IETF Logo Mail Archive

Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt

Mark Smith <markzzzsmith@gmail.com> Sun, 13 October 2019 01:50 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 550DC1200F3 for <ipv6@ietfa.amsl.com>; Sat, 12 Oct 2019 18:50:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xwmjFoiMWQLb for <ipv6@ietfa.amsl.com>; Sat, 12 Oct 2019 18:50:06 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A41EC120099 for <ipv6@ietf.org>; Sat, 12 Oct 2019 18:50:06 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id o44so11079913ota.10 for <ipv6@ietf.org>; Sat, 12 Oct 2019 18:50:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=pFmwM1HkrqG52fDlLsdm6n5sb0SrchyjzOo3i258KJY=; b=FSH8eSQTEPE5RBeqiFg3q9xOVRkf8Bs7+1oDsPuVRcp/L+Vl3DaaWxsMC7pzxuKteA /N095POI76TtfNubtNbwz4IK+fZ6bcY7m7+A7Xp9AZ4pmCbSI7FfrLFO1cVIgPb8eCJQ bEguZMEKjt4Fa6hpthLCUtbMOtsZClveZMHuzTltpBrb4W/fuohyUviELala3ESl6KRe Ryo0BjD5w+pRkX8IxcHjhuujRRx4QYH0Adq16olw82vyEif3t0Cbdvn4KO07EXVqBHlg rJBN4p8lZf3QUlQD+h6p1WuwjzIz/hyOr+pNnHI6kjnxKRJg7Q6qeYKv/Tzyun1YpnBJ /tbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=pFmwM1HkrqG52fDlLsdm6n5sb0SrchyjzOo3i258KJY=; b=QjFAg8o5R0i2YnfrHO0So4zAa0LDQAYojYvSnZe+sgV0mZgrmU2+rpwCw7QzlGUAb+ qwSq3NfHXbPwhh4IKMFQW2eJvJCf9GRzbNy9cfsb8sxsL6uKUuT3NDbLCy2wRnCGxy2V G1/MO0DZ6Jjls4dwlVnZ7a+8nrA74G8uQ6AkhcTGcWDof7UOr1YHUXJ0Qg0RKUO3sy4s nOadIghP3gUYGryNbW+Gik0vO9WybecuiSi2PSjGoTPXvPbEnkyfEiulUJQLENjgInmn sprVrE9cDESLi6aEXScETqBA0In6FArmIfINTHHDxzbWSzhpue8JaLO8XkNT4TdkEXoR LapQ==
X-Gm-Message-State: APjAAAXmFziyNtv3ITlG2uYrhHeAZooUbWyvFmqtRmyoRHJjI6ZBnAAM 6Ps00YHRUNt2sB0MoNqPs+OLTyALk0eAPyQbMNc=
X-Google-Smtp-Source: APXvYqzLN8N6qh75Y6CR7/SV6+4vvTKFSRJTo1kPE01DRn0qsXVKf4P48qriTWdjJdeytC0o7HyfrGRVoEGBOhO54MY=
X-Received: by 2002:a9d:4d0d:: with SMTP id n13mr19856749otf.74.1570931405837; Sat, 12 Oct 2019 18:50:05 -0700 (PDT)
MIME-Version: 1.0
References: <157059901123.30422.11220423219059958820@ietfa.amsl.com> <362b80f7-fedc-7227-2931-0006e6b81812@gmail.com>
In-Reply-To: <362b80f7-fedc-7227-2931-0006e6b81812@gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sun, 13 Oct 2019 12:49:39 +1100
Message-ID: <CAO42Z2yEUDt7DemYHE_vVmWx3GxHXRrVy0C-9TcV79oYOEf_8Q@mail.gmail.com>
Subject: Re: I-D Action: draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/RQKbfFHjaYI27SWKuyeRrm_egYk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Oct 2019 01:50:09 -0000

Hi Brian,

On Sun, 13 Oct 2019 at 09:15, Brian E Carpenter
<brian.e.carpenter@gmail.com> wrote:
>
> Hi Mark,
>
> As you have no doubt seen, the active proposal for EH insertion (draft-voyer-) states that the source and destination addresses of packets subject to insertion both lie within a controlled domain.
> Now while draft-carpenter-limited-domains calls for secure mechansims for determining whether a node is inside or on the border of a domain, it seems to me that address scope (and therefore routing scope) is today the state of the art for that. Of course you're correct that configured scope is subject to human error, but that already has very serious consequences, especially BGP misconfigurations. I think that draft-voyer-6man-extension-header-insertion-07 (not the earlier versions) is resistant to your arguments. It certainly does not describe the use case you give at https://tools.ietf.org/html/draft-smith-6man-in-flight-eh-insertion-harmful-00#section-3 .
>
> EH insertion for packets that traverse the open Internet is certainly harmful and violates RFC 8200. draft-voyer-6man-extension-header-insertion-07 does not propose that.

Yes, they've mitigated leaking by enclosing in a tunnelling header
with local network addresses. However, that's now being used to ignore
problems with EH insertion when used with an outer IPv6 tunnel packet.
The processing of the IPv6 tunnel packet is now not compliant with RFC
8200. The Source Address field is a lie after the first mid-tunnel SRH
insertion.

Many of the the problems in the EH insertion considered harmful draft
occur whether or not the IPv6 packet happens to have a payload that is
also another IPv6 packet.

Regards,
Mark.

>
> Regards
>    Brian Carpenter
>
> On 09-Oct-19 18:30, internet-drafts@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >
> >
> >         Title           : In-Flight IPv6 Extension Header Insertion Considered Harmful
> >         Author          : Mark Smith
> >       Filename        : draft-smith-6man-in-flight-eh-insertion-harmful-00.txt
> >       Pages           : 10
> >       Date            : 2019-10-08
> >
> > Abstract:
> >    In the past few years, as well as currently, there have and are a
> >    number of proposals to insert IPv6 Extension Headers into existing
> >    IPv6 packets while in flight.  This contradicts explicit prohibition
> >    of this type of IPv6 packet proccessing in the IPv6 standard.  This
> >    memo describes the possible failures that can occur with EH
> >    insertion, the harm they can cause, and the existing model that is
> >    and should continue to be used to add new information to an existing
> >    IPv6 and other packets.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-smith-6man-in-flight-eh-insertion-harmful/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-smith-6man-in-flight-eh-insertion-harmful-00
> > https://datatracker.ietf.org/doc/html/draft-smith-6man-in-flight-eh-insertion-harmful-00
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > I-D-Announce mailing list
> > I-D-Announce@ietf.org
> > https://www.ietf.org/mailman/listinfo/i-d-announce
> > Internet-Draft directories: http://www.ietf.org/shadow.html
> > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> >

v2.23.0 | Report a Bug | By Email