IETF Logo Mail Archive

Re: Conflicting requirements for sending ICMPv6 and EH scan?

Tom Herbert <tom@herbertland.com> Sat, 25 May 2019 22:47 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 759AC120120 for <ipv6@ietfa.amsl.com>; Sat, 25 May 2019 15:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCqugS3SwnjS for <ipv6@ietfa.amsl.com>; Sat, 25 May 2019 15:47:48 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60BB412002F for <ipv6@ietf.org>; Sat, 25 May 2019 15:47:48 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id l128so59759qke.2 for <ipv6@ietf.org>; Sat, 25 May 2019 15:47:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aCOTVf6FaK0ePYgWz3/bvjTXRjE89v8ptTHoT73eRLU=; b=QJhiFZiPWf0XOnSxj/aamB/Siv/wfqNOkAnkfUYZiomCx92KSzlJ3F2bZyVIDz17Ur UrDcOatMz9xIjjtRhnk8x1Y+A2mMfXXHeswSAI6kPWxrBNIdbLtXQBtq5LIT963jTjN3 +3O8v1/4AqLEKooiR1vBVBiScMcal1mOwzUM72xpFA1U+4k5we4FRFQZBdFDMxuOpSlb xoNoyIVxz5UrpRxVYkyI8+y4ZCfZoaBtK4XhY25jlOcX7g1RF8aZtp5wWIyldJ6/JY8U rglXux8Exu16AW48zhRqO0qQu/em8I+4YbnpcZV53mTziBvV5ow1ukF9N8HH0xWj6vtr 8TPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aCOTVf6FaK0ePYgWz3/bvjTXRjE89v8ptTHoT73eRLU=; b=HUQa6gBSWM/uDX3lIHVaRyNHPzvkBiYWJ70kcsxBwEY4OegxnyFeo4zM1E3aeqoY3I eYVGYVIEvEHLNtRBQDdwwgwTpnOq3gxOpMaemI0JSRcsxwdegE3UeXy6IIIkEOH93xVI 1iNQdpIttTnOz3NaTu2cJ2bjDev531AFS0Ofb55G25WVqef3xfdfkXi5qCeEH13Wckt9 KI6Ufnn+UuYytdcjwGCXUDg3zsr+aPYI0Cpup/QAu4hXdQFcwGOY4EG9mBT8qLj5NPUE d1+1odPvuPyLMwmmPvpYdd0uh9r8Uso2ZO8ci92ZFAeql4hmtH2WBQeJ9rDLycZruF0c G7zA==
X-Gm-Message-State: APjAAAXTBqc/7S3/hZfWB2PHrN9N1G8Tdg3X8T2t4VVlDnRELe6aKySt vOy4jO4XCi77mPHyjqzSaAGY/g3AkL9BuLPcX3zH5k3s1rg=
X-Google-Smtp-Source: APXvYqyOBJHefIRhK6leoIaPBZpp4xNr2meBwbvSWntPrKaV267LG9gSVFyYtXmYV2C3Z7JrBSadv49nd19ghRorjiw=
X-Received: by 2002:aed:2665:: with SMTP id z92mr57620255qtc.368.1558824467027; Sat, 25 May 2019 15:47:47 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S37wNpe=XweKh=Y6ARZ1nfjvySmK=km6+_UTDVFPujp7bA@mail.gmail.com> <alpine.DEB.2.20.1905250852590.1824@uplift.swm.pp.se>
In-Reply-To: <alpine.DEB.2.20.1905250852590.1824@uplift.swm.pp.se>
From: Tom Herbert <tom@herbertland.com>
Date: Sat, 25 May 2019 15:47:36 -0700
Message-ID: <CALx6S366PCJu_yNuOuwYAdBBVCh-vJowLFckg4bzyj0hVamaCQ@mail.gmail.com>
Subject: Re: Conflicting requirements for sending ICMPv6 and EH scan?
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/qgoDbP4Wd1QDreHaTRuwLj7MW0o>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 22:47:50 -0000

On Fri, May 24, 2019 at 11:57 PM Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
> On Fri, 24 May 2019, Tom Herbert wrote:
>
> > Hello,
> >
> > I am updating the references in Linux stack from RFC2460 to RFC8200. I
> > came across the ipv6_skip_exthdr function which contains a long, and
> > somewhat apologetic, comment that this function is purposely walking
> > over all the IPv6 extension headers for the purpose of locating the
> > transport layer protocol and hence violates RFC2460 (RFC8200):
> >
> > "Therefore, extension headers must be processed strictly in the order
> > they appear in the packet; a receiver must not, for example, scan
> > through a packet looking for a particular kind of extension header and
> > process that header prior to processing all preceding ones."
> >
> > The need for this function arises from the requirement of RFC4443:
> >
> > "(e) An ICMPv6 error message MUST NOT be originated as a result of
> >       receiving the following:
> >
> >       (e.1) An ICMPv6 error message."
> >
> > So, for instance, if we are sending an ICMP error because of a problem
> > with an extension header, we need to walk (process) the  other
> > extension headers to determine if the transport is ICMPv6 and if it is
> > then not send the error.
> >
> > The comment is over fourteen years old! I would like to resolve
> > somehow as not being a violation of standard. Any ideas how to do
> > that?
>
> Is this ipv6_skip_exthdr only used as a sanity check when having decided
> to send an ICMP6v6 error message, or is it used in other cases as well?
>
Mikael,

Good question! Yes, it seems to be called in a few cases. We also skip
over extension headers when trying to determine the flow of packet
(for firewall or hash for ECMP, etc.). The commonality amongst all
these cases seems to be that they are doing passive DPI with the
purpose of extacting higher protocol layer information about a packet
to make decisions or to fulfil requirements when processing lowering
layers (as in the case of the ICMPv6). So I think it might be
reasonable to say that these conform with the spirit of RFC8200
requirements since this is only parsing headers beyong the current
header being processed, not actually performing the specified
processing of deeper protocol headers out of order.

The also implies another subtle issue. ESP might be used in transport
mode with ICMP, so it would is impossible to determine in that case
whether an ESP packet contains an ICMP error. That's probably a
pathological issue.

Tom

> --
> Mikael Abrahamsson    email: swmike@swm.pp.se

v2.23.0 | Report a Bug | By Email