Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
"George V. Neville-Neil" <gnn@neville-neil.com> Fri, 11 May 2007 20:55 UTC
Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hmc9W-0002Qm-Vk; Fri, 11 May 2007 16:55:50 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hmc9U-0002Bp-Si for ipv6@ietf.org; Fri, 11 May 2007 16:55:48 -0400
Received: from mrout3.yahoo.com ([216.145.54.173]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hmc9T-0000DJ-FI for ipv6@ietf.org; Fri, 11 May 2007 16:55:48 -0400
Received: from 104.32.61.10.in-addr.arpa.neville-neil.com (proxy8.corp.yahoo.com [216.145.48.13]) by mrout3.yahoo.com (8.13.6/8.13.6/y.out) with ESMTP id l4BKt5VK064594; Fri, 11 May 2007 13:55:07 -0700 (PDT)
Date: Fri, 11 May 2007 13:54:51 -0700
Message-ID: <m28xbvkrms.wl%gnn@neville-neil.com>
From: "George V. Neville-Neil" <gnn@neville-neil.com>
To: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
In-Reply-To: <m1irb0umsu.wl%jinmei@isl.rdc.toshiba.co.jp>
References: <31D43DED-5BEE-4730-8FCB-476FA9EE1A97@eads.net> <46432309.1020902@innovationslab.net> <m2tzukn0xp.wl%gnn@neville-neil.com> <ED9B698C-6892-4FE8-87FD-02372C4DA338@ca.afilias.info> <m1irb0umsu.wl%jinmei@isl.rdc.toshiba.co.jp>
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8 (Shijō) APEL/10.7 Emacs/22.0.95 (i386-apple-darwin8.8.2) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
X-Spam-Score: 1.6 (+)
X-Scan-Signature: 41c17b4b16d1eedaa8395c26e9a251c4
Cc: Brian Haberman <brian@innovationslab.net>, IETF IPv6 Mailing List <ipv6@ietf.org>
Subject: Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org
At Fri, 11 May 2007 11:16:49 +0900, jinmei wrote: > "packets addressed to them" still sounds a little ambiguous to me; it > could be interpreted as including intermediate hops specified in the > routing header or as only meaning the final destination. The intent > should obviously be the former, so I'd rephrase it further: > > "Compliant IPv6 hosts and routers MUST NOT process RH0 in packets > whose destination address in the IPv6 header is an address > assigned to them." > > BTW, I agree we shouldn't require routers to inspect every IPv6 packet > and drop it when it contains RH0 (even if whose IPv6 dst is NOT a > routers' address). It should leave to FWs, not ordinary routers. > > > I note that KAME's response to this is similar, but it's not clear to > > me that it's precisely identical: a patched KAME implementation > > treats the type 0 routing header as an unknown routing header > > (according to <http://www.kame.net/newsletter/20070502/>). This > > suggests to me that a patched KAME implementation will process a > > datagram containing RH0, but that RH0 header(s) in the datagram will > > not be acted upon. I would welcome corrections to my feeble > > assumptions in this area (I have done no tests, nor read any source > > code to confirm). > > I guess you're talking about whether the node returns an ICMPv6 error > when receiving a packet that contains an RH0 whose IPv6 dst is one of > its own addresses. KAME's implementation treats it as an "unknown > type" of routing header as you guessed and it returns an ICMPv6 > parameter problem error as a result. This is an intentional behavior: > > http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/route6.c.diff?r1=1.62;r2=1.63 > > (Which type of error is appropriate is a different question) > > > A packet containing RH0 presumably is intended not to be processed on > > the system identified by the destination address field; if it was, no > > RH0 would be present. This suggests to me that "MUST drop" is the > > right thing, rather than "process as if RH0 was not there"; in > > addition, if we assume that today any packet with RH0 is likely to be > > malicious, any processing of a packet containing RH0 which has the > > potential to result in backscatter seems like it should properly be > > avoided. > > I believe we should rather return an ICMPv6 error. Even if we decide > to deprecate type0 RH, there will be many non-updated systems for a > certain period of time. Since there is at least one know popular (but > non-attacking) usage of RH0, i.e., probing 'return path' by > traceroute, we'll still see non-attacking packets containing RH0. It > would be better to notice such innocent but not just well-informed > users explicitly, rather than simply dropping the packet. Regarding > 'backscatter', if you mean a DoS for the ICMPv6 recipient with a > source-spoofed packets containing RH0, I don't think it's a big > concern in this context; that's not different from other type of > backscatter' attacks with a forged source address, so simply > prohibiting this case wouldn't help much; and I believe returning an > error is actually helpful as I stated above. Also, ICMPv6 errors are > rate limited, so the backscatter effect is limited accordingly. > I agree with what Jinmei is saying here and this is how the HEAD of FreeBSD works currently, while it is only STABLE (5 and 6) that have the sysctl. If the final decision is to go this way then I can backport a patch to 5 and 6 so that all FreeBSD's work this way. As I've said before I am waiting for a decision before I go patching the code again. Best, George -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.txt Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Pekka Savola
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Brian Haberman
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jari Arkko
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Pekka Savola
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jeroen Massar
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… George V. Neville-Neil
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… gnn
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… JINMEI Tatuya / 神明達哉
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… George V. Neville-Neil
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Tim Enos
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Jun-ichiro itojun Hagino 2.0
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Ebalard, Arnaud
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Joe Abley
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… Guillaume Valadon / ギョーム バラドン
- Re: I-D ACTION:draft-jabley-ipv6-rh0-is-evil-00.t… David Malone
- Routing Header Type 0 way forward Brian Haberman