IETF Logo Mail Archive

Re: A problem with RFC 6465's Uniform Format for Extension Headers

"C. M. Heard" <heard@pobox.com> Sun, 09 February 2014 19:35 UTC

Return-Path: <heard@pobox.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86E461A0545 for <ipv6@ietfa.amsl.com>; Sun, 9 Feb 2014 11:35:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IZUfcjl8FSsC for <ipv6@ietfa.amsl.com>; Sun, 9 Feb 2014 11:35:39 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D6801A0443 for <6man@ietf.org>; Sun, 9 Feb 2014 11:35:39 -0800 (PST)
Received: (qmail 16082 invoked from network); 9 Feb 2014 11:35:37 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 9 Feb 2014 11:35:37 -0800
Date: Sun, 09 Feb 2014 11:35:37 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: 6MAN <6man@ietf.org>
Subject: Re: A problem with RFC 6465's Uniform Format for Extension Headers
In-Reply-To: <52F13D1D.9050800@gont.com.ar>
Message-ID: <Pine.LNX.4.64.1402090915000.27591@shell4.bayarea.net>
References: <20140130230740.25350.9524.idtracker@ietfa.amsl.com> <52EAF63A.7050108@si6networks.com> <CAFU7BATrYRsNJ7D4AJSy62XobNaGDgW-zTvX=yrqZea-Q67YPA@mail.gmail.com> <52F13D1D.9050800@gont.com.ar>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: Fernando Gont <fgont@si6networks.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Feb 2014 19:35:41 -0000

On Tue, 4 Feb 2014, Fernando Gont wrote:
> On 02/04/2014 11:20 AM, Jen Linkova wrote:
> > Somehow that proposed Universal Extension Header looks exactly like an
> > Options Extension Header to me.
> > Am I missing something? I'm trying to use my imagination but couldn't
> > see any possible scenario when UEH would work and Options header would
> > not.

In an offline discussion with Fernando before his draft was submitted
I made the following comments:

| This seems technically sound and is probably what RFC 6564 should 
| have said in the first place.  However, playing devil's advocate, 
| let me ask if there is a reason why the Destination Options header 
| would not serve the same purpose as the universal extension header 
| [...], so long as that header is allowed to appear multiple times at 
| any position in between the Hop-By-Hop options header (if present) 
| and the Fragment Header or the upper layer header.

In the absence of a strong argument to the contrary, it seems to me 
that the existing Destination Options header can be used to do 
exactly the same thing as the proposed UEH.  In other words, I agree 
with Jen's comments.

Fernando went on to write:
> Not sure what you mean.
> 
> But please let me provide an example:
> 
> Let's say that, tomorrow, the IETF standardizes the GTP (Google
> Transport Protocol :-)), and it is assigned the Next Header value 0xFF
> (I'm assuming this one is not currently assigned, bbut I'm not checking
> the IANA registry right now).
> 
> Say a middle-box receives a packet that simply encapsulates GTP in IPv6,
> and that middlebox does not yet support GTP. If the middle-box tries to
> interpret the GTP header as in RFC6465, it will certainly fail.
> 
> The reason? -- RFC 6465 implicitly assumes that every new Next Header
> will employ the RFC6465 format. This may be sensible for new *extension
> headers*, but certainly not for new transport protocols.
> 
> And since transport protocols and extension headers share the same
> namespace (see RFC7045), this is a problem.

All this is true.  The implication is that the middlebox must stop 
parsing the header chain when it encounters an unknown Next Header.

In more detail, I see the three cases:

1.) The middlebox encounters an ESP Next Header, signalling that an 
    encrypted payload follows.  In that case it stops parsing the 
    header chain and applies its policy for encrypted payloads.

2.) The middlebox encounters a Next Header corresponding to a known 
    transport protocol.  In that case it may perform filtering 
    actions specific to that transport protocol (and of course may 
    continue parsing into the transport header in order to do so).

3.) The middlebox encounters an unknown Next Header value.  In that 
    case it stops parsing the header chain and applies its policy 
    for packets with unknown Next Header values.  In order to comply 
    with RFC 7045, it MUST be possible to configure the policy to 
    allow such packets, but the default MAY be to drop them.  A 
    high-quality implementation would allow the policy to be 
    configured individually for each unknown Next Header value.

I agree that there are use cases where it is important for a middlebox 
to clearly distinguish between an unknown extension header and an 
unknown transport protocol.  One is RA Guard: see

https://datatracker.ietf.org/doc/draft-ietf-v6ops-ra-guard-implementation/

> What we did in our I-D is specify a new Extension Header, that is
> assigned a Next-Header value. Let us assume that our proposal moves
> forward, and the UEH is assigned the next header value 0xfe.
> 
> If a middle-box supports UEH but does not support our (fictitious) GTP
> protocol above, then, if a GTP packet encapsulated in IPv6 is received,
> GTP will be identified as an "upper-layer protocol", rather than as UEH
> (since the Next Header value will be 0xff, rather than UEH's 0xfe).
> 
> Clearly, another way to go is to reserve part of the IANA's Next Header
> namespace for RFC6465, and leave the rest for transport protocols -- as
> suggested by Hagen.
> 
> What's clear is that the only way in which RFC6465 can possibly work is
> if the middle-box has some a-priori knowledge that what is being
> encapsulated follows RFC6465 -- whether as a result of a reserved range
> (as originally proposed by Hagen) or by specifying a single UEH, and
> then encoding all possible future "extension headers" as subtypes of UEH.

A third possibility would be to go a step further than RFC 6564 and 
ban new extension headers outright, insisting that a Destination 
Option be used instead.  RFC 6564 already says that a new extension 
header may be defined only as a last resort, requiring proof that a 
Destination Option will not work.

Can anyone offer up a scenario where a Destination Option will not 
work?

Mike Heard

v2.23.0 | Report a Bug | By Email