Re: IPv6 Type 0 Routing Header issues
Mohacsi Janos <mohacsi@niif.hu> Wed, 25 April 2007 07:41 UTC
Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hgc7k-0007tP-U2; Wed, 25 Apr 2007 03:41:12 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hgc7j-0007tE-IC for ipv6@ietf.org; Wed, 25 Apr 2007 03:41:11 -0400
Received: from mail.ki.iif.hu ([193.6.222.241]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hgc7j-0000Qb-67 for ipv6@ietf.org; Wed, 25 Apr 2007 03:41:11 -0400
Received: by mail.ki.iif.hu (Postfix, from userid 1003) id DB6945651; Wed, 25 Apr 2007 09:41:09 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id D9F2A5650; Wed, 25 Apr 2007 09:41:09 +0200 (CEST)
Date: Wed, 25 Apr 2007 09:41:09 +0200
From: Mohacsi Janos <mohacsi@niif.hu>
X-X-Sender: mohacsi@mignon.ki.iif.hu
To: "George V. Neville-Neil" <gnn@neville-neil.com>
In-Reply-To: <m2mz0xp6je.wl%gnn@neville-neil.com>
Message-ID: <20070425093402.A30586@mignon.ki.iif.hu>
References: <462D4706.4000504@spaghetti.zurich.ibm.com> <462E7AB4.3050807@piuha.net> <m2mz0xp6je.wl%gnn@neville-neil.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 41c17b4b16d1eedaa8395c26e9a251c4
Cc: v6ops@ops.ietf.org, ipv6@ietf.org, IPv6 Ops list <ipv6-ops@lists.cluenet.de>
Subject: Re: IPv6 Type 0 Routing Header issues
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org
Hi All, I think this is not a solution. The problems of routing header type 0 well know by the community since long time. This has been documented for more than 2-3 years know (raised 4 years ago). Are there any consensus, that type 0 routing header should be deprecated? Until that it is documented to be filtered if there is no need for it. The current patch provided by OpenBSD/FreeBSD makes *BSD IPv6 implemenation non-conformant to standard. I would rather focus on pf changes - allow filtering based on the routing header type. Currently you can filter based existence/non-existence of routing header type. This is currently clearly not enough.... Regards, Janos Mohacsi Network Engineer, Research Associate, Head of Network Planning and Projects NIIF/HUNGARNET, HUNGARY Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882 On Wed, 25 Apr 2007, George V. Neville-Neil wrote: > At Wed, 25 Apr 2007 00:46:28 +0300, > Jari Arkko wrote: >> >> >>> Just in case folks are missing out on this, find below a rather nasty >>> security issue. >>> >> >> I cannot say that this is a big surprise, even if the specific attack >> is news to me and it has a major impact. Some issues with Type 0 >> have been known for years; I think draft-savola-ipv6-rh-ha was the >> first to report these. RFC 4294 warns of the issues and RFC 3775 >> design was based on the idea of avoiding Type 0 because it >> was felt that at some point Type 0 would likely be filtered due >> to its problems. Also, draft-ietf-v6ops-security-overview was recently >> approved. It notes, among other things that "it may be desirable >> to forbid or limit the processing of Type 0 Routing Headers >> in hosts and some routers." >> >> So I think we should take that advice and modify the stacks that >> do not do the right thing today. A good first approximation is >> to add a configuration knob for processing Type 0 headers >> in both hosts and routers, with default set to off. Better >> firewall support for doing this would also be needed (without >> disabling use of Type 2, of course). >> > > FreeBSD has already committed patches disabling the processing of > route header option 0 by default in all 3 of the currently shipping > branches (HEAD, 6-STABLE and 5-STABLE). > >> But we at the IETF also need to draw a conclusion about the >> state of Type 0. This feature needs to be retired. > > The sooner that decision is made the better. Those of us working on > the stacks would like to remove this processing if the feature is > retired. > > Best, > George Neville-Neil > (FreeBSD Security Team and Core Member) > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- IPv6 Type 0 Routing Header issues Jeroen Massar
- Re: IPv6 Type 0 Routing Header issues Jari Arkko
- Re: IPv6 Type 0 Routing Header issues George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues Mohacsi Janos
- Re: IPv6 Type 0 Routing Header issues David Malone
- Re: IPv6 Type 0 Routing Header issues Remi Denis-Courmont
- Re: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino
- Re: IPv6 Type 0 Routing Header issues Paul Vixie
- Re: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino
- Re: IPv6 Type 0 Routing Header issues Rob Austein
- Re: IPv6 Type 0 Routing Header issues Tim Enos
- Question for IPv6 w.g. on [Re: IPv6 Type 0 Routin… Bob Hinden
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Perry Lorier
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Brian E Carpenter
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… David Malone
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… David Malone
- Re: IPv6 Type 0 Routing Header issues Ed Jankiewicz
- Re: IPv6 Type 0 Routing Header issues Gert Doering
- Re: IPv6 Type 0 Routing Header issues Gert Doering
- RE: IPv6 Type 0 Routing Header issues Manfredi, Albert E
- RE: IPv6 Type 0 Routing Header issues Tony Hain
- RE: IPv6 Type 0 Routing Header issues Tony Hain
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Tony Hain
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… james woodyatt
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… james woodyatt
- Re: IPv6 Type 0 Routing Header issues George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues Alun Evans
- Re: IPv6 Type 0 Routing Header issues Jeroen Massar
- Re: IPv6 Type 0 Routing Header issues David Malone
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: IPv6 Type 0 Routing Header issues Ebalard, Arnaud
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Ignatios Souvatzis
- itojun2.0 (RE: IPv6 Type 0 Routing Header issues) Jun-ichiro itojun Hagino 2.0
- Re: itojun2.0 (RE: IPv6 Type 0 Routing Header iss… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jari Arkko
- RE: IPv6 Type 0 Routing Header issues Manfredi, Albert E
- RE: IPv6 Type 0 Routing Header issues Tony Hain
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Dave Thaler
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Tim Hartrick
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- RE: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Theo de Raadt
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Bob Hinden
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Pekka Savola
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Brian E Carpenter
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Pars Mutaf
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Theo de Raadt
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Dave Thaler
- RE: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jun-ichiro itojun Hagino 2.0
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Eric Klein
- Re: IPv6 Type 0 Routing Header issues james woodyatt
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Brian E Carpenter
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Roger Jorgensen
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jeroen Massar
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Paul Vixie
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Eric Klein
- Re: IPv6 Type 0 Routing Header issues George V. Neville-Neil
- Re: IPv6 Type 0 Routing Header issues Ebalard, Arnaud
- Re: IPv6 Type 0 Routing Header issues gnn
- Re: IPv6 Type 0 Routing Header issues Mini
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Jeroen Massar
- Re: Question for IPv6 w.g. on [Re: IPv6 Type 0 Ro… Eric Klein
- Re: Question for IPv6 w.g. on Kenjiro Cho
- Re: itojun2.0 (RE: IPv6 Type 0 Routing Header iss… Jun-ichiro itojun Hagino 2.0
- Re: itojun2.0 (RE: IPv6 Type 0 Routing Header iss… Jun-ichiro itojun Hagino 2.0
- Re: IPv6 Type 0 Routing Header issues David Malone
- Re: IPv6 Type 0 Routing Header issues Jun-ichiro itojun Hagino 2.0