IETF Logo Mail Archive

RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

"Templin, Fred L" <Fred.L.Templin@boeing.com> Tue, 15 October 2013 13:56 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E795211E8128; Tue, 15 Oct 2013 06:56:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.488
X-Spam-Level:
X-Spam-Status: No, score=-6.488 tagged_above=-999 required=5 tests=[AWL=0.111, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97SLGiOri6Wk; Tue, 15 Oct 2013 06:56:19 -0700 (PDT)
Received: from stl-mbsout-01.boeing.com (stl-mbsout-01.boeing.com [130.76.96.169]) by ietfa.amsl.com (Postfix) with ESMTP id BDD2F11E8138; Tue, 15 Oct 2013 06:55:41 -0700 (PDT)
Received: from stl-mbsout-01.boeing.com (localhost.localdomain [127.0.0.1]) by stl-mbsout-01.boeing.com (8.14.4/8.14.4/DOWNSTREAM_MBSOUT) with ESMTP id r9FDtZU8027597; Tue, 15 Oct 2013 08:55:35 -0500
Received: from XCH-NWHT-11.nw.nos.boeing.com (xch-nwht-11.nw.nos.boeing.com [130.247.25.114]) by stl-mbsout-01.boeing.com (8.14.4/8.14.4/UPSTREAM_MBSOUT) with ESMTP id r9FDsT4b025711 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Tue, 15 Oct 2013 08:55:34 -0500
Received: from XCH-BLV-208.nw.nos.boeing.com (10.57.37.5) by XCH-NWHT-11.nw.nos.boeing.com (130.247.25.114) with Microsoft SMTP Server (TLS) id 8.3.327.1; Tue, 15 Oct 2013 06:55:24 -0700
Received: from XCH-BLV-504.nw.nos.boeing.com ([169.254.4.85]) by XCH-BLV-208.nw.nos.boeing.com ([169.254.8.27]) with mapi id 14.03.0158.001; Tue, 15 Oct 2013 06:55:24 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Ray Hunter <v6ops@globis.net>
Subject: RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
Thread-Topic: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
Thread-Index: AQHOySFFebc9KTehbEGO6mhunuAlj5n1xs+A
Date: Tue, 15 Oct 2013 13:55:23 +0000
Message-ID: <2134F8430051B64F815C691A62D9831812E34F@XCH-BLV-504.nw.nos.boeing.com>
References: <20131002185522.20697.96027.idtracker@ietfa.amsl.com> <2134F8430051B64F815C691A62D9831811EB23@XCH-BLV-504.nw.nos.boeing.com> <D1F5CE61-253E-4F07-AED1-4A4AB4C4AB68@employees.org> <2134F8430051B64F815C691A62D9831811EE66@XCH-BLV-504.nw.nos.boeing.com> <E29381FD-C839-4DBA-8711-3A4EBA83E379@employees.org> <2134F8430051B64F815C691A62D9831811EF1C@XCH-BLV-504.nw.nos.boeing.com> <5255D6EE.4050300@gmail.com> <2134F8430051B64F815C691A62D9831811F688@XCH-BLV-504.nw.nos.boeing.com> <5257AD5E.9090806@globis.net> <5257B870.1060003@si6networks.com> <2134F8430051B64F815C691A62D9831812C120@XCH-BLV-504.nw.nos.boeing.com> <52582F8B.8040306@si6networks.com> <52585658.50205@gmail.com> <2134F8430051B64F815C691A62D9831812C654@XCH-BLV-504.nw.nos.boeing.com> <52587EB8.4020506@gmail.com> <f0df0113f68045a1bdadf0155eae5e34@CO1PR05MB442.namprd05.prod.outlook.com> <2134F8430051B64F815C691A62D9831812D72D@XCH-BLV-504.nw.nos.boeing.com> <525C5CDE.3000604@globis.net>
In-Reply-To: <525C5CDE.3000604@globis.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.247.104.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Cc: "ietf@ietf.org" <ietf@ietf.org>, 6man Mailing List <ipv6@ietf.org>, Fernando Gont <fgont@si6networks.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Oct 2013 13:56:29 -0000

Hi Ray,

> -----Original Message-----
> From: Ray Hunter [mailto:v6ops@globis.net]
> Sent: Monday, October 14, 2013 2:07 PM
> To: Templin, Fred L
> Cc: Ronald Bonica; Brian E Carpenter; Fernando Gont; 6man Mailing List;
> ietf@ietf.org
> Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt>
> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
> 
> > Templin, Fred L <mailto:Fred.L.Templin@boeing.com>
> > 14 October 2013 19:39
> > Hi Ron,
> >
> >> -----Original Message-----
> >> From: Ronald Bonica [mailto:rbonica@juniper.net]
> >> Sent: Saturday, October 12, 2013 7:07 PM
> >> To: Brian E Carpenter; Templin, Fred L
> >> Cc: Fernando Gont; 6man Mailing List; ietf@ietf.org; Ray Hunter
> >> Subject: RE: Last Call: <draft-ietf-6man-oversized-header-chain-
> 08.txt>
> >> (Implications of Oversized IPv6 Header Chains) to Proposed Standard
> >>
> >> +1
> >>
> >> Is there a way to decouple this discussion from draft-ietf-6man-
> >> oversized-header-chain? I would be glad to discuss it in the context
> of
> >> a separate draft.
> >
> > I don't know if there is a way to decouple it. I believe I have shown
> > a way to not mess up tunnels while at the same time not messing up
> your
> > draft. That should be a win-win. In what way would imposing a 1K
> limit
> > on the IPv6 header chain not satisfy the general case?
> >
> > Thanks - Fred
> > fred.l.templin@boeing.com
> 
> This draft may not go as far as you'd like (e.g. specifying a hard
> limit
> on header length as some proportion of MTU), and I'm also aware of the
> issue of MTU fragmentation and nested tunnels, but I'm still not clear
> on how this draft specifically "messes up tunnels."
>
> Can you explain what specific text in the current draft you consider
> harmful?

That hosts would be permitted to send MTU-sized header chains.

> And why that couldn't be dealt with in a later draft (that imposes
> additional limits on header chains in specific scenarios)?

Once a spec says that a host is permitted to send MTU-sized header
chains the die is cast and no later draft will be able to undo it.
The host has no idea that there may be one or more tunnels in the
path, and so has no way of knowing to alter its behavior to be
kind to tunnels.

That, plus the fact that attackers will be able to craft packets
intended to fool middleboxes by sending a fragmented tunneled
packet with the "good" part of the header chain in the first
fragment and the "bad" part of the header chain in the second
fragment.

Thanks - Fred
fred.l.templin@boeing.com


> Thanks.
> 
> 
> >
> >>                                                              Ron
> >>
> >>
> >>>> So, it wasn't necessarily the case that 1280 was a product of
> >>>> "thoughtful analysis" so much as the fact that **they were rushing
> >> to
> >>>> get a spec out the door**. So now, 16 years later, we get to put
> it
> >>>> back on the 6man charter milestone list.
> >>> We could have that discussion in 6man, sure, but I don't believe
> that
> >>> it's relevant to the question of whether draft-ietf-6man-oversized-
> >>> header-chain
> >>> is ready. This draft mitigates a known problem in terms of the
> >> current
> >>> IPv6 standards.
> >>>
> >
> >
> 
> --
> Regards,
> RayH

v2.34.0 | Report a Bug | By Email | System Status