Re: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt
Fernando Gont <fernando.gont@edgeuno.com> Thu, 10 June 2021 07:41 UTC
Return-Path: <fernando.gont@edgeuno.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 927223A38AF for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 00:41:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=edgeuno.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9eolS8dpG8xJ for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 00:40:59 -0700 (PDT)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2115.outbound.protection.outlook.com [40.107.244.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B542F3A38AD for <ipv6@ietf.org>; Thu, 10 Jun 2021 00:40:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EcWDbmXqs2GnRvEv9Eaz+RmHEx3Z8EeVchVOaQcm7Wl8xDdl9j4JqrUPvmNv1jH+Jx/EV/dAv947g5U8JSOVY+gBZXgRvx8AhaFqbyQ3nBabzvJZRarOYZkK3mdUTlkHGRfmI/UuDTPgflVrqlua2wkhtg2yAqgEopRDA1SZzZwUvAIyBDwWils46umYhUn4rvQN5t08QifT70jN/cU00FfAatGsiO9zhrTe1HeaR+LJgNsiW7u/6NaKXPyh8wAih8rwkdzQaS73KKYcEX6ZGPB6NehEicJv4hx8wvfBoKIWvqYXOd8eZpums3lUcxZlOBMfUjXRtq5e2TEmPHcm9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5hGB1yJ3W5oH4z3PS7jHnqix41oCpuBZaBDw4eRdIAU=; b=JBk6av0/hxirx6JReLg99Imgjap3Ru+9qjswCMSLkBV1ntxPyQz61IZh+ZJxPS8H/HKOK56e81Z+6sqc6eWoQpdhDbeDDCrlqAeVwItNap2FMuUxDthurjZtjoCe4gqlfI6VwHkLgFJFV2oE5kwWNoJr43mC52iyHI7H/frLIF049OTXVNk6VlY1PUV7ZzRoVqAY8M246NCR/A2qLy1+blUG0jsYWYBkcfh5WRKI2SsIuXwuEftDKoxGjHnuJ+RF9CFdbPUfjPug5us8B/9PJqvcsVntPQQolmCpoTclbVI/+dFyerXL2YxkRTWNIJZ4l1bUjx9qav01gzCb6ErSug==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=edgeuno.com; dmarc=pass action=none header.from=edgeuno.com; dkim=pass header.d=edgeuno.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=edgeuno.onmicrosoft.com; s=selector1-edgeuno-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5hGB1yJ3W5oH4z3PS7jHnqix41oCpuBZaBDw4eRdIAU=; b=QqHOsXZU9odfSVrFzXvr73DQb4BWRzRuIcxDo05u1ULXHkAqHTwUH9cU5FS3gBmuFJsrO4g39nSBBB5tcko/abj7kexoXsJyVcNrE+WnplG96wXT3PSXF9EIowd43AGzFkX3xNGy6xDPAQI21E6rTfEMP6awGaQ+K0FEaN82lu8=
Received: from SJ0PR05MB7514.namprd05.prod.outlook.com (2603:10b6:a03:2eb::6) by BYAPR05MB5095.namprd05.prod.outlook.com (2603:10b6:a03:97::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.9; Thu, 10 Jun 2021 07:40:57 +0000
Received: from SJ0PR05MB7514.namprd05.prod.outlook.com ([fe80::59c9:fcf7:eeea:1148]) by SJ0PR05MB7514.namprd05.prod.outlook.com ([fe80::59c9:fcf7:eeea:1148%8]) with mapi id 15.20.4219.021; Thu, 10 Jun 2021 07:40:57 +0000
From: Fernando Gont <fernando.gont@edgeuno.com>
To: "bob.hinden@gmail.com" <bob.hinden@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
CC: "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>
Subject: Re: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt
Thread-Topic: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt
Thread-Index: AQHXV92UuElJStBockeSEVwUcDaVkqsM6CiA
Date: Thu, 10 Jun 2021 07:40:57 +0000
Message-ID: <17adf4b21d428d051e390574e976e3f61aee33c0.camel@edgeuno.com>
References: <162265842779.4095.2393609365780372735@ietfa.amsl.com> <E5A31CCD-104D-4B92-9730-4FCFBF191F46@gmail.com>
In-Reply-To: <E5A31CCD-104D-4B92-9730-4FCFBF191F46@gmail.com>
Accept-Language: es-AR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Evolution 3.36.5-0ubuntu1
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=edgeuno.com;
x-originating-ip: [186.19.8.47]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 55744cdf-2c64-47b3-393c-08d92be31613
x-ms-traffictypediagnostic: BYAPR05MB5095:
x-microsoft-antispam-prvs: <BYAPR05MB509573ABCBBE9083BB8F74BFE5359@BYAPR05MB5095.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UtYOSlt/FAgUhPed9uKPmubd9hQ70XvVHxTylRy0NNyUxll2eFX1cocA3agfJUoOyY8ZaEcsFxKiQS6TsIPKQC/mebKKQDq5pyMmqiPHYPKoTh/61A+K2LcUOFCZP2N/YiRJIwiU0stR92G6C+ANHwwoL1UbZ7RIFF08CO9xUT7Iv5brygwVBlWC+mtO95UBY4vAu1djVb9xzxnEWKhc27BZqaGZ/OitYRxCocHm3uRxfFdckcntQZ1+cu3K1jIt7EjwDC43QmbYYoT5Y6hIW1j/7bustkOFO+HVTN67oXOYEBbDlhk7pM7z4jtOxpI03+RCAJqD82ZaoeKdvxNrQuNMU7StKDcN7zWp1krXTMe3CXsJ48JfRJiy7RNHrtMqztJlebevRUeS7tuqIabSK+o1/2dm5hnZQnNZPIKD/QdPxYuBCTsowpEY5Lyscy8lXUEZIw6rYoKnCFMDH2614FG+HJ+BrQ4GJRFp8SvsZ0y91Y2Vac42nN+3jvek7Ty33xkm2UQQ8ZEgQx100hIuTPMBCYBsCfppAiygQpKopQjp4jdodPP0Y7r5uoNI6xCf//N3Qv4OYtKQ3AA1MhsmgPnIXpnQEAHtfZpvKacV5uw=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR05MB7514.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(366004)(396003)(346002)(39840400004)(376002)(8676002)(38100700002)(122000001)(110136005)(66476007)(316002)(66574015)(91956017)(26005)(64756008)(66556008)(6486002)(86362001)(2616005)(66446008)(186003)(76116006)(66946007)(36756003)(8936002)(2906002)(44832011)(71200400001)(6506007)(478600001)(83380400001)(15650500001)(4326008)(5660300002)(6512007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 7wewA3ektLUoXp2j5DSYlRkAqRQzsAflBoOKFcDnaDkULiCwm9+rAWzsRkOd9EjDk4dslnKc4DDb8ovkQaRxC8p2YU5UUDtqS3hnqB7F43ZmpD0tV5c7dhfAfvr3ddrL1VUP3uWUwsCN8aNwXSkk+bKO+DAW9GrYGQEGHa4TFMzPE0bycZeqL/akRaznz3R6NAJgcT0Vnzsk2Mm3War+ld/FEdCdyS/9Jekg75jL917SqQULuQeyNuif1VtfviDryeSqgXtwuTLCh+6mlCmHZRBD6FkrSSmUuzQmrNn1aiDBOdQZY3AbLnqHbooGFAIM512REqXKdDprOgLjtkNUXwl6QaxsTtVi+0F67WYWzDntozz3qQQC8DTlk2C6JY4YuFMN0JA/t4Wgg4h98mc8REn9IkmqK8y3LZW+2givUXVEXNVz5dzliuzBBml8zM4oWf5EPYm7HDEdTOmCwBpV7RIIGCd9VQZf3O/AU0sMjPQhrJXkGW4VWPVX1FCee3cpiaT4xqg02fFjDO/MIpuHQ2DWDZ8rfQEVXLwwGx7b5iAuHMlCjV1rBUH7Zcp2hoDHZ2hG8zIuKt0WsViJG7rVJwgCG9PpvkEKi0GNGX3EtDUPGQOVUynyvcWBg3KHxo8pbGi9EfBRsXlJl0TB6ogzrTRvdS/iUuk9ZUfUFFIotZSrZ1r6BKat2RErfu5mG61pu1amNLDHmMa9VSVcJiFKc+LQD7Tef0M/JauEKj1HlGjxbJThSvtFtmw/RYFpfnKOUJQ4jmDU/AhODtunyu5xRHMqX+5QBiTtWBV01wunT2CDeGEwnUu/EnCb6uTF7whUToxcXHXQ2kdQVtgjk2lcoH7KufxYXLBWBBw1pEostMmpsc0SI+N9TT2ie/sbY0MH8O2Um2RMIrHudjMZcMftqMkdb2aT+F7vTfbHipWJk2zc0wUWf4UiV34JZNAOHDQkjV7cnouPemEiYuoByirmwWrBtuOBH60pIlBLBb88K46HErPYoZ8Np9vwhgvPoqdgUd8CTHBRTRD6RxPgGrXUswJhB/kkCFBn4C2Tq2UgNprMV4UigzkZ0bjhPRGMXxH50UpQeTvOci68fLcdNmnAblexVH9HffJoO4kg2vhNxDi4YJve+nliCn20ODP28nxbLTjdDB+D4f5cviD67ze9ZI0opQ40IGDq3MeMDAOzja4ROpkVDN8i0mv30t/4qs5a3FASCYOq60tnZENvXnrlZsdpMyz8XN9HMZhWZxcu0lDHrRSsglsU8BxW/efHq0eloRf03cjdAY1QUc13fQw4+3usQuN5Cmta/sp16LeZkcrhkL1ZGi8GCAQIfHIs+YXo
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <97152C69BD65164CB91C309F69DA2EFD@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: edgeuno.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR05MB7514.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 55744cdf-2c64-47b3-393c-08d92be31613
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jun 2021 07:40:57.6748 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 20879dba-fabf-45da-8300-60b8ce560217
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: isjTNlYU0EMBrWtKSuR/eN8DM2IdQEguWIMl19rsW50jtA5k+gBSiUHIk+4PTqQG44meboAXUMNpk7RuMn0JBVvkOvBlh34i/ypX9nL5clk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB5095
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/J-Y-MBIAFVqWXAQDK27lKWGs3go>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2021 07:41:04 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, Bob & Gorry, Some comments: * Section 4, page 4: > The changes meant that an implementation complied with the IPv6 > specification even if it did not process hop-by-hop options, and > that > it was expected that routers would add configuration information to > control which hop-by-hop options they would process. The way I interpret RFC8200 is that a router is configured whether it needs to process the HbH header in the first place, rather than whether to process specific options. * Section 4, page 5: > > There has been research that discussed the general problem with > dropping packets containing IPv6 extension headers, including the > Hop-by-Hop Options header. For example [Hendriks] states that > "dropping all packets with Extension Headers, is a bad practice" Given the number of vulnerabilities associated with the processing of IPv6 EHs, and that it's a feature that is largely unused, the converse is probably true. * Section 4, page 5: This discussion misses an important point/aspect: the lgnth of the IPv6 header chain. e.g., asking nodes to support a single HbH option if such option is, say, 256 bytes, will still be unfeasible. * Section 5.1, page 6: > [RFC8200] also requires > that a Hop-by-Hop Options header can only appear once in a packet. > This doesn't seem accurate. RFC8200 states: IPv6 nodes must accept and attempt to process extension headers in any order and occurring any number of times in the same packet, except for the Hop-by-Hop Options header, which is restricted to appear immediately after an IPv6 header only. Nonetheless, it is strongly advised that sources of IPv6 packets adhere to the above recommended order until and unless subsequent specifications revise that recommendation. i.e., there's a recommendation to send only one HbH, but still required to process all received. (cursed by the robustness principle, if you wish :-) ) * Section 5.2, page 6: > > If the node can not process an option in the Fast Path, it MUST > behave as if it does not recognize the Option Type (as described > in > the next paragraph). My take is that a router that wouldn't be able to process options in the fast-path wouldn't even bother to parse the contents of the HbH in the first place.... * Section 5.3, page 8: > The Router Alert Option is a problem since it's function is to > do > what this specification is proposing to eliminate, that is, > process the packet in the Slow Path. One approach would be to > deprecate it as it's usage appears to be limited and packets > containing Hop-by-Hop options are frequently dropped. Nore: This option is employed for MLD packets, which result from ND using multicast. In such scenarios (MLD is link-local) packets survive - -- cause they don't need to be forwarded in the first place. Whether using RAO for MLD (or whether MLD itself) is a good idea, is a different question... ;-) * Section 5.3, page 8: > > A Fast Path implementation SHOULD verify that a Router Alert > contains > a protocol, as indicated by the Value field in the Router Alert > option, that is configured as a protocol of interest to that > router. > A verified packet SHOULD be sent on the Slow Path for processing > [RFC6398]. If the device knows it's not using a protocol that may need to rely on RAOs, why should the device parse, say, RAOs in the first place? * Section 6, page 9: > Any new IPv6 Hop-by-Hop option designed in the future should be > designed to be processed in the Fast Path. New options MUST NOT > be > defined that require Slow Path processing. New Hop-by-Hop options > SHOULD have the following characteristics: > > * Straight forward to process. That is, they should be designed > to > keep the time to process low. > > * Fixed size in 8-octet units. Specifically any new Hop-by-Hop > options should not be variable size that could extend beyond > what > can be executed in the Fast Path. This is missing the overall option length. * Section 8, page 10: > Security issues with IPv6 Hop-by-Hop options are well known and > have > been documented in several places, including [RFC6398], [RFC6192], > and [I-D.ietf-v6ops-ipv6-ehs-packet-drops]. The main issue, as > noted > in Section 4, is that any mechanism that can be used to force > packets > into the router's Slow Path can be exploited as a denial of > service > attack on a transit router by saturating the resources need for > router management protocols (e.g., routing protocols, network > management protocols, etc.) that may cause the router to > fail. Due > to this it's common for transit routers to drop packets with Hop- > by- > Hop options headers. This discussion missess to note and acknowledge that there is a general issue associated with IPv6 extension headers. HbH has extra problems. But there are other general issues that apply to all EHs, and not just HbH. * Section 8, page 10: > > * Limited the default number of Hop-by-Hop options that that can > be > in a packet to a single Hop-by-Hop option. If you are pursuing that path, you should also limite the overall IPv6 header chain length. That;s probably even more important than limiting the number of EHs or number of HbH options. Thanks! Regards, - -- Fernando Gont Director of Information Security EdgeUno, Inc. PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531 -----BEGIN PGP SIGNATURE----- iQFOBAEBCgA4FiEE371j47JIrnnFmK8j667aAwZEFTEFAmDBwgcaHGZlcm5hbmRv LmdvbnRAZWRnZXVuby5jb20ACgkQ667aAwZEFTH/qAf/Su1CoIjSBl6GeEIl0jn5 JoW+H8uqAS49aP0pjFDsOXT2La5vGlT4DNDicextT5ca9xpI7BBBxxf8VDP1pdS6 jgh/k2mp5qwGFG0UyJSIm46+hxW1+N6VbQ1RV19oKUFPk2iIcsPtimQuHIE/fa8I 1BD49ljp6WbZTR4DrqZFuKpbV8Zx5AxaOTGUuxzWEDzfOrylnmacPrT9IspbgU+R VIW6wMtHNK75LHs9ILSUjTGlv4056KrMkk9b/1Ot01wO7dgzFG6MXEQznVO1FUHX 8K9Y3+dB9yOg6cUenzDsCEqRgcnLPIXkbQhwySHQW9dAs0VkLwE8c+aKt9O5283W cQ== =u+vn -----END PGP SIGNATURE-----
- Fwd: New Version Notification for draft-hinden-6m… Bob Hinden
- Re: New Version Notification for draft-hinden-6ma… Eric Vyncke (evyncke)
- Re: Fwd: New Version Notification for draft-hinde… Nick Hilliard
- Re: Fwd: New Version Notification for draft-hinde… Tom Herbert
- Re: New Version Notification for draft-hinden-6ma… Tom Herbert
- Re: Fwd: New Version Notification for draft-hinde… Brian E Carpenter
- Re: Re: New Version Notification for draft-hinden… li_zhenqiang@hotmail.com
- RE: New Version Notification for draft-hinden-6ma… Pengshuping (Peng Shuping)
- Re: Fwd: New Version Notification for draft-hinde… Fernando Gont
- Re: Fwd: New Version Notification for draft-hinde… Fernando Gont
- Re: Fwd: New Version Notification for draft-hinde… Gorry Fairhurst
- Re: Fwd: New Version Notification for draft-hinde… Fernando Gont
- Re: Fwd: New Version Notification for draft-hinde… Gorry Fairhurst
- Re: Fwd: New Version Notification for draft-hinde… Tom Herbert
- Re: Fwd: New Version Notification for draft-hinde… Brian E Carpenter
- Re: Fwd: New Version Notification for draft-hinde… Tom Herbert
- Re: Fwd: New Version Notification for draft-hinde… Brian E Carpenter
- Re: Fwd: New Version Notification for draft-hinde… Fernando Gont
- Re: Fwd: New Version Notification for draft-hinde… Fernando Gont
- Re: Fwd: New Version Notification for draft-hinde… Tom Herbert
- Re: Fwd: New Version Notification for draft-hinde… Fernando Gont
- Re: New Version Notification for draft-hinden-6ma… Pascal Thubert (pthubert)
- Re: New Version Notification for draft-hinden-6ma… Fernando Gont
- Re: New Version Notification for draft-hinden-6ma… Tom Herbert
- Re: New Version Notification for draft-hinden-6ma… Fernando Gont
- RE: New Version Notification for draft-hinden-6ma… Pascal Thubert (pthubert)
- RE: New Version Notification for draft-hinden-6ma… Vasilenko Eduard
- Re: New Version Notification for draft-hinden-6ma… Tom Herbert
- Re: New Version Notification for draft-hinden-6ma… Nick Hilliard
- Re: New Version Notification for draft-hinden-6ma… Tom Herbert
- RE: New Version Notification for draft-hinden-6ma… Vasilenko Eduard
- Re: New Version Notification for draft-hinden-6ma… Tom Herbert
- Re: New Version Notification for draft-hinden-6ma… Fernando Gont
- RE: New Version Notification for draft-hinden-6ma… Vasilenko Eduard
- Re: New Version Notification for draft-hinden-6ma… Fred Baker