IETF Logo Mail Archive

Re: Conflicting requirements for sending ICMPv6 and EH scan?

Tom Herbert <tom@herbertland.com> Tue, 28 May 2019 16:27 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDBC6120163 for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 09:27:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zlCw2m6qBxRu for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 09:27:03 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A4DC120096 for <ipv6@ietf.org>; Tue, 28 May 2019 09:27:03 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id a132so23497182qkb.13 for <ipv6@ietf.org>; Tue, 28 May 2019 09:27:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=knWB8snCWAG3H0JKcrr1J8Q8OjHMW1vhH7PXUFOzmL0=; b=AETt9KdSpuktoNRgy/b94FVR4kpNao158jRmhIJ4gJJeFKUdMV6cP7OkK+SgkGwoRj 9sp1G7vQ2vFVgt21pdeKJH1aFLXSmWlhF/OnS+8Ra+ARuI2itxIzgGAVY/hizliHFPMl EsyCZyhW9iLgF1EVbbYceODy1a2h4+PD5jRK6TcErJ65ZKKMJ8vl2miDOQgCWfmRvUDI n3PNRSNlqQQ8OhNpg4Vlk0BJo9t2+jrkKvgebt3X/mAgNmj/fDxAMYJQwHM2csuRn7oF 6tQ+gC2hd+66x2v14FBIkgdlkaaLQx9YsHZDDth7DlXZ+AI2xeCXSoiNGWRxhlKv+adn 3WJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=knWB8snCWAG3H0JKcrr1J8Q8OjHMW1vhH7PXUFOzmL0=; b=THjc0pY4bRwShqfjWoX5qmjax6NbYbKNFSYaoLsBif/y/cE7zuSbCDQhpp+HGwcjdV wa1/WXGLcpNG2nZPiNA5cwbBDVcUdxPQ0cc2XnntWGUDUAGXqEkoFU/jPFF9XjKo4AKz ReQ3uXLu2e0ZqstEoa+7wR0e0/y5Yb2YSoUnMXvLkRwFeSbRRIX/t0Cq5smEeECRQNsQ 8EPN5FCuCgRNIA/B2OEQCP4c6Kg+1Ml07BJUilBVe8ZaBZ+gVv2+xdadnTErD3rsJBKW OIpok5rDrI+tOaL7+0bnzr+4qQNdtYL09uAlASDtKM/0x/zHTrd0/elV3R/r7mkgXYPO whSg==
X-Gm-Message-State: APjAAAWtgF/MgXyyOsEhg98UjewHZwO+l2i6xEdV/DcXjcJJM14r+F+F g5iFH3gSxPCGToWHJfsmQTZOmC3q1fQboCGdkvGqhg==
X-Google-Smtp-Source: APXvYqyMQ5J80TleKXTGAze8fj3iHCo3XwbQHR9GqWITQO+zVn88X/WhCMPMiKDKua7+mcP+RSV8U5clHtHhAzKqHrM=
X-Received: by 2002:ae9:ec10:: with SMTP id h16mr55544942qkg.215.1559060822023; Tue, 28 May 2019 09:27:02 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S37wNpe=XweKh=Y6ARZ1nfjvySmK=km6+_UTDVFPujp7bA@mail.gmail.com> <C5EF34CD-8408-490F-A460-6D392495D218@employees.org> <CALx6S35M_iZpm3jhAf4s4QSWHd-kdM4+4ZW-NeVqZtNiTpK0JQ@mail.gmail.com> <50C4484A-790A-4960-966D-E947B625AF3E@employees.org>
In-Reply-To: <50C4484A-790A-4960-966D-E947B625AF3E@employees.org>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 28 May 2019 09:26:50 -0700
Message-ID: <CALx6S369+y9-MoAzjfL17p-xcFSW5c62ykgBzaJEy5UpdBz0Bg@mail.gmail.com>
Subject: Re: Conflicting requirements for sending ICMPv6 and EH scan?
To: Ole Troan <otroan@employees.org>
Cc: 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MNKm6NhjJKE3p3Gc2pKqH7ATsl0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 16:27:05 -0000

On Tue, May 28, 2019 at 3:23 AM Ole Troan <otroan@employees.org> wrote:
>
> Tom,
>
> > The rfc4443 text you are quoting is from section 2.4. That deals with processing rules for ICMP messages. That is, you already know you have received an ICMP at that point.
> >
> > If you are looking at the corner case where someone sends you an ICMP message with an unparsable extension header chain, then you have to treat that as any other packet with unknown headers.
> >
> > Ole, here is an example scenario:
> >
> > A host receives a packet with a destination option whose type is unrecognized by the host. The high order bits of the option type indicate that an ICMP error should be sent in response to receiving an unknown option. But, per the text quoted from RFC4443, we are not permitted to send the ICMP error if the received packet was itself an ICMP error packet. At this point, we're only processing the destination options, so we don't know yet whether or not the received packet is ICMP-- the only way to determine that is to parse the packet beyond the destination options EH to find the transport protocol.
>
> But in the general case you cannot. And probably shouldn't either.

Ole,

Unless there's an unknown EH or the ICMP message is in ESP, this
algorithm should work pretty well. The only downside really is the
potential for a false negative where we couldn't determine the ICMP
message and send an error contrary to RFC4443. Conceptually, we could
eliminate the false negatives by parsing to find if the packet
contains a recognizable end transport protocol (TCP, UDP, SCTP, etc.)
and if we can't find one withhold the ICMP error. That would be closer
to conformance with RF4443 at the cost of more implementation
complexity and now false positives where we could have sent the ICMP
error but didn't.

> In this case the stack cannot know that it has received an ICMP message and the provisions in RFC4443 do not apply.

Strictly reading RFC4443, if we don't know rather the packet in error
is ICMP we can't send an ICMP error. So if we can't parse beyond an
extension header to determine if the packet is ICMP, we can never send
an ICMP error because of an extension header problem!

>
> Is there any case where an ICMP error message can include extension headers before the ICMP header?

Sure. There's no restrictions for using extension header headers with
ICMP. For example, when a host sends an ICMP error to some peer the
destination address is routed and the route lookup for that
destination may provide a routing header, hop-by-hop options, etc. We
don't typically do special routing for ICMP.

>
> If we allow that, you could indeed imagine a (very constructed) case, where host A sends host B an unparsable header chain ICMP, and host B responds with a different unparsable header chain ICMP.

Yep, that is a problem and presumably why RFC4443 mandates to not send
ICMP in response to ICMP errors.

Tom

>
> Best regards,
> Ole
>

v2.23.0 | Report a Bug | By Email