Re: Last Call: <draft-ietf-6man-rfc1981bis-04.txt> (Path MTU Discovery for IP version 6) to Internet Standard

Fernando Gont <fgont@si6networks.com> Wed, 08 February 2017 00:56 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA3241296F0; Tue, 7 Feb 2017 16:56:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nX10ZA7xyeG8; Tue, 7 Feb 2017 16:56:40 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67C7C12971E; Tue, 7 Feb 2017 16:56:38 -0800 (PST)
Received: from [192.168.3.83] (142-135-17-190.fibertel.com.ar [190.17.135.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id EDD39828F9; Wed, 8 Feb 2017 01:56:33 +0100 (CET)
Subject: Re: Last Call: <draft-ietf-6man-rfc1981bis-04.txt> (Path MTU Discovery for IP version 6) to Internet Standard
To: Joe Touch <touch@isi.edu>, otroan@employees.org
References: <148599312602.18643.4886733052828400859.idtracker@ietfa.amsl.com> <1859B1D9-9E42-4D65-98A8-7A326EDDE560@netapp.com> <f8291774-409e-2948-3b29-83dbb09d39d9@si6networks.com> <63eaf82e-b6d5-bff5-4d48-479e80ed4698@gmail.com> <2d36e28c-ee7d-20fc-3fec-54561e520691@si6networks.com> <C0A114C1-5E4A-4B8E-A408-55AF1E30873F@netapp.com> <3A5429F6-0EA6-436A-AF30-E55C9026F456@employees.org> <8cf1fe7d-bdfd-5e81-e61f-55d9ecd5d28a@isi.edu> <7E9AB9E8-3FCB-4475-BEEB-F18CFC4BC752@employees.org> <8076a1ea-182d-9cbe-f954-3e50f0fc53d9@isi.edu> <E11F9A4D-DE9E-4BFD-8D0D-252842719FC5@employees.org> <a479d81e-42f9-0695-f31a-c494c02de9af@isi.edu> <4118C6CE-7649-436B-9598-78A034AFFE50@employees.org> <1d3c4a88-8c50-a0e2-f852-798d671c8750@isi.edu> <931F16A4-BF00-4695-857E-F90703A09D32@employees.org> <4673f71e-11d9-699e-7a15-1d1fd095a6e8@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <e3129449-f9cd-a427-2abb-fa48127a3547@si6networks.com>
Date: Tue, 7 Feb 2017 21:52:32 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <4673f71e-11d9-699e-7a15-1d1fd095a6e8@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/6D1ht_NBLrlRAGSV9SwZAK2Waf8>
Cc: "tsv-area@ietf.org" <tsv-area@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>, 6man WG <ipv6@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-6man-rfc1981bis@ietf.org" <draft-ietf-6man-rfc1981bis@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 00:56:42 -0000

Hi, Joe,

On 02/07/2017 06:35 PM, Joe Touch wrote:
> IMO it's worth including a sentence that highlights these things
> elsewhere in the doc.
> 
> But if others disagree, the existing text is sufficient.

The text is actually incorrect (see below).



>>> I'd add one sentence about Fred's observation too:
>>>
>>> In addition, spoofed ICMP messages can also affect the correct operation
>>> of PMTUD.
>> You don't think that's covered by the existing security considerations:
>>
>>    This Path MTU Discovery mechanism makes possible two denial-of-
>>    service attacks, both based on a malicious party sending false Packet
>>    Too Big messages to a node.
>>
>>    In the first attack, the false message indicates a PMTU much smaller
>>    than reality.  This should not entirely stop data flow, since the
>>    victim node should never set its PMTU estimate below the IPv6 minimum
>>    link MTU.  It will, however, result in suboptimal performance.

If you are employing EHs this could indeed stop the data flow.



>>    In the second attack, the false message indicates a PMTU larger than
>>    reality.  If believed, this could cause temporary blockage as the
>>    victim sends packets that will be dropped by some router.  Within one
>>    round-trip time, the node would discover its mistake (receiving
>>    Packet Too Big messages from that router), but frequent repetition of
>>    this attack could cause lots of packets to be dropped.  A node,
>>    however, should never raise its estimate of the PMTU based on a
>>    Packet Too Big message, so should not be vulnerable to this attack.

This one is probably not worth elaborating: at the end of the day, it
doesn't work.


There are many other things to note here, e.g.:
*  many stacks don't even check that the ICMPv6 PTB referes to e.g. an
ongoing TCP connection

* Some stacks cache the PMTU for all packets sent to the target IPv6
address (i.e., the attack might affect multiple flows)

etc.

Much of this is covered in RFC5927.

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492