Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp> Fri, 11 May 2007 02:17 UTC
Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HmKhU-0001au-8e; Thu, 10 May 2007 22:17:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HmKhS-0001WI-KV for ipv6@ietf.org; Thu, 10 May 2007 22:17:42 -0400
Received: from shuttle.wide.toshiba.co.jp ([2001:200:1b1::35]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HmKhQ-0001IZ-SQ for ipv6@ietf.org; Thu, 10 May 2007 22:17:42 -0400
Received: from jmb.local (t050096.ppp.asahi-net.or.jp [203.189.50.96]) by shuttle.wide.toshiba.co.jp (Postfix) with ESMTP id 36E6273020; Fri, 11 May 2007 11:17:39 +0900 (JST)
Date: Fri, 11 May 2007 11:16:49 +0900
Message-ID: <m1irb0umsu.wl%jinmei@isl.rdc.toshiba.co.jp>
From: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
To: Joe Abley <jabley@ca.afilias.info>
In-Reply-To: <ED9B698C-6892-4FE8-87FD-02372C4DA338@ca.afilias.info>
References: <31D43DED-5BEE-4730-8FCB-476FA9EE1A97@eads.net> <46432309.1020902@innovationslab.net> <m2tzukn0xp.wl%gnn@neville-neil.com> <ED9B698C-6892-4FE8-87FD-02372C4DA338@ca.afilias.info>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.0 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
X-Spam-Score: 0.5 (/)
X-Scan-Signature: 0fa76816851382eb71b0a882ccdc29ac
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>, Brian Haberman <brian@innovationslab.net>
Subject: Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org
At Thu, 10 May 2007 17:09:31 -0400, Joe Abley <jabley@ca.afilias.info> wrote: > >>> "Compliant IPv6 hosts and routers MUST NOT process RH0 in packets > >>> addressed to them. Those packets MUST be dropped without further > >>> processing. In particular, the value of the Segments Left field > >>> MUST not be considered." > >> > >> This is much clearer and easier to implement. > > > > Though I am not a router vendor I am the person who has to handle this > > on FreeBSD. I like the above sentence as well. > > The above sentences far more closely resemble what I meant to write, > compared to the text that actually appeared in the draft :-) "packets addressed to them" still sounds a little ambiguous to me; it could be interpreted as including intermediate hops specified in the routing header or as only meaning the final destination. The intent should obviously be the former, so I'd rephrase it further: "Compliant IPv6 hosts and routers MUST NOT process RH0 in packets whose destination address in the IPv6 header is an address assigned to them." BTW, I agree we shouldn't require routers to inspect every IPv6 packet and drop it when it contains RH0 (even if whose IPv6 dst is NOT a routers' address). It should leave to FWs, not ordinary routers. > I note that KAME's response to this is similar, but it's not clear to > me that it's precisely identical: a patched KAME implementation > treats the type 0 routing header as an unknown routing header > (according to <http://www.kame.net/newsletter/20070502/>). This > suggests to me that a patched KAME implementation will process a > datagram containing RH0, but that RH0 header(s) in the datagram will > not be acted upon. I would welcome corrections to my feeble > assumptions in this area (I have done no tests, nor read any source > code to confirm). I guess you're talking about whether the node returns an ICMPv6 error when receiving a packet that contains an RH0 whose IPv6 dst is one of its own addresses. KAME's implementation treats it as an "unknown type" of routing header as you guessed and it returns an ICMPv6 parameter problem error as a result. This is an intentional behavior: http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/route6.c.diff?r1=1.62;r2=1.63 (Which type of error is appropriate is a different question) > A packet containing RH0 presumably is intended not to be processed on > the system identified by the destination address field; if it was, no > RH0 would be present. This suggests to me that "MUST drop" is the > right thing, rather than "process as if RH0 was not there"; in > addition, if we assume that today any packet with RH0 is likely to be > malicious, any processing of a packet containing RH0 which has the > potential to result in backscatter seems like it should properly be > avoided. I believe we should rather return an ICMPv6 error. Even if we decide to deprecate type0 RH, there will be many non-updated systems for a certain period of time. Since there is at least one know popular (but non-attacking) usage of RH0, i.e., probing 'return path' by traceroute, we'll still see non-attacking packets containing RH0. It would be better to notice such innocent but not just well-informed users explicitly, rather than simply dropping the packet. Regarding 'backscatter', if you mean a DoS for the ICMPv6 recipient with a source-spoofed packets containing RH0, I don't think it's a big concern in this context; that's not different from other type of backscatter' attacks with a forged source address, so simply prohibiting this case wouldn't help much; and I believe returning an error is actually helpful as I stated above. Also, ICMPv6 errors are rate limited, so the backscatter effect is limited accordingly. JINMEI, Tatuya Communication Platform Lab. Corporate R&D Center, Toshiba Corp. jinmei@isl.rdc.toshiba.co.jp -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Pekka Savola
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Brian Haberman
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jari Arkko
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Pekka Savola
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… George V. Neville-Neil
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… gnn
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… George V. Neville-Neil
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Tim Enos
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Routing Header Type 0 way forward Brian Haberman