IETF Logo Mail Archive

Re: [IPv6] sendmsg() for HBH ? Re: Removing extension headers from packets (revisited)

Toerless Eckert <tte@cs.fau.de> Tue, 22 August 2023 10:14 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C28F1C14F736 for <ipv6@ietfa.amsl.com>; Tue, 22 Aug 2023 03:14:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xz8DwTeoGXrL for <ipv6@ietfa.amsl.com>; Tue, 22 Aug 2023 03:14:05 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 860F5C14CEFF for <6man@ietf.org>; Tue, 22 Aug 2023 03:14:04 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4RVQDQ1ZCNznkyr; Tue, 22 Aug 2023 12:13:58 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4RVQDQ0m3jzkYvt; Tue, 22 Aug 2023 12:13:58 +0200 (CEST)
Date: Tue, 22 Aug 2023 12:13:58 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Tom Herbert <tom@herbertland.com>
Cc: 6MAN <6man@ietf.org>
Message-ID: <ZOSKZgTNYRBFOZVj@faui48e.informatik.uni-erlangen.de>
References: <CALx6S36gQBgNAp-Poq3pRupGWUh0iA8M546=S=vUp5cQK_82TQ@mail.gmail.com> <ZN8g05pO83NdLN90@faui48e.informatik.uni-erlangen.de> <CALx6S35RS4uKvaQ9G5R5BdffWKsmdUxR3KuwYqf8xtAKuTtqbw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CALx6S35RS4uKvaQ9G5R5BdffWKsmdUxR3KuwYqf8xtAKuTtqbw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/253eDRi9JMg-vGpGXIIYiEFtyR0>
Subject: Re: [IPv6] sendmsg() for HBH ? Re: Removing extension headers from packets (revisited)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2023 10:14:07 -0000

On Fri, Aug 18, 2023 at 07:14:22AM -0700, Tom Herbert wrote:
> Hi Toerless,
> 
> Yes, admin privileges are need to set EH in Linux. I have patches to fix
> that and am planning to push them at some point.

Thanks, and *sigh* I was hoping that in the last 8 years where i hadn't checked this,
something would have improved.

> Yes, fortunately OS support doesn't require and standards action.

True, but i think to remember that when we asked last time, that there where
concerns from the linux kernel community that such non-privileged access to
extension headers would pose security risks and hence it was never enabled
in the linux kernel.

Think about an unprivileged application using a UDP socket to send an
SRH EH. Scary ? Network operators that use SRH might think so.

Think about an unprivileged IoT application using a UDP socket to send
a RFC6554 EH. Scary ? I would think all folks knowledgable of networking
using RPL would say it should not be scary.

Aka: One and the same fundamental scheme (traffic steering info) may likely
be seen as more or less "privileged". 

And i think we simply need to put more force behind the notion that extension headers
must NOT require special privileges. Or else, we will never get easy ubiquitous
use of them. 

Privile can and should be tied to protocol if anything (ICMP(v6)) for example,
raw IP sockets etc. But not to any TCP, SCTP, UDP, QUICK or other correctly
per-application demultiplexable transport protocol sockets.

In return, the question is what level of security requirements do extension
headers have to have to permit such unprivileged use ?

To me, its practically, that extension headers MUST NOT impact / be impacted
by traffic not matching their 5-tuple transport connection/transaction.

This is a simple security requirement, but i am not sure it was written down anywhere.
Is it (i don't know all relevant text).

Do all our EH meet this security requirement ? aka: no traffic monitoring
extension heaeder collection more than 5-tuple info ? I hope we do...

Cheers
    Toerless

> 
> Tom
> 
> 
> > Cheers
> >     Toerless
> >
> > On Mon, Aug 14, 2023 at 01:12:40PM -0700, Tom Herbert wrote:
> > > Hi 6man,
> > >
> > > I know this topic of removing extension headers has been brought up
> > > before, but I think in light of some emerging use cases it might be
> > > worth revisiting.
> > >
> > > draft-herbert-fast and draft-media-hdr-wireless describe host to
> > > network signaling. Both of these use Hop-by-Hop extension headers
> > > (draft-media-hdr-wireless currently specifies using UDP options, but
> > > could be HBH). A common attribute of these is that the information in
> > > Hop-by-Hop options is only relevant in the local network of the
> > > source. More specifically, it might only be relevant to the first hop
> > > router in a provider network to process the options. After processing
> > > by that router, the Hop-by-Hop option just along for the ride, no
> > > other nodes in the path care about it and the end node probably
> > > doesn't care either.
> > >
> > > Segment routing has a similar property. Once the final segment is set
> > > in the Destination Address, the segment routing header contains no
> > > useful information to downstream nodes.
> > >
> > > In both these cases, as long as the destination is in the same domain
> > > as the sender, we expect things to work. For EH it's a statement of
> > > practicality because of perceived drop rates on the Internet, for
> > > segment routing it's inherent in the design for segment routing
> > > domains. So this raises the question, what happens if a sender sends
> > > to a destination out of its local domain and still wants services
> > > applied to packets while they're in the local domain, or what if
> > > segment routing is used to route a packet to an egress point in the
> > > segment routing domain that then traverses the Internet.
> > >
> > > Could it be acceptable for routers to remove HBH EH or routing header
> > > EH when a packet exits a limited domain? I realize this is contrary to
> > > RFC8200 and might be considered an architectural abomination, but on
> > > the other hand this might be a practical way to improve the
> > > deployability of extension headers without any material adverse side
> > > effects (other than packets being dropped which might happen anyway if
> > > packets with EH escaped the limited domain).
> > >
> > > Comments?
> > >
> > > Thanks,
> > > Tom
> > >
> > > --------------------------------------------------------------------
> > > IETF IPv6 working group mailing list
> > > ipv6@ietf.org
> > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > --------------------------------------------------------------------
> >
> > --
> > ---
> > tte@cs.fau.de
> >

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email