IETF Logo Mail Archive

RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

"Templin, Fred L" <Fred.L.Templin@boeing.com> Mon, 07 October 2013 18:13 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B94111E8109; Mon, 7 Oct 2013 11:13:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZ6HgwJ1BXjV; Mon, 7 Oct 2013 11:13:36 -0700 (PDT)
Received: from slb-mbsout-01.boeing.com (slb-mbsout-01.boeing.com [130.76.64.128]) by ietfa.amsl.com (Postfix) with ESMTP id D592521F9FEE; Mon, 7 Oct 2013 11:13:28 -0700 (PDT)
Received: from slb-mbsout-01.boeing.com (localhost.localdomain [127.0.0.1]) by slb-mbsout-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with ESMTP id r97IDSkk027794; Mon, 7 Oct 2013 11:13:28 -0700
Received: from XCH-NWHT-01.nw.nos.boeing.com (xch-nwht-01.nw.nos.boeing.com [130.247.70.222]) by slb-mbsout-01.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id r97IDRNQ027784 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Mon, 7 Oct 2013 11:13:28 -0700
Received: from XCH-BLV-303.nw.nos.boeing.com (130.247.25.215) by XCH-NWHT-01.nw.nos.boeing.com (130.247.70.222) with Microsoft SMTP Server (TLS) id 8.3.327.1; Mon, 7 Oct 2013 11:13:27 -0700
Received: from XCH-BLV-504.nw.nos.boeing.com ([169.254.4.29]) by XCH-BLV-303.nw.nos.boeing.com ([169.254.3.177]) with mapi id 14.02.0328.011; Mon, 7 Oct 2013 11:13:26 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: "ietf@ietf.org" <ietf@ietf.org>, IETF-Announce <ietf-announce@ietf.org>
Subject: RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
Thread-Topic: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
Thread-Index: AQHOv6KmVHjrcZv7kkeUppI3Iq7lo5nk+jmggASVUyA=
Date: Mon, 07 Oct 2013 18:13:26 +0000
Message-ID: <2134F8430051B64F815C691A62D9831811BDD3@XCH-BLV-504.nw.nos.boeing.com>
References: <20131002185522.20697.96027.idtracker@ietfa.amsl.com> <2134F8430051B64F815C691A62D9831811AEFC@XCH-BLV-504.nw.nos.boeing.com>
In-Reply-To: <2134F8430051B64F815C691A62D9831811AEFC@XCH-BLV-504.nw.nos.boeing.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.247.104.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2013 18:13:41 -0000

Hi, I would like to make a small amendment to what I said in my
previous message as follows:

4) Section 5, change the final paragraph to:

   "As a result of the above mentioned requirements, a packet's header
   chain length MUST fit within the Path MTU associated with its
   destination.  Hosts MAY discover the Path MTU, using procedures such
   as those defined in [RFC1981] and [RFC4821]. However, if a host does
   not discover the Path MTU, it MUST assume the IPv6 minumum MTU of
   1280 bytes [RFC2460]. The host MUST then limit each packet's header
   chain length to the Path MTU minus 256 bytes in case additional
   encapsulation headers are inserted by tunnels on the path."

Thanks - Fred
fred.l.templin@boeing.com

> -----Original Message-----
> From: ietf-bounces@ietf.org [mailto:ietf-bounces@ietf.org] On Behalf Of
> Templin, Fred L
> Sent: Friday, October 04, 2013 1:42 PM
> To: ietf@ietf.org; IETF-Announce
> Cc: ipv6@ietf.org
> Subject: RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
> 
> Hi, I have a concern about this document. In the definition of "IPv6
> Header Chain", it says:
> 
>   "However, if a second IPv6 header appears in the header chain, as
>    is the case when IPv6 is tunneled over IPv6, the second IPv6
>    header is considered to be an upper-layer header and terminates
>    the header chain."
> 
> This means that stateless firewalls are being directed to discontinue
> extension header parsing when a first encapsulated IPv6 header is
> encountered - even though there may be many more parsable (inner)
> headers that follow. As a result, the firewall would either have to
> drop or forward the packet without examining the true upper layer
> header. This may result in an incorrect perception that tunneled
> traffic is either less reliable or more dangerous than non-tunneled
> traffic.
> 
> Here are my suggested changes to address this issue:
> 
> 1) Section 3, under "IPv6 Header Chain", change:
> 
>   "However, if a second IPv6 header appears in the header chain, as
>    is the case when IPv6 is tunneled over IPv6, the second IPv6
>    header is considered to be an upper-layer header and terminates
>    the header chain."
> 
> to:
> 
>   "However, if a second IPv6 header appears in the header chain, as
>    is the case when IPv6 is tunneled over IPv6, the second IPv6
>    header is optionally considered to be either an upper-layer header
>    that terminates the header chain or another extension header that
>    continues the chain."
> 
> 2) Section 3, under "Upper-layer Header", change:
> 
>   "In the general case, the upper-layer header is the first member
>    of the header chain that is neither an IPv6 header nor an IPv6
>    extension header."
> 
> to:
> 
>   "In the general case, the upper-layer header is the first member
>    of the header chain that is not considered to be an extension
> header."
> 
> 3) Section 3, under "Upper-layer Header", delete the following
> sentence:
> 
>   "However, if either an ESP header, or a second IPv6 header occur in
>    the header chain, they are considered to be upper layer headers and
>    they terminate the header chain."
> 
> 4) Section 5, change the final paragraph to:
> 
>   "As a result of the above mentioned requirements, a packet's header
>    chain length cannot exceed the Path MTU associated with its
>    destination.  Hosts MAY discover the Path MTU, using procedures such
>    as those defined in [RFC1981] and [RFC4821].  However, if a host
> does
>    not discover the Path MTU, it MUST limit the header chain length to
>    1024 bytes.  Limiting the header chain length to 1024 bytes ensures
>    that the header chain length does not exceed the IPv6 minimum MTU
>    [RFC2460] even if additional encapsulation headers are inserted by
>    tunnels on the path."
> 
> Thanks - Fred
> Fred.l.templin@boeing.com
> 
> 
> 
> 
> > -----Original Message-----
> > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf
> Of
> > The IESG
> > Sent: Wednesday, October 02, 2013 11:55 AM
> > To: IETF-Announce
> > Cc: ipv6@ietf.org
> > Subject: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
> > (Implications of Oversized IPv6 Header Chains) to Proposed Standard
> >
> >
> > The IESG has received a request from the IPv6 Maintenance WG (6man)
> to
> > consider the following document:
> > - 'Implications of Oversized IPv6 Header Chains'
> >   <draft-ietf-6man-oversized-header-chain-08.txt> as Proposed
> Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> > final comments on this action. Please send substantive comments to
> the
> > ietf@ietf.org mailing lists by 2013-10-16. Exceptionally, comments
> may
> > be
> > sent to iesg@ietf.org instead. In either case, please retain the
> > beginning of the Subject line to allow automated sorting.
> >
> > Abstract
> >
> >
> >    The IPv6 specification allows IPv6 header chains of an arbitrary
> >    size.  The specification also allows options which can in turn
> > extend
> >    each of the headers.  In those scenarios in which the IPv6 header
> >    chain or options are unusually long and packets are fragmented, or
> >    scenarios in which the fragment size is very small, the first
> >    fragment of a packet may fail to include the entire IPv6 header
> >    chain.  This document discusses the interoperability and security
> >    problems of such traffic, and updates RFC 2460 such that the first
> >    fragment of a packet is required to contain the entire IPv6 header
> >    chain.
> >
> >
> >
> >
> > The file can be obtained via
> > http://datatracker.ietf.org/doc/draft-ietf-6man-oversized-header-
> chain/
> >
> > IESG discussion can be tracked via
> > http://datatracker.ietf.org/doc/draft-ietf-6man-oversized-header-
> > chain/ballot/
> >
> >
> > No IPR declarations have been submitted directly on this I-D.
> >
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------

v2.35.0 | Report a Bug | By Email | System Status