Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
Tom Herbert <tom@herbertland.com> Mon, 27 May 2019 20:28 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD8D2120099 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 13:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eAAHIGl9a5HF for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 13:28:16 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4056312006B for <ipv6@ietf.org>; Mon, 27 May 2019 13:28:16 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id m18so19455401qki.8 for <ipv6@ietf.org>; Mon, 27 May 2019 13:28:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0FAIlfuiZHwlPCfoZXCnF/mobYrJPU9eW6XdAPgLk2I=; b=K2+QWWbkwAl0Bxf8jdyWG/Dxk9i4ZnVVHZKBjYJLbOQJcXTEJcepD+W1qZWd1jD/9L kkq15O81c2QgYWVm3c5lbyMlvsBSUOV3uAfxfPKQE/tGFhbmXgJdRcy7s7Kfzj0X90m0 qTUt9joZUuMegOyMM/u19+D5mbakI40kbIAnlM6J5PRfZct+j48ILTCl0j0UjjsvrIdp fy2VWiTjZL+b8gUSmh2MTMQ5rZIzC6iQDpS84MckuIksEH0krMgVBMyODUqvHi9WfdGM myGa0SGGnbZwTpjQ72fcy1707truA7BLRaeWxJ/l3wg47VFNLWWvgUGODISXfqmZiOsh Akzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0FAIlfuiZHwlPCfoZXCnF/mobYrJPU9eW6XdAPgLk2I=; b=huBplYOJMqKODdTx0kidIT96/TUlflGYjsPP7fDmzW9GrxFYFY4Q0VqyqnOLNgx/pk MuqZlWzg3O2Gv+EUXDD8q/WMfVnTsvl04djmLvnjDLaV/Aw9KJtlQJM7bA1EV0r+EFKN RyagqifcZ6xJF2VucTPEmK/+j0d05+K2S3BI53twzOXan8FUK9UlGIbf8AWYKp3395dU O1cyjViuD8aBgM8nH2HH2/TjM8dVdJrMzZP1yWPKExjH7KM1BvvOniwgWNZNYtsBTp4a CSZd/6FCWksrMD0FpbmvWGOgk9n23as50Q6Nksf2s+4ZmeMfurBU5pbleESCaHxVJTlP migw==
X-Gm-Message-State: APjAAAUWUpLzbCTLl/F+P41kVvCpjZe+hBkF/wGtMtbvqL34dffIOPad qEUCCsLK5Dr5zTyWvOoK7v6OxGDOhhiGRDJXEMuoRlk3W8U=
X-Google-Smtp-Source: APXvYqz5hPLoruxv2ZVcUk5jH4TRbfnhbqnJD3j8lnkHcWBjciXCQS2OvtMFWfD3eZgNWz72dR9aIZalRFpaVBvKRws=
X-Received: by 2002:a05:620a:1329:: with SMTP id p9mr2853779qkj.224.1558988895209; Mon, 27 May 2019 13:28:15 -0700 (PDT)
MIME-Version: 1.0
References: <155864405637.8647.14887579664730161506@ietfa.amsl.com> <CALx6S35yGHr+Hh0xB8EKZbJZxbP39MeeFH1_veWPOGiR=bXi4w@mail.gmail.com> <de5b23e5-d960-f722-6636-1c1ebc1194cf@foobar.org>
In-Reply-To: <de5b23e5-d960-f722-6636-1c1ebc1194cf@foobar.org>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 27 May 2019 13:28:04 -0700
Message-ID: <CALx6S36RHQv0VfWhXZ0Xf82ONQdraRfjdqE+-mQBoes-F7ErbA@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
To: Nick Hilliard <nick@foobar.org>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/a_xbdfD3zilX2b-fXV02JVDJ5Lk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 20:28:19 -0000
On Mon, May 27, 2019 at 12:58 PM Nick Hilliard <nick@foobar.org> wrote: > > Tom, > > Overall this looks useful. > > Minor nits: > > > options in Type-length-value (TLV) format. Each option includes a > > length of the data field in octets, and the minimum size of an option > > (non-pad type) is two bytes and the maximum length is 257 bytes. > > rephrase as: > > > options in Type-length-value (TLV) format. Each option includes a > > length of the data field in octets: the minimum size of an option > > (non-pad type) is two octets and the maximum length is 257 octets. > > s/extensions headers/extension headers/ > > s/attack of extension headers-- many/attack of extension headers, many/ > > s/may be applied on the number/may be applied to the number/ > > s/hosts may institute limits on/hosts may implement limits for/ > > s/of a fixed sized/of a fixed size/ > > s/for Parameter Problem type/for Parameter Problem types/ > > s/chain exceeds it processing/chain exceeds its processing/ > > Can I suggest the following for the security consideration section? > > -- > 5 Security Considerations > > The security considerations for ICMPv6 described in [RFC4443] apply > to this document. > > A malicious actor could use crafted packets to trigger ICMPv6 error > replies described in this document, thereby allowing them to > discover configuration or hardware characteristics of an > intermediate node. If the intermediate node processes packets which > trigger extension header limit ICMPv6 error replies by processing > them in a slow path, then an attacker may be able to selectively > flood the slow-path packet processor or the specific slow-path > processing ingress queue, thereby affecting the packet processor's > ability to handle legitimate ICMPv6 error replies. > Hi Nick, Thanks for the comments. For your proposed security considerations text, is the problem of exposing hardware configuration specific to only these type of ICMP errors? Do we need to provide so much detail about the possible attack? Also I suspect that ICMP error processing is in slow path processing anyway and there are other ways to generate an ICMP flood, the bigger issue might be in divulging details about hardware capabilities of intermediate nodes to third parties in the ICMP error. How about text like this: "In some circumstances, the sending of ICMP errors could be exploited for denial of service attack or as a means to covertly deduce processing capabilities of nodes as a precursor to denial of service attack. As such, an implementation MAY allow configurable policy to rate limit or withhold sending of ICMP in environments where security of ICMP errors is an issue." Thanks, Tom > -- > > Nick > > Tom Herbert wrote on 24/05/2019 18:57: > > Hello, > > > > This is an update to ICMPv6 errors for processing limits. The material > > change is to add an "Option too big" Parameter Problem code. This is > > used used if a HBH or DO option length exceeds a limit, or the length > > consecutive padding in HBH or DO options list exceeds a limit. The > > recommended priority for reporting errors was also update accordingly. > > > > Thanks, > > Tom > > > > On Thu, May 23, 2019 at 1:42 PM <internet-drafts@ietf.org> wrote: > >> > >> > >> A New Internet-Draft is available from the on-line Internet-Drafts directories. > >> This draft is a work item of the IPv6 Maintenance WG of the IETF. > >> > >> Title : ICMPv6 errors for discarding packets due to processing limits > >> Author : Tom Herbert > >> Filename : draft-ietf-6man-icmp-limits-02.txt > >> Pages : 12 > >> Date : 2019-05-23 > >> > >> Abstract: > >> Network nodes may discard packets if they are unable to process > >> protocol headers of packets due to processing constraints or limits. > >> When such packets are dropped, the sender receives no indication so > >> it cannot take action to address the cause of discarded packets. This > >> document defines ICMPv6 errors that can be sent by a node that > >> discards packets because it is unable to process the protocol > >> headers. A node that receives such an ICMPv6 error may be able to > >> modify what it sends in future packets to avoid subsequent packet > >> discards. > >> > >> > >> The IETF datatracker status page for this draft is: > >> https://datatracker.ietf.org/doc/draft-ietf-6man-icmp-limits/ > >> > >> There are also htmlized versions available at: > >> https://tools.ietf.org/html/draft-ietf-6man-icmp-limits-02 > >> https://datatracker.ietf.org/doc/html/draft-ietf-6man-icmp-limits-02 > >> > >> A diff from the previous version is available at: > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-icmp-limits-02 > >> > >> > >> Please note that it may take a couple of minutes from the time of submission > >> until the htmlized version and diff are available at tools.ietf.org. > >> > >> Internet-Drafts are also available by anonymous FTP at: > >> ftp://ftp.ietf.org/internet-drafts/ > >> > >> -------------------------------------------------------------------- > >> IETF IPv6 working group mailing list > >> ipv6@ietf.org > >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > >> -------------------------------------------------------------------- > > > > -------------------------------------------------------------------- > > IETF IPv6 working group mailing list > > ipv6@ietf.org > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > -------------------------------------------------------------------- > >
- I-D Action: draft-ietf-6man-icmp-limits-02.txt internet-drafts
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Mark Smith
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert