IETF Logo Mail Archive

Re: Death by extension header

Fernando Gont <fgont@si6networks.com> Mon, 13 July 2020 20:03 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A8C3A081D for <ipv6@ietfa.amsl.com>; Mon, 13 Jul 2020 13:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JkQExZA_Gs5c for <ipv6@ietfa.amsl.com>; Mon, 13 Jul 2020 13:02:58 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D5C13A07B6 for <6man@ietf.org>; Mon, 13 Jul 2020 13:02:58 -0700 (PDT)
Received: from [IPv6:2800:810:464:1f7:603e:8516:bae8:27ff] (unknown [IPv6:2800:810:464:1f7:603e:8516:bae8:27ff]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 8DA0E280C3D; Mon, 13 Jul 2020 20:02:18 +0000 (UTC)
Subject: Re: Death by extension header
To: Tom Herbert <tom@herbertland.com>
Cc: Fernando Gont <fernando@gont.com.ar>, "6man@ietf.org" <6man@ietf.org>
References: <DM6PR05MB6348708352E1EE4421A61D63AE650@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S34e21BLHRfx+p7agrzzDsx-M-XxB6cZQnWc-d0wqSesRQ@mail.gmail.com> <20200710183228.GV42197@faui48f.informatik.uni-erlangen.de> <6fc66168-f04c-c23e-856c-5a61e1a28f5f@gont.com.ar> <CALx6S37T_7JYW=93iOhaHaq_Kw1CsaFc37sjT3Bo4Sx_wtbfqQ@mail.gmail.com> <c1ecb592-6e99-0dca-90c5-51a19b893af5@si6networks.com> <CALx6S36m75249_Gk33n-6ZEahfod6hi5snD0u07ZjCPhH0fj7Q@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <b512bd75-ffb7-23c8-8b87-ea1a40747616@si6networks.com>
Date: Mon, 13 Jul 2020 16:33:37 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CALx6S36m75249_Gk33n-6ZEahfod6hi5snD0u07ZjCPhH0fj7Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Qk1DxtjYUguRNfF-A_2HgMqOsM8>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 20:03:05 -0000

Hello, Tom,

On 13/7/20 15:53, Tom Herbert wrote:
[....]
> 
> Fernando,
> 
> draft-ietf-6man-icmp-limits-08 defines the ICMP errors for limits of
> number of options, length of extension headers, length of extension
> header chain, etc. However, I don't believe any default limits are
> suggested other than the RFC8504 limits.

Yep, that's what I meant.



> Wrt byte length, the most interesting limit with regards to routers is
> when the aggregate length of the header chain exceeds the size of the
> parsing buffer in the device. 

Indeed.


> As I understand it common lengths of
> parsing buffers are 128, 256, or 512 bytes. That might suggest the
> default minimum should be 128 bytes or maybe 256 bytes. That is, we
> would expect that routers should be able to process IP header,
> extension headers, and first four bytes of transport header (e.g. to
> get ports for ECMP) fit in the parsing buffer in the first N bytes of
> the packet. We can narrow this down if the standard is followed such
> that routers only process the IPv6 and HBH headers, intermediate
> destinations in a routing header only process headers through the
> routing header, and end hosts process all options.

Please see: 
https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops-03 . 
Folks need to look deeper. SO unless the entire length of the EH chain 
is limited, this problem will be faced.

Indeed, the longer the EH-chain length, the higher the chances of 
packets being dropped -- as per RFC7872 and others.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email