IETF Logo Mail Archive

Re: Death by extension header (was:RE: New Version Notification for draft-li-6man-hbh-fwd-hdr-00.txt)

Warren Kumari <warren@kumari.net> Fri, 10 July 2020 20:13 UTC

Return-Path: <warren@kumari.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A32DF3A0909 for <ipv6@ietfa.amsl.com>; Fri, 10 Jul 2020 13:13:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jayZzm0K4pJV for <ipv6@ietfa.amsl.com>; Fri, 10 Jul 2020 13:13:49 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C8453A0923 for <6man@ietf.org>; Fri, 10 Jul 2020 13:13:49 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id g2so3885595lfb.0 for <6man@ietf.org>; Fri, 10 Jul 2020 13:13:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PogRoUvEi14i04T+q7OrkR3lZt6EIXDXUacNFVDF7GM=; b=mVWM+xVF0wlIjuXi1wrww+2TAZQpuK+Dit/GHQX9SLM2U8+vcEP2TWWpDMS89V7YMX 6sF10l5Fpu+OlEyInqvPFuGNgkXHlaHarpBQh4ZpekXW/zGRoJQtM1dYERbPi5L4J96l ryEn5SS3X9ATrtcZZFWM3VaQNJsyI69tW5drjKz5n1iJNABvurMx7EKM73dTmhiU/dz3 +G1fyHTmZjOl5ZOUwJJJeOuTivu5ONJq1CHGqQsXYUoj4RGsFvErXm8wimvIAwB26hHY L/MJmTxEDp/6dt/PNwhtd5sQnJvv7ozt+WQzQzod5PXSJzl3qV8hIJQbtaesCDRI9lnN AK0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PogRoUvEi14i04T+q7OrkR3lZt6EIXDXUacNFVDF7GM=; b=mg6Wzs+8MkHTwspXRjL3i6Q/CkF+fDX/vjojJYKjC1q4b8QRH9SeCnMcL4j4W4uQYj /hPSntZ6eKvpgvVbSNJRJ5MFnE/PAauUilVYfVcKsP20C46LKniOoN7+7skO0WUBnm30 aL795UGRqaCIgGjX0Oak673oGBbHcBWBQcUgT9vgPzw6w7t7jTq+7eRhf0Fbksut2TpG Kp6kgu1KZKudAQbNKreX12U6EnU6D35oNqimAmxlOAm9ZTbFBo1lFiWBJZ6wbDJQ03sm MhEt3wY6LdytYgjgQF0qyJvv+MyBsvIEnFSFpRSpcgzi8Mp7bLvhqY0mfGBIMpwHBxvW Er3Q==
X-Gm-Message-State: AOAM532TIUd0brnqF2yEbUWT/Veh3UVTRWHksX6OHKsJrqM5Ui4LbMTQ otgWk3r2JiQEsxue7JRoVzArfZgsf9M0fse/HBO8uA==
X-Google-Smtp-Source: ABdhPJx5daFhVzyJJRURV+H3s1NKJZLiik0QEbcWzUCJ4GHnS1hEtI2aTm8xPsbvdXxEL/fg1AdbdogcGybki8X1Z0M=
X-Received: by 2002:a05:6512:31ce:: with SMTP id j14mr33468960lfe.200.1594412026974; Fri, 10 Jul 2020 13:13:46 -0700 (PDT)
MIME-Version: 1.0
References: <DM6PR05MB6348708352E1EE4421A61D63AE650@DM6PR05MB6348.namprd05.prod.outlook.com> <CALx6S34e21BLHRfx+p7agrzzDsx-M-XxB6cZQnWc-d0wqSesRQ@mail.gmail.com> <20200710183228.GV42197@faui48f.informatik.uni-erlangen.de>
In-Reply-To: <20200710183228.GV42197@faui48f.informatik.uni-erlangen.de>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 10 Jul 2020 16:13:10 -0400
Message-ID: <CAHw9_iJmXyCzQkiYWrF5sMMmBDj2heV5Tdm3WUqHShhgiY=L+g@mail.gmail.com>
Subject: Re: Death by extension header (was:RE: New Version Notification for draft-li-6man-hbh-fwd-hdr-00.txt)
To: Toerless Eckert <tte@cs.fau.de>
Cc: Tom Herbert <tom@herbertland.com>, "6man@ietf.org" <6man@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007e6b3205aa1bfa8b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/WlADMBpckuzdZw98CNxXBCRjm_A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 20:13:54 -0000

On Fri, Jul 10, 2020 at 2:32 PM Toerless Eckert <tte@cs.fau.de> wrote:

> IMHO: See my email earlier in the thread about punting stuff to slow-path,
> especially when/before
> you figure out that you should have just ignored something at linerarte.
>
> Aka: not sufficiently prescriptive RFCs + bad implementations == extension
> header based features killed in deployments.
>

Ah, that is my cue:
https://www.ietf.org/archive/id/draft-taylor-v6ops-fragdrop-02.txt (expired
in 2013) and
https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops-03 (expired
in 2016).

I'm sure that this is once again going to devolve into the standard "But
you shouldn't!!!! It kills puppies" vs "I have a network to run; I'm not
just going to let anything in" vs "Here is some real world data" thread.
Even with the spec changes, there is still ample evidence that deployed
hardware barfs on these, and so...

W



>
> Cheers
>     Toerless
>
> On Fri, Jul 10, 2020 at 11:29:10AM -0700, Tom Herbert wrote:
> > On Fri, Jul 10, 2020 at 11:18 AM Ron Bonica <rbonica@juniper.net> wrote:
> > >
> > > Tom,
> > >
> > > I am forking a new thread since this is not directly related to
> Shuping's draft.
> > >
> > > Any variable length extension header can be used in a DoS attack. So,
> if a node encounters a packet that satisfies any of the following criteria,
> it should discard the packet and send an ICMP message as described in
> https://tools.ietf.org/html/draft-herbert-6man-icmp-limits-03.
> > >
> > > - The extension header chain is longer than the node can process
> > > - An individual extension header is longer than the node can process
> > > - The total number of options contained by all instances of the HBH
> and Destination Options header exceeds the number or options that the node
> can process.
> > >
> >
> > Ron,
> >
> > Right, those are the ICMP errors for the allowance to drop or ignore
> > extension headers in section 5.3 of RFC8504, there's also default
> > limits suggested in that doc. Do you think this is sufficient in
> > routers to get past the DOS concern?
> >
> > Tom
> >
> > >
> Ron
> > >
> > >
> > >
> > > Juniper Business Use Only
> > >
> > > -----Original Message-----
> > > From: Tom Herbert <tom@herbertland.com>
> > > Sent: Friday, July 10, 2020 1:13 PM
> > > To: Ron Bonica <rbonica@juniper.net>
> > > Cc: Pengshuping (Peng Shuping) <pengshuping@huawei.com>; 6man@ietf.org
> > > Subject: Re: New Version Notification for
> draft-li-6man-hbh-fwd-hdr-00.txt
> > >
> > > [External Email. Be cautious of content]
> > >
> > >
> > > On Fri, Jul 10, 2020 at 7:59 AM Ron Bonica <rbonica=
> 40juniper.net@dmarc.ietf.org> wrote:
> > > >
> > > > Peng,
> > > >
> > > > While your solution may require refinement, I think that you have
> latched on to a problem that needs to be solved. HBH Options, as they were
> originally conceived in RFC 1883, are very useful.
> > > >
> > > > When IPv6 was first implemented on high-speed routers (circa 2000),
> HBH options were not yet well-understood and ASICs were not so capable as
> they are today. So, early IPv6 implementation dispatched all packet that
> contain HBH options to their slow path. In these implementations, a large
> flow of IPv6 packets could congest the slow path, causing other critical
> functions that are executed on the slow path to fail. These critical
> functions include routing and network management.
> > > >
> > > > To mitigate this DoS vulnerability, many operators deployed Access
> Control Lists (ACLs) that discard all packets containing HBH Options. This
> introduced a circular problem:
> > > >
> > > > - An implementation problem caused HBH to become a DoS vector
> > > > - Because HBH was a DoS vector, network operators deployed ACLs that
> > > > discard packets containing HBH
> > > > - Because network operators deployed ACLs that discard packets
> > > > containing HBH, network designers stopped defining new HBH Options
> > > > - Because network designers stopped defining new HBH Options, the
> > > > community was not motivated to fix the implementation problem that
> > > > cause HBH to become a DoS vector
> > > >
> > > > If we can fix the implementation problem that caused HBH to become a
> DoS vector, we can break this cycle and start using HBH Options.
> > > >
> > > Ron,
> > >
> > > I think there were "protocol problems" in the original design of HBH.
> > > The requirement that _all_ routers in the path process Hop-by-Hop
> options was in retrospect too austere, and the possibility that an attacker
> could stuff a packet with hundreds of bogus options, only limited by MTU,
> was, again in retrospect, a pretty obvious DOS vector.
> > > I believe these problems have been addressed in RFC8200 and RFC8504.
> > > We certainly welcome the feedback from router vendors whether these
> mitigations are sufficient to make HBH options deployable.
> > >
> > > Tom
> > >
> > > > Let's continue to work on a solution.
> > > >
> > > >                                                          Ron
> > > >
> > > >
> > > >
> > > > Juniper Business Use Only
> > > >
> > > > -----Original Message-----
> > > > From: ipv6 <ipv6-bounces@ietf.org> On Behalf Of Pengshuping (Peng
> > > > Shuping)
> > > > Sent: Thursday, July 2, 2020 12:07 PM
> > > > To: 6man@ietf.org
> > > > Subject: FW: New Version Notification for
> > > > draft-li-6man-hbh-fwd-hdr-00.txt
> > > >
> > > > [External Email. Be cautious of content]
> > > >
> > > >
> > > > Hi Folks,
> > > >
> > > > We have just uploaded a new draft aiming to analyze and tackle the
> issues faced by the Hop-by-Hop Options Header, which has been sparsely used
> without any form of large scale deployment.
> > > >
> > > > However, as IPv6 is being rapidly and widely deployed worldwide,
> more and more new services that requires hop-by-hop forwarding process
> behavior are emerging, and also the already defined over ten HBH Options
> are going to be used widely in practice.
> > > >
> > > > We look forward to hearing your feedback and comments, and try to
> release the benefits that could be provided by HBH Options header
> altogether.
> > > >
> > > > Best regards,
> > > > Shuping
> > > >
> > > > -----Original Message-----
> > > > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > > > Sent: Thursday, July 2, 2020 11:31 PM
> > > > To: Lizhenbin <lizhenbin@huawei.com>; Pengshuping (Peng Shuping)
> > > > <pengshuping@huawei.com>
> > > > Subject: New Version Notification for
> draft-li-6man-hbh-fwd-hdr-00.txt
> > > >
> > > >
> > > > A new version of I-D, draft-li-6man-hbh-fwd-hdr-00.txt has been
> successfully submitted by Shuping Peng and posted to the IETF repository.
> > > >
> > > > Name:           draft-li-6man-hbh-fwd-hdr
> > > > Revision:       00
> > > > Title:          Hop-by-Hop Forwarding Options Header
> > > > Document date:  2020-07-03
> > > > Group:          Individual Submission
> > > > Pages:          10
> > > > URL:
> https://urldefense.com/v3/__https://www.ietf.org/internet-drafts/draft-li-6man-hbh-fwd-hdr-00.txt__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgB-bqLrg$
> > > > Status:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-li-6man-hbh-fwd-hdr/__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgM5iPE22$
> > > > Htmlized:
> https://urldefense.com/v3/__https://tools.ietf.org/html/draft-li-6man-hbh-fwd-hdr-00__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgPvsH43l$
> > > > Htmlized:
> https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-li-6man-hbh-fwd-hdr__;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNTFnzgBQxbwZb$
> > > >
> > > >
> > > > Abstract:
> > > >    RFC8200 specifies the HBH header that is assumed to be processed
> by
> > > >    each hop in the delivery path of the packet.  However, RFC8200
> also
> > > >    expects that nodes processing the HBH header have been explicitly
> > > >    configured to do so.  Therefore, it cannot be assumed that a HBH
> > > >    header present in the packet is processed.  It all depends on the
> > > >    configuration of each node across the path.  Moreover, in most of
> > > >    networks today, the processing of the HBH header is done in the
> > > >    control plane (slow processing path) which incurs several
> limitations
> > > >    among which resources consumption and security risk.
> > > >
> > > >    For these reasons, over time, the Hop-by-Hop Options header has
> been
> > > >    sparsely used without any form of large scale deployment.  Also,
> most
> > > >    of already defined HBH options are forwarding options which
> contain
> > > >    forwarding plane information that needs not to be sent to the
> control
> > > >    plane.
> > > >
> > > >    This document proposes a new Hop-by-Hop Forwarding Options Header
> in
> > > >    order to carry Hop-by-Hop options that are solely intended to and
> > > >    processed by the forwarding plane.  This new HBH header is
> confined
> > > >    in and dedicated to the forwarding plane while the current HBH
> header
> > > >    can still be used for control plane options.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
> > > >
> > > > The IETF Secretariat
> > > >
> > > >
> > > > --------------------------------------------------------------------
> > > > IETF IPv6 working group mailing list
> > > > ipv6@ietf.org
> > > > Administrative Requests:
> > > >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
> > > >
> __;!!NEt6yMaO-gk!QoInpMGHwaC7LsKAVISa9A00dbzuCmO7S4CG2fZYHGYeOXYwVmtNT
> > > > FnzgEBbFhyl$
> > > > --------------------------------------------------------------------
> > > >
> > > > --------------------------------------------------------------------
> > > > IETF IPv6 working group mailing list
> > > > ipv6@ietf.org
> > > > Administrative Requests:
> > > >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/ipv6
> > > >
> __;!!NEt6yMaO-gk!Qu9y9Ou2SvlYIZjMQa3hBXcu08HG3W4BBIcFoOHCfp41HtkdIYuDs
> > > > XM8uyxPWt9N$
> > > > --------------------------------------------------------------------
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
> --
> ---
> tte@cs.fau.de
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf

v2.23.0 | Report a Bug | By Email