IETF Logo Mail Archive

Re: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt

Fernando Gont <fernando.gont@edgeuno.com> Thu, 10 June 2021 07:41 UTC

Return-Path: <fernando.gont@edgeuno.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 927223A38AF for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 00:41:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=edgeuno.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9eolS8dpG8xJ for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 00:40:59 -0700 (PDT)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2115.outbound.protection.outlook.com [40.107.244.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B542F3A38AD for <ipv6@ietf.org>; Thu, 10 Jun 2021 00:40:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EcWDbmXqs2GnRvEv9Eaz+RmHEx3Z8EeVchVOaQcm7Wl8xDdl9j4JqrUPvmNv1jH+Jx/EV/dAv947g5U8JSOVY+gBZXgRvx8AhaFqbyQ3nBabzvJZRarOYZkK3mdUTlkHGRfmI/UuDTPgflVrqlua2wkhtg2yAqgEopRDA1SZzZwUvAIyBDwWils46umYhUn4rvQN5t08QifT70jN/cU00FfAatGsiO9zhrTe1HeaR+LJgNsiW7u/6NaKXPyh8wAih8rwkdzQaS73KKYcEX6ZGPB6NehEicJv4hx8wvfBoKIWvqYXOd8eZpums3lUcxZlOBMfUjXRtq5e2TEmPHcm9A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5hGB1yJ3W5oH4z3PS7jHnqix41oCpuBZaBDw4eRdIAU=; b=JBk6av0/hxirx6JReLg99Imgjap3Ru+9qjswCMSLkBV1ntxPyQz61IZh+ZJxPS8H/HKOK56e81Z+6sqc6eWoQpdhDbeDDCrlqAeVwItNap2FMuUxDthurjZtjoCe4gqlfI6VwHkLgFJFV2oE5kwWNoJr43mC52iyHI7H/frLIF049OTXVNk6VlY1PUV7ZzRoVqAY8M246NCR/A2qLy1+blUG0jsYWYBkcfh5WRKI2SsIuXwuEftDKoxGjHnuJ+RF9CFdbPUfjPug5us8B/9PJqvcsVntPQQolmCpoTclbVI/+dFyerXL2YxkRTWNIJZ4l1bUjx9qav01gzCb6ErSug==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=edgeuno.com; dmarc=pass action=none header.from=edgeuno.com; dkim=pass header.d=edgeuno.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=edgeuno.onmicrosoft.com; s=selector1-edgeuno-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5hGB1yJ3W5oH4z3PS7jHnqix41oCpuBZaBDw4eRdIAU=; b=QqHOsXZU9odfSVrFzXvr73DQb4BWRzRuIcxDo05u1ULXHkAqHTwUH9cU5FS3gBmuFJsrO4g39nSBBB5tcko/abj7kexoXsJyVcNrE+WnplG96wXT3PSXF9EIowd43AGzFkX3xNGy6xDPAQI21E6rTfEMP6awGaQ+K0FEaN82lu8=
Received: from SJ0PR05MB7514.namprd05.prod.outlook.com (2603:10b6:a03:2eb::6) by BYAPR05MB5095.namprd05.prod.outlook.com (2603:10b6:a03:97::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.9; Thu, 10 Jun 2021 07:40:57 +0000
Received: from SJ0PR05MB7514.namprd05.prod.outlook.com ([fe80::59c9:fcf7:eeea:1148]) by SJ0PR05MB7514.namprd05.prod.outlook.com ([fe80::59c9:fcf7:eeea:1148%8]) with mapi id 15.20.4219.021; Thu, 10 Jun 2021 07:40:57 +0000
From: Fernando Gont <fernando.gont@edgeuno.com>
To: "bob.hinden@gmail.com" <bob.hinden@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
CC: "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>
Subject: Re: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt
Thread-Topic: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt
Thread-Index: AQHXV92UuElJStBockeSEVwUcDaVkqsM6CiA
Date: Thu, 10 Jun 2021 07:40:57 +0000
Message-ID: <17adf4b21d428d051e390574e976e3f61aee33c0.camel@edgeuno.com>
References: <162265842779.4095.2393609365780372735@ietfa.amsl.com> <E5A31CCD-104D-4B92-9730-4FCFBF191F46@gmail.com>
In-Reply-To: <E5A31CCD-104D-4B92-9730-4FCFBF191F46@gmail.com>
Accept-Language: es-AR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Evolution 3.36.5-0ubuntu1
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=edgeuno.com;
x-originating-ip: [186.19.8.47]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 55744cdf-2c64-47b3-393c-08d92be31613
x-ms-traffictypediagnostic: BYAPR05MB5095:
x-microsoft-antispam-prvs: <BYAPR05MB509573ABCBBE9083BB8F74BFE5359@BYAPR05MB5095.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UtYOSlt/FAgUhPed9uKPmubd9hQ70XvVHxTylRy0NNyUxll2eFX1cocA3agfJUoOyY8ZaEcsFxKiQS6TsIPKQC/mebKKQDq5pyMmqiPHYPKoTh/61A+K2LcUOFCZP2N/YiRJIwiU0stR92G6C+ANHwwoL1UbZ7RIFF08CO9xUT7Iv5brygwVBlWC+mtO95UBY4vAu1djVb9xzxnEWKhc27BZqaGZ/OitYRxCocHm3uRxfFdckcntQZ1+cu3K1jIt7EjwDC43QmbYYoT5Y6hIW1j/7bustkOFO+HVTN67oXOYEBbDlhk7pM7z4jtOxpI03+RCAJqD82ZaoeKdvxNrQuNMU7StKDcN7zWp1krXTMe3CXsJ48JfRJiy7RNHrtMqztJlebevRUeS7tuqIabSK+o1/2dm5hnZQnNZPIKD/QdPxYuBCTsowpEY5Lyscy8lXUEZIw6rYoKnCFMDH2614FG+HJ+BrQ4GJRFp8SvsZ0y91Y2Vac42nN+3jvek7Ty33xkm2UQQ8ZEgQx100hIuTPMBCYBsCfppAiygQpKopQjp4jdodPP0Y7r5uoNI6xCf//N3Qv4OYtKQ3AA1MhsmgPnIXpnQEAHtfZpvKacV5uw=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR05MB7514.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(136003)(366004)(396003)(346002)(39840400004)(376002)(8676002)(38100700002)(122000001)(110136005)(66476007)(316002)(66574015)(91956017)(26005)(64756008)(66556008)(6486002)(86362001)(2616005)(66446008)(186003)(76116006)(66946007)(36756003)(8936002)(2906002)(44832011)(71200400001)(6506007)(478600001)(83380400001)(15650500001)(4326008)(5660300002)(6512007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 7wewA3ektLUoXp2j5DSYlRkAqRQzsAflBoOKFcDnaDkULiCwm9+rAWzsRkOd9EjDk4dslnKc4DDb8ovkQaRxC8p2YU5UUDtqS3hnqB7F43ZmpD0tV5c7dhfAfvr3ddrL1VUP3uWUwsCN8aNwXSkk+bKO+DAW9GrYGQEGHa4TFMzPE0bycZeqL/akRaznz3R6NAJgcT0Vnzsk2Mm3War+ld/FEdCdyS/9Jekg75jL917SqQULuQeyNuif1VtfviDryeSqgXtwuTLCh+6mlCmHZRBD6FkrSSmUuzQmrNn1aiDBOdQZY3AbLnqHbooGFAIM512REqXKdDprOgLjtkNUXwl6QaxsTtVi+0F67WYWzDntozz3qQQC8DTlk2C6JY4YuFMN0JA/t4Wgg4h98mc8REn9IkmqK8y3LZW+2givUXVEXNVz5dzliuzBBml8zM4oWf5EPYm7HDEdTOmCwBpV7RIIGCd9VQZf3O/AU0sMjPQhrJXkGW4VWPVX1FCee3cpiaT4xqg02fFjDO/MIpuHQ2DWDZ8rfQEVXLwwGx7b5iAuHMlCjV1rBUH7Zcp2hoDHZ2hG8zIuKt0WsViJG7rVJwgCG9PpvkEKi0GNGX3EtDUPGQOVUynyvcWBg3KHxo8pbGi9EfBRsXlJl0TB6ogzrTRvdS/iUuk9ZUfUFFIotZSrZ1r6BKat2RErfu5mG61pu1amNLDHmMa9VSVcJiFKc+LQD7Tef0M/JauEKj1HlGjxbJThSvtFtmw/RYFpfnKOUJQ4jmDU/AhODtunyu5xRHMqX+5QBiTtWBV01wunT2CDeGEwnUu/EnCb6uTF7whUToxcXHXQ2kdQVtgjk2lcoH7KufxYXLBWBBw1pEostMmpsc0SI+N9TT2ie/sbY0MH8O2Um2RMIrHudjMZcMftqMkdb2aT+F7vTfbHipWJk2zc0wUWf4UiV34JZNAOHDQkjV7cnouPemEiYuoByirmwWrBtuOBH60pIlBLBb88K46HErPYoZ8Np9vwhgvPoqdgUd8CTHBRTRD6RxPgGrXUswJhB/kkCFBn4C2Tq2UgNprMV4UigzkZ0bjhPRGMXxH50UpQeTvOci68fLcdNmnAblexVH9HffJoO4kg2vhNxDi4YJve+nliCn20ODP28nxbLTjdDB+D4f5cviD67ze9ZI0opQ40IGDq3MeMDAOzja4ROpkVDN8i0mv30t/4qs5a3FASCYOq60tnZENvXnrlZsdpMyz8XN9HMZhWZxcu0lDHrRSsglsU8BxW/efHq0eloRf03cjdAY1QUc13fQw4+3usQuN5Cmta/sp16LeZkcrhkL1ZGi8GCAQIfHIs+YXo
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <97152C69BD65164CB91C309F69DA2EFD@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: edgeuno.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR05MB7514.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 55744cdf-2c64-47b3-393c-08d92be31613
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jun 2021 07:40:57.6748 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 20879dba-fabf-45da-8300-60b8ce560217
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: isjTNlYU0EMBrWtKSuR/eN8DM2IdQEguWIMl19rsW50jtA5k+gBSiUHIk+4PTqQG44meboAXUMNpk7RuMn0JBVvkOvBlh34i/ypX9nL5clk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB5095
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/J-Y-MBIAFVqWXAQDK27lKWGs3go>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2021 07:41:04 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi, Bob & Gorry,

Some comments:

* Section 4, page 4:

>  The changes meant that an implementation complied with the IPv6
>  specification even if it did not process hop-by-hop options, and
> that
>  it was expected that routers would add configuration information to
>  control which hop-by-hop options they would process.

The way I interpret RFC8200 is that a router is configured whether it
needs to process the HbH header in the first place, rather than whether
to process specific options. 


* Section 4, page 5:
> 
>    There has been research that discussed the general problem with
>    dropping packets containing IPv6 extension headers, including the
>    Hop-by-Hop Options header.  For example [Hendriks] states that
>    "dropping all packets with Extension Headers, is a bad practice"

Given the number of vulnerabilities associated with the processing of
IPv6 EHs, and that it's a feature that is largely unused, the converse
is probably true.


* Section 4, page 5:

This discussion misses an important point/aspect: the lgnth of the IPv6
header chain. e.g., asking nodes to support a single HbH option if such
option is, say, 256 bytes, will still be unfeasible.


* Section 5.1, page 6:
> [RFC8200] also requires
>    that a Hop-by-Hop Options header can only appear once in a packet.
> 

This doesn't seem accurate. RFC8200 states:

   IPv6 nodes must accept and attempt to process extension headers in
   any order and occurring any number of times in the same packet,
   except for the Hop-by-Hop Options header, which is restricted to
   appear immediately after an IPv6 header only.  Nonetheless, it is
   strongly advised that sources of IPv6 packets adhere to the above
   recommended order until and unless subsequent specifications revise
   that recommendation.

i.e., there's a recommendation to send only one HbH, but still required
to process all received. (cursed by the robustness principle, if you
wish :-) )


* Section 5.2, page 6:
> 
>    If the node can not process an option in the Fast Path, it MUST
>    behave as if it does not recognize the Option Type (as described
> in
>    the next paragraph).

My take is that a router that wouldn't be able to process options in
the fast-path wouldn't even bother to parse the contents of the HbH in
the first place....


* Section 5.3, page 8:

>       The Router Alert Option is a problem since it's function is to
> do
>       what this specification is proposing to eliminate, that is,
>       process the packet in the Slow Path.  One approach would be to
>       deprecate it as it's usage appears to be limited and packets
>       containing Hop-by-Hop options are frequently dropped. 

Nore: This option is employed for MLD packets, which result from ND
using multicast. In such scenarios (MLD is link-local) packets survive
- -- cause they don't need to be forwarded in the first place.  Whether
using RAO for MLD (or whether MLD itself) is a good idea, is a
different question... ;-)


* Section 5.3, page 8:

> 
>    A Fast Path implementation SHOULD verify that a Router Alert
> contains
>    a protocol, as indicated by the Value field in the Router Alert
>    option, that is configured as a protocol of interest to that
> router.
>    A verified packet SHOULD be sent on the Slow Path for processing
>    [RFC6398]. 

If the device knows it's not using a protocol that may need to rely on
RAOs, why should the device parse, say, RAOs in the first place?


* Section 6, page 9:
>    Any new IPv6 Hop-by-Hop option designed in the future should be
>    designed to be processed in the Fast Path.  New options MUST NOT
> be
>    defined that require Slow Path processing.  New Hop-by-Hop options
>    SHOULD have the following characteristics:
> 
>    *  Straight forward to process.  That is, they should be designed
> to
>       keep the time to process low.
> 
>    *  Fixed size in 8-octet units.  Specifically any new Hop-by-Hop
>       options should not be variable size that could extend beyond
> what
>       can be executed in the Fast Path.

This is missing the overall option length. 


* Section 8, page 10:

>    Security issues with IPv6 Hop-by-Hop options are well known and
> have
>    been documented in several places, including [RFC6398], [RFC6192],
>    and [I-D.ietf-v6ops-ipv6-ehs-packet-drops].  The main issue, as
> noted
>    in Section 4, is that any mechanism that can be used to force
> packets
>    into the router's Slow Path can be exploited as a denial of
> service
>    attack on a transit router by saturating the resources need for
>    router management protocols (e.g., routing protocols, network
>    management protocols, etc.) that may cause the router to
> fail.  Due
>    to this it's common for transit routers to drop packets with Hop-
> by-
>    Hop options headers.

This discussion missess to note and acknowledge that there is a general
issue associated with IPv6 extension headers.

HbH has extra problems. But there are other general issues that apply
to all EHs, and not just HbH.


* Section 8, page 10:
> 
>    *  Limited the default number of Hop-by-Hop options that that can
> be
>       in a packet to a single Hop-by-Hop option.

If you are pursuing that path, you should also limite the overall IPv6
header chain length. That;s probably even more important than limiting
the number of EHs or number of HbH options.


Thanks!

Regards,
- -- 
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531




-----BEGIN PGP SIGNATURE-----

iQFOBAEBCgA4FiEE371j47JIrnnFmK8j667aAwZEFTEFAmDBwgcaHGZlcm5hbmRv
LmdvbnRAZWRnZXVuby5jb20ACgkQ667aAwZEFTH/qAf/Su1CoIjSBl6GeEIl0jn5
JoW+H8uqAS49aP0pjFDsOXT2La5vGlT4DNDicextT5ca9xpI7BBBxxf8VDP1pdS6
jgh/k2mp5qwGFG0UyJSIm46+hxW1+N6VbQ1RV19oKUFPk2iIcsPtimQuHIE/fa8I
1BD49ljp6WbZTR4DrqZFuKpbV8Zx5AxaOTGUuxzWEDzfOrylnmacPrT9IspbgU+R
VIW6wMtHNK75LHs9ILSUjTGlv4056KrMkk9b/1Ot01wO7dgzFG6MXEQznVO1FUHX
8K9Y3+dB9yOg6cUenzDsCEqRgcnLPIXkbQhwySHQW9dAs0VkLwE8c+aKt9O5283W
cQ==
=u+vn
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email