Re: RFC6434bis open issue - IPv6 EH protection
Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 07 November 2017 19:20 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D4CB13301D for <ipv6@ietfa.amsl.com>; Tue, 7 Nov 2017 11:20:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6OkiFODytNk for <ipv6@ietfa.amsl.com>; Tue, 7 Nov 2017 11:20:51 -0800 (PST)
Received: from mail-pf0-x22b.google.com (mail-pf0-x22b.google.com [IPv6:2607:f8b0:400e:c00::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BD82132FB9 for <ipv6@ietf.org>; Tue, 7 Nov 2017 11:20:50 -0800 (PST)
Received: by mail-pf0-x22b.google.com with SMTP id 17so189236pfn.12 for <ipv6@ietf.org>; Tue, 07 Nov 2017 11:20:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:organization:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=QxyDBZ0eWX0IjDm1JvkQlTUt93EQ1DL+x6MqxnT0wSE=; b=eMV9YwEI4VN51CRCF9/uHiZNquHrsgCG9P8UEyHXU1HhTNPWqGVPY6kruXMA6HGe+k R/pkO5KjSUDgguKo6Kpvsgipc3Z1rTDnmXR85RQZviqqcYKouvAfodbjJJJ8hLKssTi4 xFDLr8X2XLWvCfa3yHlx7BaZqgt/6iDseASmEcWMUz4SIwCJ5Jqb/WzEpYaGhnUyNcPg Uszz28A2F2T5pUEtI5K9zKbM6Uo2OjeC9qc4gAWJauQPR8d+HpGDbAD/PzDIeN48+7EQ L8R7gFVGBEm2IR8AoM4bN5xPWTrmuaOlmBekOwNNYVKjabn9blNhV6hHhCX9nRQZM86g CE2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=QxyDBZ0eWX0IjDm1JvkQlTUt93EQ1DL+x6MqxnT0wSE=; b=feIXr07AWMli0i5lFbAlKrRGXfJ0sdhXOeYwtmicY/2eYwGOsreZHMyxmn7BqQ/Lky v0LDUwcrIQjss0/uwcYK0hyJ9us9Fv1O872v3kk0tv23VAQ9W9SO0474XYEvKgb7cy/m jQivafIRrdEhIzA/HTXe3TbyCE6KjyBnfCRkbNuiM1/Exaqmd7sIbCXcA/Jv+0DF0ZpL 3ZfpltlbFdZesj7Hul47mnNrKI9MMf1O5cAGHxob2ezmq72WbyZEbDTVDmpJUH7KjOUr YYuUM4G0Nbe6uB1Os3G/pIMhJ515myyh+Gbf70ekPQY/ROaziMgqOcdr/8h2T9buub/s hJsA==
X-Gm-Message-State: AMCzsaW0MHQJ2Sg1XbzTj+L+ITpGVHC+zYV/+GPFOJ665epCUhKbwiFk 5G2fr7FCcMPb1BphehSJrIEROQ==
X-Google-Smtp-Source: ABhQp+QZGc+UaRwBYOh4a5CiJgCo8FH2CE5esGllgp51JxCnDMKuOpZhmjNOY4woFZOWke2Pg8F22Q==
X-Received: by 10.159.197.67 with SMTP id d3mr19260411plo.433.1510082449579; Tue, 07 Nov 2017 11:20:49 -0800 (PST)
Received: from ?IPv6:2406:e001:3d21:1:28cc:dc4c:9703:6781? ([2406:e001:3d21:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id q69sm4611668pfg.127.2017.11.07.11.20.47 for <ipv6@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Nov 2017 11:20:48 -0800 (PST)
Subject: Re: RFC6434bis open issue - IPv6 EH protection
To: ipv6@ietf.org
References: <4E35047B-BB4A-4ED2-BB1D-535EC54C6502@jisc.ac.uk>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <a9b8dea1-f099-1f9f-4116-ea2e6ce04cc8@gmail.com>
Date: Wed, 08 Nov 2017 08:20:48 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <4E35047B-BB4A-4ED2-BB1D-535EC54C6502@jisc.ac.uk>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Jp1xVoEZTRn3aeD08GgWNOYRpvs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 19:20:53 -0000
On 08/11/2017 00:59, Tim Chown wrote:
> Hi,
>
> Here is a second open issue in the draft for which the authors would like comments.
>
> In response to previous discussions, Tom Herbert kindly supplied some text on how nodes may protect themselves from excessive EH options.
>
> There are two issues here.
> 1. Does the text look reasonable?
> 2. The text is quite long, and is not published elsewhere; is a separate draft more appropriate with just briefer text in 6434bis?
>
> In general, we have minimised new text in 6434bis, and pointed at material published in RFCs elsewhere.
Right. And this text is getting close to BCP or even BIP (Best Implementation Practice).
But I think it's reasonable to include it.
Brian
> — snip —
>
> 5.3. Protecting a node from excessive EH options
>
> Per RFC 8200, end hosts are expected to process all extension
> headers, destination options, and hop-by-hop options in a packet.
> Given that the only limit on the number and size of extension headers
> is the MTU, the processing of received packets could be considerable.
> It is also conceivable that a long chain of extension headers might
> be used as a form of denial-of-service attack. Accordingly, a host
> may place limits on the number and sizes of extension headers and
> options it is willing to process.
>
> A host MAY limit the number of consecutive PAD1 options in
> destination options or hop-by-hop options to seven. In this case, if
> the more than seven consecutive PAD1 options are present the the
> packet should be silently discarded. The rationale is that if
> padding of eight or more bytes is required than the PADN option
> should be used.
>
> A host MAY limit number of bytes in a PADN option to be less than
> eight. In such a case, if a PADN option is present that has a length
> greater than seven then the packet should be silently discarded. The
> rationale for this guideline is that the purpose of padding is for
> alignment and eight bytes is the maximum alignment used in IPv6.
>
> A host MAY disallow unknown options in destination options or hob-by-
> hop options. This should be configurable where the default is to
> accept unknown options and process them per RFC2460. If a packet
> with unknown options is received and the host is configured to
> disallow them, then the packet should be silently discarded.
>
> A host MAY impose a limit on the maximum number of non-padding
> options allowed in a destination options and hop-by-hop extension
> headers. If this feature is supported the maximum number should be
> configurable and the default value SHOULD be set to eight. The
> limits for destination options and hop-by-hop options may be
> separately configurable. If a packet is received and the number of
> destination or hop-by-hop optines exceeds the limit, then the packet
> should be silently discarded.
>
> A host MAY impose a limit on the maximum length of destination
> options or hop-by-hop options extension header. This value should be
> configurable and the default is to accept options of any length. If
> a packet is received and the length of destination or hop-by-hop
> options extension header exceeds the length limit, then the packet
> should be silently discarded.
>
> — snip —
>
> For the full document, see
> https://tools.ietf.org/html/draft-ietf-6man-rfc6434-bis-02#section-5.3
>
> Tim
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
- RFC6434bis open issue - IPv6 EH protection Tim Chown
- Re: RFC6434bis open issue - IPv6 EH protection Fernando Gont
- Re: RFC6434bis open issue - IPv6 EH protection Brian E Carpenter