Re: Conflicting requirements for sending ICMPv6 and EH scan?
Tom Herbert <tom@herbertland.com> Sat, 25 May 2019 22:47 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 759AC120120 for <ipv6@ietfa.amsl.com>; Sat, 25 May 2019 15:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCqugS3SwnjS for <ipv6@ietfa.amsl.com>; Sat, 25 May 2019 15:47:48 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60BB412002F for <ipv6@ietf.org>; Sat, 25 May 2019 15:47:48 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id l128so59759qke.2 for <ipv6@ietf.org>; Sat, 25 May 2019 15:47:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aCOTVf6FaK0ePYgWz3/bvjTXRjE89v8ptTHoT73eRLU=; b=QJhiFZiPWf0XOnSxj/aamB/Siv/wfqNOkAnkfUYZiomCx92KSzlJ3F2bZyVIDz17Ur UrDcOatMz9xIjjtRhnk8x1Y+A2mMfXXHeswSAI6kPWxrBNIdbLtXQBtq5LIT963jTjN3 +3O8v1/4AqLEKooiR1vBVBiScMcal1mOwzUM72xpFA1U+4k5we4FRFQZBdFDMxuOpSlb xoNoyIVxz5UrpRxVYkyI8+y4ZCfZoaBtK4XhY25jlOcX7g1RF8aZtp5wWIyldJ6/JY8U rglXux8Exu16AW48zhRqO0qQu/em8I+4YbnpcZV53mTziBvV5ow1ukF9N8HH0xWj6vtr 8TPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aCOTVf6FaK0ePYgWz3/bvjTXRjE89v8ptTHoT73eRLU=; b=HUQa6gBSWM/uDX3lIHVaRyNHPzvkBiYWJ70kcsxBwEY4OegxnyFeo4zM1E3aeqoY3I eYVGYVIEvEHLNtRBQDdwwgwTpnOq3gxOpMaemI0JSRcsxwdegE3UeXy6IIIkEOH93xVI 1iNQdpIttTnOz3NaTu2cJ2bjDev531AFS0Ofb55G25WVqef3xfdfkXi5qCeEH13Wckt9 KI6Ufnn+UuYytdcjwGCXUDg3zsr+aPYI0Cpup/QAu4hXdQFcwGOY4EG9mBT8qLj5NPUE d1+1odPvuPyLMwmmPvpYdd0uh9r8Uso2ZO8ci92ZFAeql4hmtH2WBQeJ9rDLycZruF0c G7zA==
X-Gm-Message-State: APjAAAXTBqc/7S3/hZfWB2PHrN9N1G8Tdg3X8T2t4VVlDnRELe6aKySt vOy4jO4XCi77mPHyjqzSaAGY/g3AkL9BuLPcX3zH5k3s1rg=
X-Google-Smtp-Source: APXvYqyOBJHefIRhK6leoIaPBZpp4xNr2meBwbvSWntPrKaV267LG9gSVFyYtXmYV2C3Z7JrBSadv49nd19ghRorjiw=
X-Received: by 2002:aed:2665:: with SMTP id z92mr57620255qtc.368.1558824467027; Sat, 25 May 2019 15:47:47 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S37wNpe=XweKh=Y6ARZ1nfjvySmK=km6+_UTDVFPujp7bA@mail.gmail.com> <alpine.DEB.2.20.1905250852590.1824@uplift.swm.pp.se>
In-Reply-To: <alpine.DEB.2.20.1905250852590.1824@uplift.swm.pp.se>
From: Tom Herbert <tom@herbertland.com>
Date: Sat, 25 May 2019 15:47:36 -0700
Message-ID: <CALx6S366PCJu_yNuOuwYAdBBVCh-vJowLFckg4bzyj0hVamaCQ@mail.gmail.com>
Subject: Re: Conflicting requirements for sending ICMPv6 and EH scan?
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/qgoDbP4Wd1QDreHaTRuwLj7MW0o>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 22:47:50 -0000
On Fri, May 24, 2019 at 11:57 PM Mikael Abrahamsson <swmike@swm.pp.se> wrote: > > On Fri, 24 May 2019, Tom Herbert wrote: > > > Hello, > > > > I am updating the references in Linux stack from RFC2460 to RFC8200. I > > came across the ipv6_skip_exthdr function which contains a long, and > > somewhat apologetic, comment that this function is purposely walking > > over all the IPv6 extension headers for the purpose of locating the > > transport layer protocol and hence violates RFC2460 (RFC8200): > > > > "Therefore, extension headers must be processed strictly in the order > > they appear in the packet; a receiver must not, for example, scan > > through a packet looking for a particular kind of extension header and > > process that header prior to processing all preceding ones." > > > > The need for this function arises from the requirement of RFC4443: > > > > "(e) An ICMPv6 error message MUST NOT be originated as a result of > > receiving the following: > > > > (e.1) An ICMPv6 error message." > > > > So, for instance, if we are sending an ICMP error because of a problem > > with an extension header, we need to walk (process) the other > > extension headers to determine if the transport is ICMPv6 and if it is > > then not send the error. > > > > The comment is over fourteen years old! I would like to resolve > > somehow as not being a violation of standard. Any ideas how to do > > that? > > Is this ipv6_skip_exthdr only used as a sanity check when having decided > to send an ICMP6v6 error message, or is it used in other cases as well? > Mikael, Good question! Yes, it seems to be called in a few cases. We also skip over extension headers when trying to determine the flow of packet (for firewall or hash for ECMP, etc.). The commonality amongst all these cases seems to be that they are doing passive DPI with the purpose of extacting higher protocol layer information about a packet to make decisions or to fulfil requirements when processing lowering layers (as in the case of the ICMPv6). So I think it might be reasonable to say that these conform with the spirit of RFC8200 requirements since this is only parsing headers beyong the current header being processed, not actually performing the specified processing of deeper protocol headers out of order. The also implies another subtle issue. ESP might be used in transport mode with ICMP, so it would is impossible to determine in that case whether an ESP packet contains an ICMP error. That's probably a pathological issue. Tom > -- > Mikael Abrahamsson email: swmike@swm.pp.se
- Conflicting requirements for sending ICMPv6 and E… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Mikael Abrahamsson
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Fernando Gont
- Re: Conflicting requirements for sending ICMPv6 a… Ole Troan
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Ole Troan
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Ole Troan
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Ole Troan
- Re: Conflicting requirements for sending ICMPv6 a… Joel M. Halpern
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Ole Troan
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Fernando Gont
- Re: Conflicting requirements for sending ICMPv6 a… Mark Smith
- Re: Conflicting requirements for sending ICMPv6 a… Ole Troan
- Re: Conflicting requirements for sending ICMPv6 a… Fernando Gont
- RE: Conflicting requirements for sending ICMPv6 a… Ron Bonica
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- RE: Conflicting requirements for sending ICMPv6 a… Ron Bonica
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Fernando Gont
- Re: Conflicting requirements for sending ICMPv6 a… Tom Herbert
- Re: Conflicting requirements for sending ICMPv6 a… Mark Smith