IETF Logo Mail Archive

[IPv6]Re: Fwd: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt

Justin Iurman <justin.iurman@gmail.com> Tue, 23 December 2025 21:33 UTC

Return-Path: <justin.iurman@gmail.com>
X-Original-To: ipv6@mail2.ietf.org
Delivered-To: ipv6@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9B10A9E87633 for <ipv6@mail2.ietf.org>; Tue, 23 Dec 2025 13:33:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jn_Yi1l24ife for <ipv6@mail2.ietf.org>; Tue, 23 Dec 2025 13:33:33 -0800 (PST)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 034A99E8762E for <6man@ietf.org>; Tue, 23 Dec 2025 13:33:33 -0800 (PST)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-64daeb28c56so1634313a12.2 for <6man@ietf.org>; Tue, 23 Dec 2025 13:33:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766525612; x=1767130412; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=ds/KGO1UeE8HZfe0Pv2tOl65hZoMjqokLuGXAWwXf/w=; b=P1yOw8ibvWP9cHaodl2n24cliFohCcjH2XEakrf2r8O1xSjLPtTzZzJvXw1w6389lY W7raNend6WPDK063frPYvGNjb8enGWsVqjSi6Wi2OVb2bclrxIobwanlMxx5Uf/58JX7 kNG8JmhfLYfdbz0Ga4JTuQ4T2+o1t1RZSOWsi3N6WDJurNCpUMoG3cj9MITObrz1j6nh jTY2OsSRgqOS706PvXyY7/CpfXRiO23sM+5pswOBYFKnhpth99fsdEJRir0T9DJsTjRt fVAo9NbGM9MQZaqzf3WRlO1iqx2egw1qYbtG/lOCbBdvgNbhS1g1YzCg8qhyRDvkfypX fkjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766525612; x=1767130412; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ds/KGO1UeE8HZfe0Pv2tOl65hZoMjqokLuGXAWwXf/w=; b=NUTMWxUy3hNUylQ1G4yq74sPf/4BrHjuiADb15RDVoL9iLVAAUrbNyV0UOVsyCrGsR wxT7YiPAlf1kfozsLAdwE38x0j7e1ZXzsHbeZB1HPsBlD/R/CeFTgzvWWujgOPKlztV4 Vx/uQO/66VqDG65e4kmU7V/BkxCoAbFnGYSIzzxBtRQlymQNW0YfyQlw7PH05FIqt9I7 YDGfVO+Nrjy6OAveIAnt2wCl0ASoydI0HcxPZ4OKP+5VkTDusOcyRtOnP5JRYvGRAp3b 1nF9TsQ1yIH1iqWBCKQmdJtIvUxQY8ongSE2jNVgBf6dQaWAbXS2/Gi3yFAE3DLGyyca OCnA==
X-Forwarded-Encrypted: i=1; AJvYcCWPQ/p55TbytOoAp6RJNMtTujylD329FY7u/vpNpGgYyjIfkzYyiz2zEB0uUyr3cryv/O0b@ietf.org
X-Gm-Message-State: AOJu0YyXqUnwU4MOt4tKXSLGnmgVmCCk513bSL/Aik4WDbTV7shULZEz BoNgzfLZ/+58iZbJbkxICVpajb2V11g7LmFq1z9nKf5ChaWDu5lbbIB81p5TEc4n
X-Gm-Gg: AY/fxX5ZYIfERdBh9jWRLctwu3UZKnTBRnQWtLUU6ODHpV0hYxFxqOg4kJYGWe2zZZ4 yAVjM/m2EJ7FnHenmCKAS/qezDgrT8ljBgx0zyKb4xJy8mzP2RT0F7S+8zRCJeajJjO4Fla/vxa mG22HxbYFdfnrpZSC2isxTu/k/+Ia1lLddoxwj9gl6xFCLN/AfnBQwEOxtWUBdRzW7lerc2wwAk 6kSOE3JNXgsTPMoYe1lGKnAgGLthD4P3R8mwAv9MMIjS86VoIx1pLq+bcwxUFSbg0Laip3MZjaZ amP7tFF4yjN3ln9lzHJjnW19sVims8VJ2BkALjTA2Q28kaB0lRbBfAIpLKsZJB9VmxQYBUFIPSG rFhyw4bXdnjYtjpMtEtw5uYpTjMK3nuntbYdl31eps/x0VLTODWJO8zk4ikFvYkm8dt2r0pgC1G qj2XWT5F1lV/zOg9Sy+yATJOT/HOdk+j5I9TQVj2oNnfYcr3vM4AEy7cMbfY0uZOX8jQ==
X-Google-Smtp-Source: AGHT+IEId7FFUM07ugki0IlqbbFiryVfduOV8o0FEg9zajTsI2r3L4XNnJVZFNKyTzsFQ7SEEI+waA==
X-Received: by 2002:a17:907:2d0e:b0:b73:80de:e6b2 with SMTP id a640c23a62f3a-b803705dbd1mr1875569866b.31.1766525611795; Tue, 23 Dec 2025 13:33:31 -0800 (PST)
Received: from ?IPV6:2a02:a03f:a75e:9a00:4071:9dfd:8d91:6722? ([2a02:a03f:a75e:9a00:4071:9dfd:8d91:6722]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b8037f0b7bcsm1575655566b.49.2025.12.23.13.33.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 23 Dec 2025 13:33:31 -0800 (PST)
Message-ID: <d123e415-7b4b-4eae-a0b6-e3c576d691d3@gmail.com>
Date: Tue, 23 Dec 2025 22:33:31 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Tom Herbert <tom@herbertland.com>
References: <176651727681.861963.1665571528282296202@dt-datatracker-5656579b89-p6k4r> <af5fd42c-fbb9-4606-a8c6-208a7ff6bc6f@gmail.com> <C6D81618-1EE3-411B-A33B-08DA13D97615@gmail.com> <9da3faac-479d-4638-ba91-bd81f6d38692@gmail.com> <CALx6S37OGUD_ysrd6AvMa13SVMv8SiWYs5F_RR_i3rzcMXMrEw@mail.gmail.com> <26504d91-3c61-4a0c-8943-d82e3acedd89@gmail.com> <CALx6S378CDW3TC2zz=NFpw+dtms8fokbVOzW0aCAYRuOC_G3Tw@mail.gmail.com>
Content-Language: en-US
From: Justin Iurman <justin.iurman@gmail.com>
In-Reply-To: <CALx6S378CDW3TC2zz=NFpw+dtms8fokbVOzW0aCAYRuOC_G3Tw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: JFFY6M44KGUAY34YP4ADLOY4US3JVC6I
X-Message-ID-Hash: JFFY6M44KGUAY34YP4ADLOY4US3JVC6I
X-MailFrom: justin.iurman@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Bob Hinden <bob.hinden@gmail.com>, 6man@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPv6]Re: Fwd: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/1iwPNdFqxOikgkmF1W9yYOxwUmI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>

Tom,

On 12/23/25 22:21, Tom Herbert wrote:
> On Tue, Dec 23, 2025 at 1:05 PM Justin Iurman <justin.iurman@gmail.com> wrote:
>>
>> Tom,
>>
>> On 12/23/25 21:55, Tom Herbert wrote:
>>> On Tue, Dec 23, 2025 at 12:31 PM Justin Iurman <justin.iurman@gmail.com> wrote:
>>>>
>>>> Bob,
>>>>
>>>> I don't think it does, but I may be wrong. Could you point me to the
>>>> text you have in mind?
>>>>
>>>> This draft enforces the number of occurrences of all Extension Headers,
>>>> not the number of options inside a Hop-by-Hop or Destination Options
>>>> header nor the processing of Hbh/options. Which is, IMHO, different from
>>>> RFC 9673. The idea came after a discussion with Tom on the mailing list
>>>> (regarding draft-ietf-6man-eh-limits), and his concern about DoS attacks
>>>> on hosts, mainly for the Destination Options header which could appear
>>>> many times (i.e., at least more than two). I believe this draft solves
>>>> that concern and at the same time avoids the need to publish
>>>> draft-ietf-6man-eh-limits, which by the way may also require changes in
>>>> rfc8504-bis Section 5.3 (e.g., maybe a smaller limit on the number of
>>>> options, current is 8). Other concerns about the size of EHs and/or
>>>> options in draft-ietf-6man-eh-limits don't need to be addressed IMHO, as
>>>> already discussed and explained previously on the mailing list. Overall,
>>>> I see this draft + rfc8504-bis + RFC 9673 as an acceptable solution,
>>>> compared to draft-ietf-6man-eh-limits.
>>>
>>> Justin,
>>>
>>> This was already addressed in eh-limits draft:
>>>
>>> "
>>> A host or intermediate MAY enforce the recommended extension
>>> header ordering and number of occurrences of extension headers
>>> described in Section 4.1 of [RFC8200].  Per the ordering
>>> recommendations, each extension header can occur at most once in a
>>> packet with the exception of Destination Options header which can
>>> occur twice.  The recommended extension header ordering per
>>> [RFC8200] is:
>>>
>>>         -  IPv6 header
>>>         -  Hop-by-Hop Options header
>>>         -  Destination Options header
>>>         -  Routing header
>>>         -  Fragment header
>>>         -  Authentication header
>>>         -  Encapsulating Security Payload header
>>>         -  Destination Options header
>>>         -  Upper-Layer header
>>>
>>>    If a host or intermediate node enforces extension header ordering
>>>    and a packet is received with extension headers out of order or
>>>    the number of occurrences of an extension header is greater than
>>>    one, or two for the Destination Options header, then the receiving
>>>    node MUST discard the packet and MAY send an ICMP Parameter
>>>    Problem message with code 0 (Erroneous Header Field Encountered)
>>>    [RFC4443] to the packet's source address.
>>> "
>>>
>>> Also, this draft is only for one tiny part of the problem and I don't
>>> believe it is really addressing the core issue which is the high drop
>>> rates of packets with extension headers.
>>
>> Correct. However, we already discussed why draft-ietf-6man-eh-limits was
>> trying to do too much by specifying limits on the size of EHs and Hbh/Do
>> options (feedback from WG members and the IESG). And since you did not
>> want to remove these problematic parts in the draft, I see this draft as
>> a good trade-off and the only way forward.
> 
> Justin,
> 
> I don't see how this is a good trade-off nor the only way forward for
> solving the undepoyability of extension headers. IMO, if we're not
> going to address the real issues with extension headers then the best
> way forward is to deprecate them.

Right, I'll do it again and repeat what was already discussed. Why is it 
a good trade-off? Because it mitigates DoS attacks, especially for Hbh 
and DO (which was one of the concerns in draft-ietf-6man-eh-limits). 
Because rfc8504-bis can specify new limits on the number of Hbh/DO 
options (although the current default of 8 could reasonably remain, 
thanks to this draft). Because RFC 9673 already handles the processing 
of Hbh and its options. And, above all, because what you're trying to 
solve cannot be solved the way you did. Specifying limits on the size of 
EHs and options would be useless (at best) or dangerous. Why? Well, if 
you look at the reasons of such drops, there are two: (i) policies 
applied by operators, and (ii) hardware limitation. For the first one, 
you can't do much except trying to educate people. For the second one, 
specifying "limits" won't solve anything. There are proofs that recent 
hardware do not have such low limitation (i.e., small parsing buffers). 
The solution is therefore to not have a solution, i.e., situation will 
improve over time (old hardware will be replaced at some point).

Justin

> Tom
> 
>>
>> Justin
>>
>>> Tom
>>>
>>>>
>>>> Justin
>>>>
>>>> On 12/23/25 20:57, Bob Hinden wrote:
>>>>> Justin,
>>>>>
>>>>> I suggest you take a look at RFC 9673 "IPv6 Hop-by-Hop Options Processing Procedures”.   I believe it covers this topic for hop-by-hop options.
>>>>>
>>>>> Bob
>>>>>
>>>>>
>>>>>> On Dec 23, 2025, at 11:26 AM, Justin Iurman <justin.iurman@gmail.com> wrote:
>>>>>>
>>>>>> Hi everyone,
>>>>>>
>>>>>> Happy holidays!
>>>>>>
>>>>>> This new draft aims to mitigate the risk of DoS attacks due to an abusive use of IPv6 Extension Headers. This problem is related to non-normative language combined with ambiguous wording in RFC 8200. This is one of the concerns raised in draft-ietf-6man-eh-limits. Feedback welcome!
>>>>>>
>>>>>> Cheers,
>>>>>> Justin
>>>>>>
>>>>>> -------- Forwarded Message --------
>>>>>> Subject: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt
>>>>>> Date: Tue, 23 Dec 2025 11:14:36 -0800
>>>>>> From: internet-drafts@ietf.org
>>>>>> To: Justin Iurman <justin.iurman@uliege.be>
>>>>>>
>>>>>> A new version of Internet-Draft draft-iurman-6man-eh-occurrences-00.txt has
>>>>>> been successfully submitted by Justin Iurman and posted to the
>>>>>> IETF repository.
>>>>>>
>>>>>> Name:     draft-iurman-6man-eh-occurrences
>>>>>> Revision: 00
>>>>>> Title:    Mitigating DoS attacks in IPv6 by clarifying the number of occurrences of Extension Headers
>>>>>> Date:     2025-12-23
>>>>>> Group:    Individual Submission
>>>>>> Pages:    5
>>>>>> URL: https://www.ietf.org/archive/id/draft-iurman-6man-eh-occurrences-00.txt
>>>>>> Status:   https://datatracker.ietf.org/doc/draft-iurman-6man-eh-occurrences/
>>>>>> HTMLized: https://datatracker.ietf.org/doc/html/draft-iurman-6man-eh-occurrences
>>>>>>
>>>>>>
>>>>>> Abstract:
>>>>>>
>>>>>>      This document updates RFC 8200 by specifying normative requirements
>>>>>>      on the number of occurrences of IPv6 Extension Headers.  Operational
>>>>>>      experience has demonstrated that permitting multiple occurrences of
>>>>>>      the same Extension Header can create parsing ambiguity, increase
>>>>>>      attack surface, and complicate packet processing in general.  This is
>>>>>>      especially true for both the Hop-by-Hop Options Header and the
>>>>>>      Destination Options Header, which can contain a number of options.
>>>>>>      This document restricts IPv6 packets to carry at most one instance of
>>>>>>      each Extension Header, with the exception of the Destination Options
>>>>>>      Header, which is permitted to appear twice as specified in RFC 8200.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The IETF Secretariat
>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------
>>>>>> IETF IPv6 working group mailing list
>>>>>> ipv6@ietf.org
>>>>>> List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/
>>>>>> --------------------------------------------------------------------
>>>>>
>>>>
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/
>>>> --------------------------------------------------------------------
>>

v2.38.3 | Report a Bug | By Email | System Status