icmp-limits/
>>
>> There are also htmlized versions available at:
>> https://tools.ietf.org/html/draft-ietf-6man-icmp-limits-02
>> https://datatracker.ietf.org/doc/html/draft-ietf-6man-icmp-limits-02
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-icmp-limits-02
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
- I-D Action: draft-ietf-6man-icmp-limits-02.txt internet-drafts
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Mark Smith
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert