Re: RFC2460 problem - error processing of Routing Header

Suresh Krishnan <suresh.krishnan@ericsson.ca> Fri, 21 May 2004 00:43 UTC

Date: Thu, 20 May 2004 20:19:49 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.ca>
X-X-Sender: lmcsukr@localhost.localdomain
Reply-To: Suresh Krishnan <suresh.krishnan@ericsson.ca>
To: OOTOMO Hiroyuki <Hiroyuki.Ootomo@jp.yokogawa.com>
cc: Suresh Krishnan <suresh.krishnan@ericsson.ca>, ipv6@ietf.org
Subject: Re: RFC2460 problem - error processing of Routing Header
In-Reply-To: <ZEX001-0M9004SOc7wo0000005a@EXCHANGE04.jp.ykgw.net>
Message-ID: <Pine.LNX.4.44.0405202016180.22451-100000@localhost.localdomain>

Hi Ootomo
	See comments inline.

Regards
Suresh

On Thu, 20 May 2004, OOTOMO Hiroyuki wrote:

>Hi Suresh.
>
>> This packet will NEVER reach host-4. Consider the packet when it 
>> reaches router-1
><<< snipped >>>
>> router-1 will follow the algorithm for RH processing. The Segments Left is 
>> greater than 0. So it will check the header ext len and find it to be odd. 
>> It will drop the packet and send an ICMP message back to host-0. I guess 
>> the general idea is that the first destination node will detect the 
>> problem with the header ext len.
>
>Of course what you said is true, but it is the case
>when the first destination node (and all intermediate nodes)
>were normal.
>
>What I said in the previous mail is the case when the packet
>unfortunately reached the End Node.
>
>e.g., If all routers via which the packet goes are broken
>(although it is a very rare case) and overlook the invalid
>Hdr.Ext.Len, the trouble will happen.

Even if we check the header length before checking the segments left we 
can still have a problem.

>
>e.g., If an evil node transmits the packet with odd Hdr.Ext.Len
>and zero Segment Left suddenly, the trouble will happen.

The evil node can transmit the packet with an EVEN header ext len which is 
WRONG and the new algorithm can still not catch it. So I guess it is not 
worth it trying to change the algorithm as the cons outweigh the pros.

>
>Isn't it connected with other vulnerabilities and become
>a security hole etc.?
>
>
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
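Added example, not part of the original message or of any implementation discussed on the list: a C validator for a Type 0 Routing header that applies the parity check before looking at Segments Left (the reordering debated in this thread) and also bounds the claimed length against the bytes actually received. The names rh0_validate, rh0_try and the RH_* result codes are hypothetical, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result names are chosen for this example. */
enum rh_result { RH_OK, RH_TRUNCATED, RH_ODD_LEN, RH_SEGLEFT_TOO_BIG };

/*
 * Validate a Type 0 Routing header at buf, with avail bytes of packet left.
 * RFC 2460 layout: Next Header, Hdr Ext Len, Routing Type, Segments Left,
 * 4 reserved bytes, then n = Hdr Ext Len / 2 addresses of 16 bytes each.
 * On RH_OK, *hdr_bytes is the offset of the next header.
 */
enum rh_result rh0_validate(const uint8_t *buf, size_t avail, size_t *hdr_bytes)
{
    if (avail < 8)
        return RH_TRUNCATED;
    uint8_t ext_len = buf[1], seg_left = buf[3];
    size_t total = ((size_t)ext_len + 1) * 8;

    /* Memory-safety check: never follow the claimed length past the packet. */
    if (total > avail)
        return RH_TRUNCATED;
    /* Parity is checked even when Segments Left is 0 (not RFC 2460's order). */
    if (ext_len & 1)
        return RH_ODD_LEN;
    if (seg_left > ext_len / 2)
        return RH_SEGLEFT_TOO_BIG;
    *hdr_bytes = total;
    return RH_OK;
}

/* Constructed sample: one-address header (24 bytes), Next Header 59 = none. */
static const uint8_t sample[24] = {
    59, 2, 0, 1, 0, 0, 0, 0,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

/* Patch the two fields into a copy of the sample; return the header length
 * in bytes on success, or the negated rh_result on rejection. */
int rh0_try(uint8_t ext_len, uint8_t seg_left)
{
    uint8_t pkt[sizeof sample];
    size_t len = 0;
    memcpy(pkt, sample, sizeof pkt);
    pkt[1] = ext_len;
    pkt[3] = seg_left;
    enum rh_result r = rh0_validate(pkt, sizeof pkt, &len);
    return r == RH_OK ? (int)len : -(int)r;
}
```

rh0_try(1, 0) is rejected as RH_ODD_LEN, but rh0_try(0, 0) is accepted with a length of 8 even though the sample really carries one address: an even but wrong Hdr Ext Len that stays inside the packet passes every header-local check, which is the case raised in the reply above.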