IETF Logo Mail Archive

Re: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt

Gorry Fairhurst <gorry@erg.abdn.ac.uk> Thu, 10 June 2021 08:05 UTC

Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48DB43A3946 for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 01:05:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dZv4nmfmCEKJ for <ipv6@ietfa.amsl.com>; Thu, 10 Jun 2021 01:05:07 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [137.50.19.135]) by ietfa.amsl.com (Postfix) with ESMTP id 0102A3A3945 for <ipv6@ietf.org>; Thu, 10 Jun 2021 01:05:06 -0700 (PDT)
Received: from Gorrys-13-Work.lan (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id 063D11B0023D; Thu, 10 Jun 2021 09:04:58 +0100 (BST)
Subject: Re: Fwd: New Version Notification for draft-hinden-6man-hbh-processing-01.txt
To: Fernando Gont <fernando.gont@edgeuno.com>, "bob.hinden@gmail.com" <bob.hinden@gmail.com>, "ipv6@ietf.org" <ipv6@ietf.org>
References: <162265842779.4095.2393609365780372735@ietfa.amsl.com> <E5A31CCD-104D-4B92-9730-4FCFBF191F46@gmail.com> <17adf4b21d428d051e390574e976e3f61aee33c0.camel@edgeuno.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Message-ID: <c995799c-194e-6432-a54d-3b5f557730e1@erg.abdn.ac.uk>
Date: Thu, 10 Jun 2021 09:04:58 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.10.2
MIME-Version: 1.0
In-Reply-To: <17adf4b21d428d051e390574e976e3f61aee33c0.camel@edgeuno.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/YMQX2BPrma-drEaC2uGa4d53_ng>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2021 08:05:12 -0000

Hi Fernando,


On 10/06/2021 08:40, Fernando Gont wrote:

> Hi, Bob & Gorry,
>
> Some comments:
>
> * Section 4, page 4:
>
> >  The changes meant that an implementation complied with the IPv6
> >  specification even if it did not process hop-by-hop options, and
> > that
> >  it was expected that routers would add configuration information to
> >  control which hop-by-hop options they would process.
>
> The way I interpret RFC8200 is that a router is configured whether it
> needs to process the HbH header in the first place, rather than whether
> to process specific options.
>
I see, I don't see RFC8200 as saying whether this has to be a global 
"switch"

to disable processing, or whether it allows configuration that can result

in disabling. This ID intends to update and clarify that aspect.

>
> * Section 4, page 5:
>
> >    There has been research that discussed the general problem with
> >    dropping packets containing IPv6 extension headers, including the
> >    Hop-by-Hop Options header.  For example [Hendriks] states that
> >    "dropping all packets with Extension Headers, is a bad practice"
>
> Given the number of vulnerabilities associated with the processing of
> IPv6 EHs, and that it's a feature that is largely unused, the converse
> is probably true.
>
I thought you'd say so. However, this is a proposal to simplify the method

and to enable them to be used. I don't agree that this is generally 
unsupported

and I suggest yoy

>
> * Section 4, page 5:
>
> This discussion misses an important point/aspect: the lgnth of the IPv6
> header chain. e.g., asking nodes to support a single HbH option if such
> option is, say, 256 bytes, will still be unfeasible.
>
Are you saying the first option (HBH has to be first), is not within the

first 256 bytes? I don't understand.

>
> * Section 5.1, page 6:
> > [RFC8200] also requires
> >    that a Hop-by-Hop Options header can only appear once in a packet.
>
>
> This doesn't seem accurate. RFC8200 states:
>
>    IPv6 nodes must accept and attempt to process extension headers in
>    any order and occurring any number of times in the same packet,
>    except for the Hop-by-Hop Options header, which is restricted to
>    appear immediately after an IPv6 header only.  Nonetheless, it is
>    strongly advised that sources of IPv6 packets adhere to the above
>    recommended order until and unless subsequent specifications revise
>    that recommendation.
>
> i.e., there's a recommendation to send only one HbH, but still required
> to process all received. (cursed by the robustness principle, if you
> wish :-) )
>
The proposed ID targets PS to change this.

> * Section 5.2, page 6:
>
> >    If the node can not process an option in the Fast Path, it MUST
> >    behave as if it does not recognize the Option Type (as described
> > in
> >    the next paragraph).
>
> My take is that a router that wouldn't be able to process options in
> the fast-path wouldn't even bother to parse the contents of the HbH in
> the first place....
>
I think we can trip-up easily on slow path and fast path terms, as we have

seen on this list.

>
> * Section 5.3, page 8:
>
> >       The Router Alert Option is a problem since it's function is to
> > do
> >       what this specification is proposing to eliminate, that is,
> >       process the packet in the Slow Path.  One approach would be to
> >       deprecate it as it's usage appears to be limited and packets
> >       containing Hop-by-Hop options are frequently dropped.
>
> Nore: This option is employed for MLD packets, which result from ND
> using multicast. In such scenarios (MLD is link-local) packets survive
> -- cause they don't need to be forwarded in the first place. Whether
> using RAO for MLD (or whether MLD itself) is a good idea, is a
> different question... ;-)
Sure, isn't a Router Alert also used hop-by-hop with MPLS, RSVP for QoS, 
and other methods?

> * Section 5.3, page 8:
>
>
> >    A Fast Path implementation SHOULD verify that a Router Alert
> > contains
> >    a protocol, as indicated by the Value field in the Router Alert
> >    option, that is configured as a protocol of interest to that
> > router.
> >    A verified packet SHOULD be sent on the Slow Path for processing
> >    [RFC6398].
>
> If the device knows it's not using a protocol that may need to rely on
> RAOs, why should the device parse, say, RAOs in the first place?
>
I'm OK with what you say.
>
> * Section 6, page 9:
> >    Any new IPv6 Hop-by-Hop option designed in the future should be
> >    designed to be processed in the Fast Path.  New options MUST NOT
> > be
> >    defined that require Slow Path processing.  New Hop-by-Hop options
> >    SHOULD have the following characteristics:
>
> >    *  Straight forward to process.  That is, they should be designed
> > to
> >       keep the time to process low.
>
> >    *  Fixed size in 8-octet units.  Specifically any new Hop-by-Hop
> >       options should not be variable size that could extend beyond
> > what
> >       can be executed in the Fast Path.
>
> This is missing the overall option length.
>
>
> * Section 8, page 10:
>
> >    Security issues with IPv6 Hop-by-Hop options are well known and
> > have
> >    been documented in several places, including [RFC6398], [RFC6192],
> >    and [I-D.ietf-v6ops-ipv6-ehs-packet-drops].  The main issue, as
> > noted
> >    in Section 4, is that any mechanism that can be used to force
> > packets
> >    into the router's Slow Path can be exploited as a denial of
> > service
> >    attack on a transit router by saturating the resources need for
> >    router management protocols (e.g., routing protocols, network
> >    management protocols, etc.) that may cause the router to
> > fail.  Due
> >    to this it's common for transit routers to drop packets with Hop-
> > by-
> >    Hop options headers.
>
> This discussion missess to note and acknowledge that there is a general
> issue associated with IPv6 extension headers.
>
> HbH has extra problems. But there are other general issues that apply
> to all EHs, and not just HbH.
>
>
> * Section 8, page 10:
>
> >    *  Limited the default number of Hop-by-Hop options that that can
> > be
> >       in a packet to a single Hop-by-Hop option.
>
> If you are pursuing that path, you should also limite the overall IPv6
> header chain length. That;s probably even more important than limiting
> the number of EHs or number of HbH options.
>
Why does that impact the ability to process a HBH-O in a router?
>
> Thanks!
>
> Regards,

Best wishes,

Gorry

v2.23.0 | Report a Bug | By Email