IETF Logo Mail Archive

Re: Death by extension header (was:RE: New Version Notification for draft-li-6man-hbh-fwd-hdr-00.txt)

Toerless Eckert <tte@cs.fau.de> Fri, 10 July 2020 21:02 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B94B53A098A for <ipv6@ietfa.amsl.com>; Fri, 10 Jul 2020 14:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WTRn9mVWUaWU for <ipv6@ietfa.amsl.com>; Fri, 10 Jul 2020 14:02:11 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 902E93A0989 for <6man@ietf.org>; Fri, 10 Jul 2020 14:02:10 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 3D5F4548045; Fri, 10 Jul 2020 23:02:04 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 35F11440043; Fri, 10 Jul 2020 23:02:04 +0200 (CEST)
Date: Fri, 10 Jul 2020 23:02:04 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org>
Cc: Tom Herbert <tom@herbertland.com>, "6man@ietf.org" <6man@ietf.org>
Subject: Re: Death by extension header (was:RE: New Version Notification for draft-li-6man-hbh-fwd-hdr-00.txt)
Message-ID: <20200710210204.GW42197@faui48f.informatik.uni-erlangen.de>
References: <DM6PR05MB6348708352E1EE4421A61D63AE650@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S34e21BLHRfx+p7agrzzDsx-M-XxB6cZQnWc-d0wqSesRQ@mail.gmail.com> <DM6PR05MB6348BCE5DDB6A8AF52D04FFAAE650@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S35H5G+czLhLTJD2tm1m3beYCQ+=u8D7v5YmNGG3YE9Nng@mail.gmail.com> <DM6PR05MB6348AFFC9330DB1BA34DB54CAE650@DM6PR05MB6348.namprd05.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DM6PR05MB6348AFFC9330DB1BA34DB54CAE650@DM6PR05MB6348.namprd05.prod.outlook.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/FZ9pwJhxDNXykWqINMfgol90sxk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 21:02:19 -0000

Ron,

IMHO, we just need to agree on a "tagging" of options that we feel confident
can be supported by all platforms that WANT to support an option in the fast
path. And that does not increase overhead in processing for those nodes
that DO NOT WANT to support the option. The existing extension header structure
may not be that tagging. Maybe we need something else than the IPv6 packet header
structure (gee, so sorry for surprising everybody here by saying that ;-)

The MALICE draft evolved from using STUN cookie DPI to solve this problem.
Not creating any overhead for routers who do not care, and still easy enough
to extract for routers that do care. Of course this is the reactive solution
when you can not proactive build  an appropriate network header. If would
be great if IETF would finally conclde that we should open up the discussion
how to build better network headers to solve problem like this

I am happy to concede that this may be beyond something to directly go to
6man, e.g.: maybe a stage of IRTF work needed on this. But ultimately:
If we do not do this, than any on-path processing will be done long term
solely through application level gateways by proprietary siloed distributed
applications, and the network layer is completely commoditized, if not
eliminated. We alreadyy had this in industrial networks in the 80th/90th
in europe, when TP4 was run directly on top of ethernet without Ethernet
instead of TP4. And the same trend is visible in todays manufacturing/
industrial networks.

Just saying

Cheers
    Toerless


i don't know if there will be a 
On Fri, Jul 10, 2020 at 08:37:34PM +0000, Ron Bonica wrote:
> Tom,
> 
> There is no uniformity regarding which options can be processed on the fast path. It is very likely that one implementation will be able to process Option X on the fast path while and another implementation will not.
> 
> Given that, when people specify new options, they should probably observe the following guidelines:
> 
> 1) Make the option as simple as possible, increasing the likelihood that nodes along the delivery path can support it on  their fast path
> 2) Set the ACT bits to 00, unless ignoring this particular option would somehow be harmful
> 
>                                                                                                                            Ron
> 
> 
> Juniper Business Use Only
> 
> -----Original Message-----
> From: Tom Herbert <tom@herbertland.com> 
> Sent: Friday, July 10, 2020 3:35 PM
> To: Ron Bonica <rbonica@juniper.net>
> Cc: Pengshuping (Peng Shuping) <pengshuping@huawei.com>; 6man@ietf.org
> Subject: Re: Death by extension header (was:RE: New Version Notification for draft-li-6man-hbh-fwd-hdr-00.txt)
> 
> [External Email. Be cautious of content]
> 
> 
> On Fri, Jul 10, 2020 at 11:44 AM Ron Bonica <rbonica@juniper.net> wrote:
> >
> > Tom,
> >
> > Given that you parse the extension header chain on the fast path, HBH and destination options can be categorized as follows:
> >
> > 1) unrecognized (ACT 00, 01, 10, and 11)
> 
> Anything other than ACT 00 behavior is probably unnecessary at a router. In the same way that RFC8200 allows ignoring the HBH EH, it makes sense they can ignore individual options and never send an ICMP error for unrecognized options regardless of the ACT bits. The end host can take care of sending the ICMP error if the option is unrecognized by everyone.
> 
> > 2) recognized and processed on the fast path
> > 3) recognized and processed on the slow path
> >
> > Types 1 and 2 cannot be used in a DoS attack, because they are never sent to the slow path. Type 3 is the dangerous one.
> >
> > I think that an implementation is safe if it only recognizes options that it can process on the fast path. It may also be safe if it severely rate limits packets as it sends them to the slow path.
> >
> 
> Then that goes back to the question of what options _require_ slow path processing. It's unclear which ones do and which ones don't and I suspect there's no uniformity across implementations here. What if routers just ignore those options that they think need to be processed in the slow path? What would that break given that they can already ignore all the HBH options anyway per RFC8200?
> 
> Tom
> 
> >                                                                                       
> > Ron
> >
> >
> >
> >
> >
> > Juniper Business Use Only
> >
> > -----Original Message-----
> > From: Tom Herbert <tom@herbertland.com>
> > Sent: Friday, July 10, 2020 2:29 PM
> > To: Ron Bonica <rbonica@juniper.net>
> > Cc: Pengshuping (Peng Shuping) <pengshuping@huawei.com>; 6man@ietf.org
> > Subject: Re: Death by extension header (was:RE: New Version 
> > Notification for draft-li-6man-hbh-fwd-hdr-00.txt)
> >
> > [External Email. Be cautious of content]
> >
> >
> > On Fri, Jul 10, 2020 at 11:18 AM Ron Bonica <rbonica@juniper.net> wrote:
> > >
> > > Tom,
> > >
> > > I am forking a new thread since this is not directly related to Shuping's draft.
> > >
> > > Any variable length extension header can be used in a DoS attack. So, if a node encounters a packet that satisfies any of the following criteria, it should discard the packet and send an ICMP message as described in https://urldefense.com/v3/__https://tools.ietf.org/html/draft-herbert-6man-icmp-limits-03__;!!NEt6yMaO-gk!XnKPvkz9vBtVNlSCx0SqcojVpo2uBgeSDJzZEJa2fLd1NTKb53H0w3Ue2Xxv7iGB$ .
> > >
> > > - The extension header chain is longer than the node can process
> > > - An individual extension header is longer than the node can process
> > > - The total number of options contained by all instances of the HBH and Destination Options header exceeds the number or options that the node can process.
> > >
> >
> > Ron,
> >
> > Right, those are the ICMP errors for the allowance to drop or ignore extension headers in section 5.3 of RFC8504, there's also default limits suggested in that doc. Do you think this is sufficient in routers to get past the DOS concern?
> >
> > Tom
> >
> > >
> > > Ron
> > >
> > >
> > >
> > > Juniper Business Use Only
> > >
> > > -----Original Message-----
> > > From: Tom Herbert <tom@herbertland.com>
> > > Sent: Friday, July 10, 2020 1:13 PM
> > > To: Ron Bonica <rbonica@juniper.net>
> > > Cc: Pengshuping (Peng Shuping) <pengshuping@huawei.com>; 
> > > 6man@ietf.org
> > > Subject: Re: New Version Notification for 
> > > draft-li-6man-hbh-fwd-hdr-00.txt
> > >
> > > [External Email. Be cautious of content]
> > >
> > >
> > > On Fri, Jul 10, 2020 at 7:59 AM Ron Bonica <rbonica=40juniper.net@dmarc.ietf.org> wrote:
> > > >
> > > > Peng,
> > > >
> > > > While your solution may require refinement, I think that you have latched on to a problem that needs to be solved. HBH Options, as they were originally conceived in RFC 1883, are very useful.
> > > >
> > > > When IPv6 was first implemented on high-speed routers (circa 2000), HBH options were not yet well-understood and ASICs were not so capable as they are today. So, early IPv6 implementation dispatched all packet that contain HBH options to their slow path. In these implementations, a large flow of IPv6 packets could congest the slow path, causing other critical functions that are executed on the slow path to fail. These critical functions include routing and network management.
> > > >
> > > > To mitigate this DoS vulnerability, many operators deployed Access Control Lists (ACLs) that discard all packets containing HBH Options. This introduced a circular problem:
> > > >
> > > > - An implementation problem caused HBH to become a DoS vector
> > > > - Because HBH was a DoS vector, network operators deployed ACLs 
> > > > that discard packets containing HBH
> > > > - Because network operators deployed ACLs that discard packets 
> > > > containing HBH, network designers stopped defining new HBH Options
> > > > - Because network designers stopped defining new HBH Options, the 
> > > > community was not motivated to fix the implementation problem that 
> > > > cause HBH to become a DoS vector
> > > >
> > > > If we can fix the implementation problem that caused HBH to become a DoS vector, we can break this cycle and start using HBH Options.
> > > >
> > > Ron,
> > >
> > > I think there were "protocol problems" in the original design of HBH.
> > > The requirement that _all_ routers in the path process Hop-by-Hop options was in retrospect too austere, and the possibility that an attacker could stuff a packet with hundreds of bogus options, only limited by MTU, was, again in retrospect, a pretty obvious DOS vector.
> > > I believe these problems have been addressed in RFC8200 and RFC8504.
> > > We certainly welcome the feedback from router vendors whether these mitigations are sufficient to make HBH options deployable.
> > >
> > > Tom
> > >
> > > > Let's continue to work on a solution.
> > > >
> > > >                                                          Ron
> > > >
> > > >
> > > >
> > > > Juniper Business Use Only
> > > >
> > > > -----Original Message-----
> > > > From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Pengshuping (Peng
> > > > Shuping)
> > > > Sent: Thursday, July 2, 2020 12:07 PM
> > > > To: 6man@ietf.org
> > > > Subject: FW: New Version Notification for 
> > > > draft-li-6man-hbh-fwd-hdr-00.txt
> > > >
> > > > [External Email. Be cautious of content]
> > > >
> > > >
> > > > Hi Folks,
> > > >
> > > > We have just uploaded a new draft aiming to analyze and tackle the issues faced by the Hop-by-Hop Options Header, which has been sparsely used without any form of large scale deployment.
> > > >
> > > > However, as IPv6 is being rapidly and widely deployed worldwide, more and more new services that requires hop-by-hop forwarding process behavior are emerging, and also the already defined over ten HBH Options are going to be used widely in practice.
> > > >
> > > > We look forward to hearing your feedback and comments, and try to release the benefits that could be provided by HBH Options header altogether.
> > > >
> > > > Best regards,
> > > > Shuping
> > > >
> > > > -----Original Message-----
> > > > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > > > Sent: Thursday, July 2, 2020 11:31 PM
> > > > To: Lizhenbin <lizhenbin@huawei.com>; Pengshuping (Peng Shuping) 
> > > > <pengshuping@huawei.com>
> > > > Subject: New Version Notification for 
> > > > draft-li-6man-hbh-fwd-hdr-00.txt
> > > >
> > > >
> > > > A new version of I-D, draft-li-6man-hbh-fwd-hdr-00.txt has been successfully submitted by Shuping Peng and posted to the IETF repository.
> > > >
> > > > Name:           draft-li-6man-hbh-fwd-hdr
> > > > Revision:       00
> > > > Title:          Hop-by-Hop Forwarding Options Header
> > > > Document date:  2020-07-03
> > > > Group:          Individual Submission
> > > > Pages:          10
> > > > URL:            https://urldefense.com/v3/__https://www.ietf.org/internet-drafts/draft-li-6man-hbh-fwd-hdr-00.txt__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgB-bqLrg$
> > > > Status:         https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-li-6man-hbh-fwd-hdr/__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgM5iPE22$
> > > > Htmlized:       https://urldefense.com/v3/__https://tools.ietf.org/html/draft-li-6man-hbh-fwd-hdr-00__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgPvsH43l$
> > > > Htmlized:       https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-li-6man-hbh-fwd-hdr__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgBQxbwZb$
> > > >
> > > >
> > > > Abstract:
> > > >    RFC8200 specifies the HBH header that is assumed to be processed by
> > > >    each hop in the delivery path of the packet.  However, RFC8200 also
> > > >    expects that nodes processing the HBH header have been explicitly
> > > >    configured to do so.  Therefore, it cannot be assumed that a HBH
> > > >    header present in the packet is processed.  It all depends on the
> > > >    configuration of each node across the path.  Moreover, in most of
> > > >    networks today, the processing of the HBH header is done in the
> > > >    control plane (slow processing path) which incurs several limitations
> > > >    among which resources consumption and security risk.
> > > >
> > > >    For these reasons, over time, the Hop-by-Hop Options header has been
> > > >    sparsely used without any form of large scale deployment.  Also, most
> > > >    of already defined HBH options are forwarding options which contain
> > > >    forwarding plane information that needs not to be sent to the control
> > > >    plane.
> > > >
> > > >    This document proposes a new Hop-by-Hop Forwarding Options Header in
> > > >    order to carry Hop-by-Hop options that are solely intended to and
> > > >    processed by the forwarding plane.  This new HBH header is confined
> > > >    in and dedicated to the forwarding plane while the current HBH header
> > > >    can still be used for control plane options.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> > > >
> > > > The IETF Secretariat
> > > >
> > > >
> > > > ------------------------------------------------------------------
> > > > -- IETF IPv6 working group mailing list ipv6@ietf.org 
> > > > Administrative
> > > > Requests:
> > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/
> > > > ip
> > > > v6
> > > > __;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwV
> > > > mt
> > > > NT
> > > > FnzgEBbFhyl$
> > > > ------------------------------------------------------------------
> > > > --
> > > >
> > > > ------------------------------------------------------------------
> > > > -- IETF IPv6 working group mailing list ipv6@ietf.org 
> > > > Administrative
> > > > Requests:
> > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/
> > > > ip
> > > > v6
> > > > __;!!NEt6yMaO-gk!Qu9y9Ou2SvlYIZjMQa3hBXcu08HG3W4BBIcFoOHCfp41HtkdI
> > > > Yu
> > > > Ds
> > > > XM8uyxPWt9N$
> > > > ------------------------------------------------------------------
> > > > --
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email