IETF Logo Mail Archive

Re: Comments on <draft-gont-6man-rfc6564bis-01>

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 27 October 2015 19:16 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFC5B1ACE64; Tue, 27 Oct 2015 12:16:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHSIDw8GkwaS; Tue, 27 Oct 2015 12:16:18 -0700 (PDT)
Received: from mail-pa0-x22b.google.com (mail-pa0-x22b.google.com [IPv6:2607:f8b0:400e:c03::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03BC01ACE2D; Tue, 27 Oct 2015 12:16:18 -0700 (PDT)
Received: by pasz6 with SMTP id z6so230593023pas.2; Tue, 27 Oct 2015 12:16:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=0PJpfB1alDT6md3OXcutIlVnDd2LPIS4JWnirvtLanQ=; b=Ups0ozKeng4DMTrdMo1JXKdIY/BtDZ/MFECFAvXZCSv9FPoSfHYofXY/20fTJBrmxh zin6H+i8/XGMx0yTCi/Fl548VIJnQAwn3IG6ynu01Fv1fHNcJua29vpekKSZpV1ZkyGU +CxKaMnRofqXwU6QrXM1uLMCTdP1qvxS9vFiyRZzXRA0so0YjwHBQKkr+4VheyWLBENj E1qGjGa1IZcOinybJ1fbRvPECQ67h/+BMl4TzTtmk2pxggMoRmxg5FEslx/WYTLE7XDp Wz47Y+Knsm8SbvLiTxAQ9ElsDAHlpFFq/fhFi57H9ni4bYoRH0I6JBQTiuhUlWAZjFaa U0uA==
X-Received: by 10.66.254.7 with SMTP id ae7mr29023415pad.129.1445973377723; Tue, 27 Oct 2015 12:16:17 -0700 (PDT)
Received: from ?IPv6:2406:e007:7b18:1:28cc:dc4c:9703:6781? ([2406:e007:7b18:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id rc5sm41022626pbc.95.2015.10.27.12.16.14 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Oct 2015 12:16:16 -0700 (PDT)
Subject: Re: Comments on <draft-gont-6man-rfc6564bis-01>
To: Hagen Paul Pfeifer <hagen@jauu.net>, Bob Hinden <bob.hinden@gmail.com>
References: <5ABE9F3B-FD35-4288-B7AE-A154A4DF384C@gmail.com> <20151024124803.GA4053@virgo.local> <372F6293-A02F-4ABA-B132-152E1B82DC07@gmail.com> <1858999608.4668.1445880199015.JavaMail.open-xchange@ox1app> <562ECA7F.5010306@gmail.com> <1162141237.6003.1445967143331.JavaMail.open-xchange@ox1app>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <562FCD81.6050704@gmail.com>
Date: Wed, 28 Oct 2015 08:16:17 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <1162141237.6003.1445967143331.JavaMail.open-xchange@ox1app>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/jHaJaueMxcGSn8WireXH8Pfq-8c>
Cc: IPv6 List <ipv6@ietf.org>, draft-gont-6man-rfc6564bis <draft-gont-6man-rfc6564bis@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2015 19:16:20 -0000

On 28/10/2015 06:32, Hagen Paul Pfeifer wrote:
>> On October 27, 2015 at 1:51 AM Brian E Carpenter
>> <brian.e.carpenter@gmail.com> wrote:
> 
> Hey Brian
> 
>> That is 6 extension header types. There are 11 header types
>> currently registered:
>> http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#extension-header
>> .
>> Where does the code handle the other 5, and in particular how does it
>> handle the experimental values, whose structure is completely open?
> 
> The Linux Kernel must handle some types a little bit different. So for
> example see
> http://lxr.free-electrons.com/source/include/uapi/linux/in6.h#L130 and
> click on IPPROTO_MH you will find the code how IP Mobility is implemented.
> HIP and SHIM is not mainlined and not supported yet. Sure, a patch can
> help to make these extension headers known to let the kernel ignore them.
> If currently one of these extension header is received the packet will be
> discarded. Maybe this is an indicator that HIP/SHIM is not widely adopted.
> ;-) Note: "received" means in particular the packet is locally delivered.
> Let's skip the decision what happens to HIP/SHIM packets over netfiltered
> forwarding paths.

No, we can't skip it, because that's the point. Of course, the receiving host
must contain code for any extension headers it is supposed to understand.
Taking the example of shim6, if a receiving host has installed linshim6
it works just fine *except* that some annoying firewall on the path drops
all the packets. A firewall built on Linux will do that, judging by the code
extract you supplied.

> The experimental range is not supported because it is impossible! This is
> the central issue and it is addressed with this ID (among other things).
> Supporting the "experimental range" is not possible because the kernel do
> not know how the particular extension header is encoded! The kernel do not
> know how to jump over unknown extension header. 

Sure, if we're talking about the receiving host. But a firewall should be
configurable to allow the packet through. That's the point of RFC7045.

> What is required is a
> guarantee that a particular extension header is encoded in a pre-known
> format. This is where draft-gont-6man-rfc6564bis comes into play.
> 
> 1. Define a Universal Extension Header with a TLV like encoding where the
> header size is always at the same position
> 2. Provide the Kernel a guarantee that a header is encoded with the
> Universal Extension header

I think that buffer overflow attacks are built on the assumption that
such a 'guarantee' is meaningless. Isn't that the entire reason that firewall
people like to discard unknown headers?

   Brian

v2.23.0 | Report a Bug | By Email