[IPv6]Re: Fwd: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt

Nick Hilliard <nick@foobar.org> Tue, 23 December 2025 22:29 UTC

Return-Path: <nick@foobar.org>
X-Original-To: ipv6@mail2.ietf.org
Delivered-To: ipv6@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0A5C19E8EF1C for <ipv6@mail2.ietf.org>; Tue, 23 Dec 2025 14:29:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -6.382
X-Spam-Level:
X-Spam-Status: No, score=-6.382 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-2.182, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HDXZGqO8kGgQ for <ipv6@mail2.ietf.org>; Tue, 23 Dec 2025 14:29:22 -0800 (PST)
Received: from mail.netability.ie (mail.netability.ie [IPv6:2a03:8900:0:100::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 622149E8EF17 for <6man@ietf.org>; Tue, 23 Dec 2025 14:29:22 -0800 (PST)
Received: from crumpet.local (unknown [89.101.70.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.netability.ie (Postfix) with ESMTPSA id 67FD99CFF0; Tue, 23 Dec 2025 22:29:14 +0000 (GMT)
To: Justin Iurman <justin.iurman@gmail.com>
References: <176651727681.861963.1665571528282296202@dt-datatracker-5656579b89-p6k4r> <af5fd42c-fbb9-4606-a8c6-208a7ff6bc6f@gmail.com> <188944cc-7d9e-b305-d55a-4ff6b20bf639@foobar.org> <72123110-66aa-4881-a0e3-280b7db8eef6@gmail.com>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <c8dcb888-b905-884a-c18b-6186b917e551@foobar.org>
Date: Tue, 23 Dec 2025 22:29:13 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 26.2; rv:52.0) Gecko/20100101 PostboxApp/7.0.65
MIME-Version: 1.0
In-Reply-To: <72123110-66aa-4881-a0e3-280b7db8eef6@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Message-ID-Hash: HVDSRODBPLNG65RQTISZZLIVKWUB4NKQ
X-Message-ID-Hash: HVDSRODBPLNG65RQTISZZLIVKWUB4NKQ
X-MailFrom: nick@foobar.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: 6man@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPv6]Re: Fwd: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/GuKX0uWKNcD6fN6Mt_bhlOazkp4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>

Hi Justin,

Justin Iurman wrote on 23/12/2025 21:10:
> The change proposed in the draft not only enforces the rule for senders, 
> but is also allows receivers to discard packets with extension headers 
> exceeding their number of occurrences. Right now, RFC 8200 assumes that 
> a receiving node should process EHs regardless of the number of 
> occurrences.

yes, but this misses the point.

Your draft allows a receiving node to drop multiple occurrences of the 
same type (nb: at the cost of maintaining a count or index for each 
type, which is a significant state overhead when handling packet 
forwarding), but the point is that in order to do this, the receiving - 
or intermediate node - needs to parse the entire header chain to find 
out which EHs to drop. The requirement to parse excessively long EH 
chains is the root cause of the problems identified in rfc9098.

You can't address the problems in rfc9098 by setting rules of engagement 
at the sending side. You can only deal with them on receiving / 
intermediate nodes by putting an upper bound on the "overall quantity" 
of EHs in the packet.

I'm using the vague term "overall quantity" because some hardware craps 
out on parsing due to fixed buffer lengths and other hardware craps out 
after a specific number of headers.  So any draft aimed at addressing 
this problem needs to acknowledge both situations when specifying what 
limits a receiving or intermediate node should implement in order to 
protect itself against ddos threat incidents.

Nick