IETF Logo Mail Archive

Re: Validation of Packet Too Big Payload using Echo Request

Prabhakar Lakhera <plakhera@apple.com> Thu, 30 July 2020 00:26 UTC

Return-Path: <plakhera@apple.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B33383A0AD9 for <ipv6@ietfa.amsl.com>; Wed, 29 Jul 2020 17:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUv2BvWqDqCy for <ipv6@ietfa.amsl.com>; Wed, 29 Jul 2020 17:26:03 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF6C63A0AD5 for <6man@ietf.org>; Wed, 29 Jul 2020 17:26:03 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 06U0IPE4020702; Wed, 29 Jul 2020 17:26:01 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=uTpCzSwJS7FwnjLyNITUwjaOmUbb6pWYmzlE9HjktNA=; b=PiOrdP1X+TwRMLDmYqXteBWAiv7+B9d3Si3QDSXkrwi/FvXxJ7U4II4U1M6O8Ua1laLT T4pHDtmuEYOlvJlLipHZPjr3ms2Z1gEyDmPfyHnzfhsc9h7PVMiEnh6gYgierPnuUfXu yb618RX0UGy0VYfV/PI1eN99EuDWcVdw2wY9JYI8qCleLAkSnLQ8HzoxTpvSNL0O94OY /MMaZn+RNJQdKyzpHLoQghGV9GqnsKadH1wVvNQPwXPVk8DXGkX3SBvCVQaZcqp2IoNK Kp9hgba0zQkvgXVIPyWuJmtYJCMeh5KKwkg2oXfEuAUBgjOdu2kYcMeiz5wFW3dXAoDa aA==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 32kj391gpd-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 29 Jul 2020 17:26:01 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPS id <0QE900A5IAJDOGK0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Wed, 29 Jul 2020 17:26:01 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) id <0QE900U00A6Z0900@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Wed, 29 Jul 2020 17:26:01 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 74fa0bde907e3b74f7a3642966111f5f
X-Va-E-CD: f5c12aef7156e4eaffb3234cbd110187
X-Va-R-CD: f19c62e0b4b466324fa430a169bcbf72
X-Va-CD: 0
X-Va-ID: db10be61-8359-43af-9350-3e37554afac0
X-V-A:
X-V-T-CD: eeb530a43afdbed44757bc67818dc989
X-V-E-CD: f5c12aef7156e4eaffb3234cbd110187
X-V-R-CD: f19c62e0b4b466324fa430a169bcbf72
X-V-CD: 0
X-V-ID: 9a3fe4ea-deee-44e5-80b0-be3ce98ac8fe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-29_18:2020-07-29, 2020-07-29 signatures=0
Received: from localhost (unknown [17.235.36.110]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.5.20200312 64bit (built Mar 12 2020)) with ESMTPSA id <0QE90118DAJCLW00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Wed, 29 Jul 2020 17:26:00 -0700 (PDT)
From: Prabhakar Lakhera <plakhera@apple.com>
Message-id: <F943D03D-2A3D-406A-8F81-930540CEA3EB@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_C937A7F3-61A4-4D75-BAB3-500497AD1A97"
MIME-version: 1.0 (Mac OS X Mail 13.0 \(3649\))
Subject: Re: Validation of Packet Too Big Payload using Echo Request
Date: Wed, 29 Jul 2020 17:25:59 -0700
In-reply-to: <CAJgLMKsX=+cUbfpfWxnxVNbV9GUSdtX5v0hog_yLFGdmvgb=Lg@mail.gmail.com>
Cc: Shawn Zhang <yuanshan_zhang=40apple.com@dmarc.ietf.org>, 6MAN <6man@ietf.org>, Timothy Winters <twinters@iol.unh.edu>, Lorenzo Colitti <lorenzo@google.com>
To: Timothy Winters <tim@qacafe.com>
References: <26C02BD5-96CC-44D1-9CCB-00DE059D40D9@employees.org> <20200728114355.GF39464@shawns-mbp.lan> <CAJgLMKuzreN7Er5yebbxtZWwp-A1EXuqAYaF6ZgqF6NyhaPaFA@mail.gmail.com> <CAKD1Yr0MWME0Te6Sek5Kyi_TZT2sPo_HPoZce5rrU1oJSxsYBw@mail.gmail.com> <DE991374-96A4-4CCC-9D5B-CC97CC5B361F@apple.com> <CAJgLMKsX=+cUbfpfWxnxVNbV9GUSdtX5v0hog_yLFGdmvgb=Lg@mail.gmail.com>
X-Mailer: Apple Mail (2.3649)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-29_18:2020-07-29, 2020-07-29 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/qKXqeU2WEbvPR02ukgynvhYW60A>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 00:26:08 -0000


> On Jul 29, 2020, at 1:15 PM, Timothy Winters <tim@qacafe.com> wrote:
> 
> I think we are discussing two different things here. One is about IPv6 Ready Logo SHOULD position and another about the RFC clause in question. 
> 
> As a reminder SHOULD is defined in RFC 2119 as:  
> 
> "This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course "
> 
> IPv6 Ready Logo has been required SHOULD/MUST based on this definition for the last 15 years.  The reason for this is we want devices to support these interoperable standards, if they have a good reason for not implementing it, they can state it.  We've had several companies with security reasons not implement a SHOULD.  Also we allow for Advanced features, for things such a ping since not all devices have a method for initiating a ping.
> 
> For this clause in particular, it's also a security risk to accept all Packet Too Big messages without checking if the offending packet was valid.

Unlike v4 though, the minimum MTU for v6 is somewhat of a larger value if 1280. There are recommendations on not processing any lower values.
The cost caused therefore is somewhat minimized.

> Currently the line applies to all traffic, maybe we can all work on a draft to update this language to not apply to traffic but something more realistic?

I am not sure what that language would look like. It would end up getting into specifics for each use-case (ICMPv6 vs UDP vs TCP).
For example, QUIC is like TCP for most purpose but one may not get the complete payload in the errors to be able to validate these errors thereby would have to limit itself to UDP level checks.

It is one of those things that I think should be left to implementations to decide, whether they do it or not. And if they do it, decide on the on validation method of their choice.

> ~Tim
> 
> On Wed, Jul 29, 2020 at 2:16 PM Prabhakar Lakhera <plakhera@apple.com <mailto:plakhera@apple.com>> wrote:
> Specially, given the proposed test expects node to be stateful with ICMPv6 Echo Replies.
> That just opens up another window of exploit.
> 
> It is also not great that one can only provide “best effort” checks. That is do one thing for ICMPv6, check for tuple for UDP, additionally check for  sequence numbers for TCP.
> 
> Given the MTU has lower bound of 1280, the requirement should *not* be part of IPv6 ready logo as a must. The spec says it is a should, and that’s how it needs to be read.
> 
> Thanks! 
> 
>> On Jul 29, 2020, at 5:02 AM, Lorenzo Colitti <lorenzo@google.com <mailto:lorenzo@google.com>> wrote:
>> 
>> I'm not sure that the desired behaviour is reasonably implementable. Wouldn't it require the sending node to keep state on all packets it had ever sent? For how long?
>> 
>> The implementation can relatively easily check if a PTB matches an *existing* socket. But what if the following happens?
>> 
>> 1. App opens UDP socket, sends packet.
>> 2. App closes socket.
>> 3. PTB arrives for packet in step #1.
>> 4. App opens socket on same port again, sends identical packet again.
>> 
>> If the stack rejects the packet in #3, arguably it makes things worse. But accepting it is difficult without keeping state on sockets after they are closed, which is both ill-defined (how long do you need to keep the state?) and potentially expensive / exposing a DoS vector.
>> 
>> On Tue, Jul 28, 2020, 21:00 Timothy Winters <tim@qacafe.com <mailto:tim@qacafe.com>> wrote:
>> Hi Shawn,
>> 
>> If you are referring to the IPv6 Ready Logo Core Test Specification for this, we have a possible problem for this validation test case for devices that don't track ICMPv6 connections.
>> 
>> "Possible Problems:  If the device under test does not support tracking connections for ICMPv6 this test case may be omitted."
>> 
>> If you have other questions about IPv6 Ready please feel free to take this to the info@ipv6ready.org <mailto:info@ipv6ready.org>.
>> 
>> ~Tim
>> 
>> On Tue, Jul 28, 2020 at 7:48 AM Shawn Zhang <yuanshan_zhang=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc.ietf.org>> wrote:
>> Hi Ole,
>> 
>> I am reviving this thread. 
>> 
>> >> Frankly, I think for compliance this should be treated as a *SHOULD* and not as a MUST.
>> 
>> > Yes, I think that's a correct interpretation.
>> > That's what 8201 says too. "Nodes should appropriately validate..."
>> 
>> Since RFC8201 says “SHOULD” instead of “MUST”, should this test be removed from the compliance test as it is not a mandatory behavior?
>> 
>> IMHO, since the smallest packet size is capped at 1280, it won't cause too much risk  even if we don't verify it using Echo Request here.
>> 
>> Bests,
>> Shawn
>> 
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org <mailto:ipv6@ietf.org>
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>> --------------------------------------------------------------------
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org <mailto:ipv6@ietf.org>
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 <https://www.ietf.org/mailman/listinfo/ipv6>
>> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email