IETF Logo Mail Archive

Re: Errata for RFC4862

otroan@employees.org Mon, 09 January 2017 08:53 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065B8129BDE for <ipv6@ietfa.amsl.com>; Mon, 9 Jan 2017 00:53:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.335
X-Spam-Level:
X-Spam-Status: No, score=-1.335 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=employees.org; domainkeys=pass (1024-bit key) header.from=otroan@employees.org header.d=employees.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAcGc7Lwv8jh for <ipv6@ietfa.amsl.com>; Mon, 9 Jan 2017 00:53:31 -0800 (PST)
Received: from inbound03.kjsl.com (inbound03.kjsl.com [IPv6:2001:1868:a100:131::62]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0728129BDD for <ipv6@ietf.org>; Mon, 9 Jan 2017 00:53:31 -0800 (PST)
Received: from cowbell.employees.org ([IPv6:2001:1868:a000:17::142]) by ironport03.kjsl.com with ESMTP; 09 Jan 2017 08:53:19 +0000
Received: from cowbell.employees.org (localhost [127.0.0.1]) by cowbell.employees.org (Postfix) with ESMTP id 94D159CC80; Mon, 9 Jan 2017 00:53:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=employees.org; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s= selector1; bh=acPVI0IHLq9CY9Uq1m2zva5ub0w=; b=o2mCCtz/ZIMx6w9981 pLlJKobs+W2j7roaVljQo0LE9jz7IVCu2L6v2eBxlpwCl+H5IAuHPsbsK15hMaOC MP5z+IQ/JFSxbJL6buaTz5snjCDYdxfgAySYExZ+TLTSZj5jAHArn3aEyd/ommxt SGRfogOmNjk8bexeWSFxRo7TA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=employees.org; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; q=dns; s= selector1; b=Leiw5mPf/t1MHpTJqRxCnS4JGNqzhWL5GFCKTyBNQhRH5GFJsWa 3YbRJ/OwSYRb/m6MOeBI0QcWQSQAWYRl9JVSk1nr1EzVii4qsVD6Ugh33foYhm7a L2bc8PBnM9NAystiE7/BAIpFrapYF9y/IkLHlFdGy005Zkh5uXjhkq4Y=
Received: from h.hanazo.no (unknown [51.175.103.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: otroan) by cowbell.employees.org (Postfix) with ESMTPSA id 104039CC7E; Mon, 9 Jan 2017 00:53:10 -0800 (PST)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by h.hanazo.no (Postfix) with ESMTP id 8B3E6725431C; Mon, 9 Jan 2017 09:53:20 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Subject: Re: Errata for RFC4862
From: otroan@employees.org
In-Reply-To: <CAO42Z2xH9wqXKFjtAbv6isQ3cG1=FNUmkNFq2DGJdqj9BFDVaQ@mail.gmail.com>
Date: Mon, 09 Jan 2017 09:53:20 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <E459F5B0-D088-4D74-B92A-9A8671249716@employees.org>
References: <CAO42Z2xH9wqXKFjtAbv6isQ3cG1=FNUmkNFq2DGJdqj9BFDVaQ@mail.gmail.com>
To: Mark Smith <markzzzsmith@gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/5Cux3z4yEI1uB2XEgSkDjRjYAcA>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2017 08:53:33 -0000

Mark,

The current text is crafted both to allow renumbering and to support scenarios where the RA lifetimes are short. I.e. under two hours.
Your proposed changes appear to lock the lifetimes to no less than two hours. Is that correctly understood?

Btw, this might not be appropriate for an erratum, but I do also think we should revisit this behaviour. For the IPv6 core specifications to Internet standards work, I think the tentative conclusion was that we needed to do 4861/4862bis documents in-place before considering an advancement.

O.

> On 8 Jan 2017, at 06:30, Mark Smith <markzzzsmith@gmail.com> wrote:
> 
> Hi,
> 
> I've struggled with the Errata tool complaining about not having line
> breaks at 72 characters for the last 15 or so minutes, and after
> making number of failed attempts to fix that, that's enough!
> 
> Section:
> 
> 5.5.3 RouterAdvertisement Processing
> 
> 
> Original Text:
> 
>      1.  If the received Valid Lifetime is greater than 2 hours or
>          greater than RemainingLifetime, set the valid lifetime of the
>          corresponding address to the advertised Valid Lifetime.
> 
>      2.  If RemainingLifetime is less than or equal to 2 hours, ignore
>          the Prefix Information option with regards to the valid
>          lifetime, unless the Router Advertisement from which this
>          option was obtained has been authenticated (e.g., via Secure
>          Neighbor Discovery [RFC3971]).  If the Router Advertisement
>          was authenticated, the valid lifetime of the corresponding
>          address should be set to the Valid Lifetime in the received
>          option.
> 
>      3.  Otherwise, reset the valid lifetime of the corresponding
>          address to 2 hours.
> 
> 
> Corrected Text:
> 
> 1. If the Router Advertisement is not authenticated (e.g., via Secure
> Neighbor Discovery [RFC3971]), and if the received Valid Lifetime is greater
> than 2 hours, set the valid lifetime of the corresponding address to the
> advertised Valid Lifetime.
> 
> 2. If the Router Advertisement has been authenticated (e.g., via Secure
> Neighbor Discovery [RFC3971]), the valid lifetime of the corresponding
> address should be set to the Valid Lifetime in the received option
> (regardless of whether it is greater than 2 hours or not).
> 
> 3.  Otherwise, reset the valid lifetime of the corresponding address to 2
> hours.
> 
> In other words, unless an RA is authenticated, Valid Lifetimes in RA PIOs
> MUST be greater than 2 hours.
> 
> 
> Notes:
> 
> For unauthenticated RAs, throughout the text there are numerous checks
> to prevent a possible DoS attack described in the subsequent
> paragraph:
> 
> "The above rules address a specific denial-of-service attack in
>      which a bogus advertisement could contain prefixes with very small
>      Valid Lifetimes."
> 
> Check 1 above would seem to allow a Valid Lifetime in an RA PIO that
> is much less than 2 hours, as long as the value is greater than the
> RemainingLifetime. For example, if a host's RemainingLifetime for an
> address is 60 seconds, an RA PIO ValidLifetime of 61 seconds would be
> acceptable. This would seem to contradict the DoS protection goal.
> 
> Check 2 does check to ensure that RemainingLifetime is greater than 2
> hours, however Check 1 has
> already accepted the RA PIO VL <2 hours (if greater than
> RemainingLifetime) and set the address's Valid
> Lifetime to a value possibly much less than 2 hours.
> 
> An attacker could take advantage of this by doing the following:
> 
> 1. Send an initial RA with a ValidLifetime of 2 hours, which would pass Check 1.
> 2. Wait until around 1 hour and 59.5 minutes, and then send an RA with
> a ValidLifetime of 61 seconds.
> 3. Send RAs every 30 or so seconds with a ValidLifetime of 61 seconds,
> holding all of the victim hosts'
> ValidLifetimes at a low value. These RAs would also pass Check 1 as
> long as the VL in the RA was
> greater than the hosts' current VL for the addresses.
> 4. When it could cause the most significant denial of service, stop
> sending the RAs, causing the hosts'
> address VLs and therefore the addresses to expire within 60 seconds or so.
> 
> 
> Regards,
> Mark.
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email