[IPv6]Re: Fwd: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt
Justin Iurman <justin.iurman@gmail.com> Tue, 23 December 2025 21:58 UTC
Return-Path: <justin.iurman@gmail.com>
X-Original-To: ipv6@mail2.ietf.org
Delivered-To: ipv6@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2ED959E8A8D0 for <ipv6@mail2.ietf.org>; Tue, 23 Dec 2025 13:58:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zg-pFn2i813D for <ipv6@mail2.ietf.org>; Tue, 23 Dec 2025 13:58:39 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BC5319E8A884 for <6man@ietf.org>; Tue, 23 Dec 2025 13:58:38 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-64b61f82b5fso7100789a12.0 for <6man@ietf.org>; Tue, 23 Dec 2025 13:58:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1766527118; x=1767131918; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=N4HY9TfuevNEIWClr/s84zF9/A73Rmwp9lfaZ9GyWQc=; b=auyVvePs3FHMJZqv7GnJD6II5D5ePaX3rJ8dbVnH8DI0NmegLgGpSyCIel5TCFySDL 2mHyZba4J75/Kuh3esWC1En1JYQee6dpk5t1/nta5r0hvA4zU+uJmyNooZRlQbkLtwut Ol01UvVsGT9uLoAVzSWPLP/bDXD6FIJ4rtS0uG4BP+CySJJEYa1F/hC5WCit0g+hJ4vo mWc15+qF9XtxLo1PJgAZU4LBWXw7wobKUAcGMGlMVTiC5MVav5snx8MLZy/sCkX2gTqj HG5vdeVofnbjU9sPBYMMVY5nrCx7IErA3GKylGhe/ij85avTsoG2gUzF1MYK9sNKaxT1 9vWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766527118; x=1767131918; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=N4HY9TfuevNEIWClr/s84zF9/A73Rmwp9lfaZ9GyWQc=; b=dhzDGIkNJEUDdauXvWTfHwtI58vpLdsyZsYasCevcszho7EEzHeM5PIPB28AvCgro2 WAWlbhqLwjKCdqiGooq6d+9EpVzF7qPArL5tC5XorMms86LCJ9y9p15nHsvRCr05/dPq WPixEzr3glb+923pIDuEk2kp+KgEzuJWHAMNgUnQ9C6xgwkK+RR5UxVaG5N63lue5q3d UB7SoX6UGiNJGO2JPjGJzXBxHm9dmcoAuvlytgXFhclo2wSGAUj2XKb350MLebKqx8W2 1hXWXP9aEQZSTzY3yzd+0FIZlvFRZjF3aov5fjLrtdGvrRyCFV1CSSTsDO96rvpiwIqw gFTw==
X-Forwarded-Encrypted: i=1; AJvYcCXWEfjV4zJg6jLlhn7ZU2q6JC2pey2StLxys55h9Noxx9TadBITwle8GJJAPLemw0b/3e8U@ietf.org
X-Gm-Message-State: AOJu0YxytW6TxMweREuO68oIR5CEAtZzTXLz7GkKFUdyW6hGg764fDsN 0q2jrMvREggPSQBXL8e3dl1Ksh1JnsXEMevfdGiGa24d4C1iEXlSXkznvCrKQt6H
X-Gm-Gg: AY/fxX7MAZBSMz+t0+OwwVHo49Hu7FfhMDhu0FFLF9cJRY2lPFQj/DIMe+P8uEQD9kM 7kzADcSbCZ+/uk/4mCa1c6kUcl5MdJc/cxcdm2oEYH610wFuwsoJCGyMbWEWmnI20mBOGq8jBY7 28xVV0ys94u5NGjHLqtIRrQk4/xOtdQu5gVxMg9Gseaq8cbe5KpFsvIqY/vEfHe6byuh4nRaXS3 LkNnPQ/k7YJU9TSi2CigTcee9QHqGuOkve8IWz+fDNXIEqaFtuKe+Ow5yqFJchqZim83dPyHCdG zcOm2xw3IPSbwMP6xLzyNifutrczNe/rL+Vpkj7PBAYfbTZIpWmIQtmn/Wgp+zcI4lGQIoJZ3J7 WfPIeznEUqPjiEH7LrJYQjPqO8fjh5USJ486j1+/qa0ZMnGIgPUofFltU/n7e3jblx/Ny8+MIn1 Gfp5b8zQKYDtZ15Hl19mtYVb7PLraZ4AVjf9FWPbZwszeJ8+tqJruO+TkXMx+M+nhilQ==
X-Google-Smtp-Source: AGHT+IGbM8uxipNvsSYAzzcbubulz8FnsFnrp2VuPMV2F7rFlYPmw9IoefAojpeZK1VOx4i2+tDvmA==
X-Received: by 2002:a05:6402:1e90:b0:64d:4894:776b with SMTP id 4fb4d7f45d1cf-64d48947948mr8156783a12.27.1766527117518; Tue, 23 Dec 2025 13:58:37 -0800 (PST)
Received: from ?IPV6:2a02:a03f:a75e:9a00:4071:9dfd:8d91:6722? ([2a02:a03f:a75e:9a00:4071:9dfd:8d91:6722]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-64b916b66e2sm15102128a12.34.2025.12.23.13.58.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 23 Dec 2025 13:58:37 -0800 (PST)
Message-ID: <9f701a6a-667f-498e-9f21-e29eb6a970e8@gmail.com>
Date: Tue, 23 Dec 2025 22:58:34 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Sebastian Moeller <moeller0@gmx.de>
References: <176651727681.861963.1665571528282296202@dt-datatracker-5656579b89-p6k4r> <af5fd42c-fbb9-4606-a8c6-208a7ff6bc6f@gmail.com> <C6D81618-1EE3-411B-A33B-08DA13D97615@gmail.com> <9da3faac-479d-4638-ba91-bd81f6d38692@gmail.com> <CALx6S37OGUD_ysrd6AvMa13SVMv8SiWYs5F_RR_i3rzcMXMrEw@mail.gmail.com> <26504d91-3c61-4a0c-8943-d82e3acedd89@gmail.com> <CALx6S378CDW3TC2zz=NFpw+dtms8fokbVOzW0aCAYRuOC_G3Tw@mail.gmail.com> <d123e415-7b4b-4eae-a0b6-e3c576d691d3@gmail.com> <91D3D1EF-C61E-46EE-89CE-76D41BC04190@gmx.de>
Content-Language: en-US
From: Justin Iurman <justin.iurman@gmail.com>
In-Reply-To: <91D3D1EF-C61E-46EE-89CE-76D41BC04190@gmx.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Message-ID-Hash: CHVMO5JTFU2MKZBKSYY4P56NG3TZZ6BY
X-Message-ID-Hash: CHVMO5JTFU2MKZBKSYY4P56NG3TZZ6BY
X-MailFrom: justin.iurman@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ipv6.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Bob Hinden <bob.hinden@gmail.com>, 6man@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [IPv6]Re: Fwd: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt
List-Id: "IPv6 Maintenance Working Group (6man)" <ipv6.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/lwwkKJ8fk372F4TP-_ad3EtknMs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Owner: <mailto:ipv6-owner@ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Subscribe: <mailto:ipv6-join@ietf.org>
List-Unsubscribe: <mailto:ipv6-leave@ietf.org>
Sebastian, On 12/23/25 22:41, Sebastian Moeller wrote: > Justin, > >> On 23. Dec 2025, at 22:33, Justin Iurman <justin.iurman@gmail.com> wrote: >> >> Tom, >> >> On 12/23/25 22:21, Tom Herbert wrote: >>> On Tue, Dec 23, 2025 at 1:05 PM Justin Iurman <justin.iurman@gmail.com> wrote: >>>> >>>> Tom, >>>> >>>> On 12/23/25 21:55, Tom Herbert wrote: >>>>> On Tue, Dec 23, 2025 at 12:31 PM Justin Iurman <justin.iurman@gmail.com> wrote: >>>>>> >>>>>> Bob, >>>>>> >>>>>> I don't think it does, but I may be wrong. Could you point me to the >>>>>> text you have in mind? >>>>>> >>>>>> This draft enforces the number of occurrences of all Extension Headers, >>>>>> not the number of options inside a Hop-by-Hop or Destination Options >>>>>> header nor the processing of Hbh/options. Which is, IMHO, different from >>>>>> RFC 9673. The idea came after a discussion with Tom on the mailing list >>>>>> (regarding draft-ietf-6man-eh-limits), and his concern about DoS attacks >>>>>> on hosts, mainly for the Destination Options header which could appear >>>>>> many times (i.e., at least more than two). I believe this draft solves >>>>>> that concern and at the same time avoids the need to publish >>>>>> draft-ietf-6man-eh-limits, which by the way may also require changes in >>>>>> rfc8504-bis Section 5.3 (e.g., maybe a smaller limit on the number of >>>>>> options, current is 8). Other concerns about the size of EHs and/or >>>>>> options in draft-ietf-6man-eh-limits don't need to be addressed IMHO, as >>>>>> already discussed and explained previously on the mailing list. Overall, >>>>>> I see this draft + rfc8504-bis + RFC 9673 as an acceptable solution, >>>>>> compared to draft-ietf-6man-eh-limits. >>>>> >>>>> Justin, >>>>> >>>>> This was already addressed in eh-limits draft: >>>>> >>>>> " >>>>> A host or intermediate MAY enforce the recommended extension >>>>> header ordering and number of occurrences of extension headers >>>>> described in Section 4.1 of [RFC8200]. Per the ordering >>>>> recommendations, each extension header can occur at most once in a >>>>> packet with the exception of Destination Options header which can >>>>> occur twice. The recommended extension header ordering per >>>>> [RFC8200] is: >>>>> >>>>> - IPv6 header >>>>> - Hop-by-Hop Options header >>>>> - Destination Options header >>>>> - Routing header >>>>> - Fragment header >>>>> - Authentication header >>>>> - Encapsulating Security Payload header >>>>> - Destination Options header >>>>> - Upper-Layer header >>>>> >>>>> If a host or intermediate node enforces extension header ordering >>>>> and a packet is received with extension headers out of order or >>>>> the number of occurrences of an extension header is greater than >>>>> one, or two for the Destination Options header, then the receiving >>>>> node MUST discard the packet and MAY send an ICMP Parameter >>>>> Problem message with code 0 (Erroneous Header Field Encountered) >>>>> [RFC4443] to the packet's source address. >>>>> " >>>>> >>>>> Also, this draft is only for one tiny part of the problem and I don't >>>>> believe it is really addressing the core issue which is the high drop >>>>> rates of packets with extension headers. >>>> >>>> Correct. However, we already discussed why draft-ietf-6man-eh-limits was >>>> trying to do too much by specifying limits on the size of EHs and Hbh/Do >>>> options (feedback from WG members and the IESG). And since you did not >>>> want to remove these problematic parts in the draft, I see this draft as >>>> a good trade-off and the only way forward. >>> Justin, >>> I don't see how this is a good trade-off nor the only way forward for >>> solving the undepoyability of extension headers. IMO, if we're not >>> going to address the real issues with extension headers then the best >>> way forward is to deprecate them. >> >> Right, I'll do it again and repeat what was already discussed. Why is it a good trade-off? Because it mitigates DoS attacks, especially for Hbh and DO (which was one of the concerns in draft-ietf-6man-eh-limits). Because rfc8504-bis can specify new limits on the number of Hbh/DO options (although the current default of 8 could reasonably remain, thanks to this draft). Because RFC 9673 already handles the processing of Hbh and its options. And, above all, because what you're trying to solve cannot be solved the way you did. Specifying limits on the size of EHs and options would be useless (at best) or dangerous. Why? Well, if you look at the reasons of such drops, there are two: (i) policies applied by operators, and (ii) hardware limitation. For the first one, you can't do much except trying to educate people. For the second one, specifying "limits" won't solve anything. There are proofs that recent hardware do not have such low limitation (i.e., small parsing buffers). The solution is therefore to not have a solution, i.e., situation will improve over time (old hardware will be replaced at some point). > > That IMHO is more wishful thinking, and less robust engineering: if operators have no desire of actually parsing deep into packets due to their policies, what makes you believe that the (I assume non-exhaustive) examples you saw in recent router hardware to allow deeper parsing will actually be predictive of the capabilities of all modern hardware to come? Now, maybe there are reasons that hardware vendors need/want these deeper inspection capabilities even if their customer,ers do not seem to care; do you know of any such motivations that might allow a robust prediction that deeper buffers are here to stay? This is indeed wishful thinking, but not entirely. It was observed that operators tend to apply policies on Hbh and Frag (and RHs too sometimes), but not really on DO or other EHs where pure hardware limitation is the root cause in that case. What's already heavily filtered by operators is going to be hard to save. Regarding your question(s), I believe SRv6 is a good example of why you would want to be able to parse deep (e.g., an old 64-byte parsing buffer is probably not what you want in most cases here). That (i.e., market pressure on vendors regarding SRv6 capabilities), combined with evolving hardware capabilities, leads me to foresee the sun behind the clouds in the long term. Justin > Regards > Sebastian > > > > > >> >> Justin >> >>> Tom >>>> >>>> Justin >>>> >>>>> Tom >>>>> >>>>>> >>>>>> Justin >>>>>> >>>>>> On 12/23/25 20:57, Bob Hinden wrote: >>>>>>> Justin, >>>>>>> >>>>>>> I suggest you take a look at RFC 9673 "IPv6 Hop-by-Hop Options Processing Procedures”. I believe it covers this topic for hop-by-hop options. >>>>>>> >>>>>>> Bob >>>>>>> >>>>>>> >>>>>>>> On Dec 23, 2025, at 11:26 AM, Justin Iurman <justin.iurman@gmail.com> wrote: >>>>>>>> >>>>>>>> Hi everyone, >>>>>>>> >>>>>>>> Happy holidays! >>>>>>>> >>>>>>>> This new draft aims to mitigate the risk of DoS attacks due to an abusive use of IPv6 Extension Headers. This problem is related to non-normative language combined with ambiguous wording in RFC 8200. This is one of the concerns raised in draft-ietf-6man-eh-limits. Feedback welcome! >>>>>>>> >>>>>>>> Cheers, >>>>>>>> Justin >>>>>>>> >>>>>>>> -------- Forwarded Message -------- >>>>>>>> Subject: New Version Notification for draft-iurman-6man-eh-occurrences-00.txt >>>>>>>> Date: Tue, 23 Dec 2025 11:14:36 -0800 >>>>>>>> From: internet-drafts@ietf.org >>>>>>>> To: Justin Iurman <justin.iurman@uliege.be> >>>>>>>> >>>>>>>> A new version of Internet-Draft draft-iurman-6man-eh-occurrences-00.txt has >>>>>>>> been successfully submitted by Justin Iurman and posted to the >>>>>>>> IETF repository. >>>>>>>> >>>>>>>> Name: draft-iurman-6man-eh-occurrences >>>>>>>> Revision: 00 >>>>>>>> Title: Mitigating DoS attacks in IPv6 by clarifying the number of occurrences of Extension Headers >>>>>>>> Date: 2025-12-23 >>>>>>>> Group: Individual Submission >>>>>>>> Pages: 5 >>>>>>>> URL: https://www.ietf.org/archive/id/draft-iurman-6man-eh-occurrences-00.txt >>>>>>>> Status: https://datatracker.ietf.org/doc/draft-iurman-6man-eh-occurrences/ >>>>>>>> HTMLized: https://datatracker.ietf.org/doc/html/draft-iurman-6man-eh-occurrences >>>>>>>> >>>>>>>> >>>>>>>> Abstract: >>>>>>>> >>>>>>>> This document updates RFC 8200 by specifying normative requirements >>>>>>>> on the number of occurrences of IPv6 Extension Headers. Operational >>>>>>>> experience has demonstrated that permitting multiple occurrences of >>>>>>>> the same Extension Header can create parsing ambiguity, increase >>>>>>>> attack surface, and complicate packet processing in general. This is >>>>>>>> especially true for both the Hop-by-Hop Options Header and the >>>>>>>> Destination Options Header, which can contain a number of options. >>>>>>>> This document restricts IPv6 packets to carry at most one instance of >>>>>>>> each Extension Header, with the exception of the Destination Options >>>>>>>> Header, which is permitted to appear twice as specified in RFC 8200. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> The IETF Secretariat >>>>>>>> >>>>>>>> >>>>>>>> -------------------------------------------------------------------- >>>>>>>> IETF IPv6 working group mailing list >>>>>>>> ipv6@ietf.org >>>>>>>> List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/ >>>>>>>> -------------------------------------------------------------------- >>>>>>> >>>>>> >>>>>> -------------------------------------------------------------------- >>>>>> IETF IPv6 working group mailing list >>>>>> ipv6@ietf.org >>>>>> List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/ >>>>>> -------------------------------------------------------------------- >>>> >> >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list >> ipv6@ietf.org >> List Info: https://mailman3.ietf.org/mailman3/lists/ipv6@ietf.org/ >> -------------------------------------------------------------------- >
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Fwd: New Version Notification for draft-iur… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Bob Hinden
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Sebastian Moeller
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Nick Hilliard
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Nick Hilliard
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Tom Herbert
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Sebastian Moeller
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Justin Iurman
- [IPv6]Re: Fwd: New Version Notification for draft… Nick Hilliard