Re: RFC6434bis open issue - IPv6 EH protection
Fernando Gont <fgont@si6networks.com> Tue, 07 November 2017 12:23 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA2C913FE61 for <ipv6@ietfa.amsl.com>; Tue, 7 Nov 2017 04:23:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pr20eaNvIT6h for <ipv6@ietfa.amsl.com>; Tue, 7 Nov 2017 04:23:09 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C240B13FE67 for <ipv6@ietf.org>; Tue, 7 Nov 2017 04:23:08 -0800 (PST)
Received: from [192.168.3.67] (unknown [181.165.119.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 679FB8028D; Tue, 7 Nov 2017 13:23:04 +0100 (CET)
Subject: Re: RFC6434bis open issue - IPv6 EH protection
To: Tim Chown <Tim.Chown@jisc.ac.uk>, 6man WG <ipv6@ietf.org>
References: <4E35047B-BB4A-4ED2-BB1D-535EC54C6502@jisc.ac.uk>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <f2ef6692-512b-0d06-94e7-3547d07ea469@si6networks.com>
Date: Tue, 07 Nov 2017 09:24:50 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <4E35047B-BB4A-4ED2-BB1D-535EC54C6502@jisc.ac.uk>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rZ3e2qsc9ABbB5IfsEvD3hNZjrM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Nov 2017 12:23:12 -0000
On 11/07/2017 08:59 AM, Tim Chown wrote: > Hi, > > Here is a second open issue in the draft for which the authors would like comments. > > In response to previous discussions, Tom Herbert kindly supplied some text on how nodes may protect themselves from excessive EH options. I support the idea/text (in general). > > There are two issues here. > 1. Does the text look reasonable? > 2. The text is quite long, and is not published elsewhere; is a separate draft more appropriate with just briefer text in 6434bis? If the text focuses solely on the number of EHs, I guess it could be included to this document. But I would be fine with the other option, too. > In general, we have minimised new text in 6434bis, and pointed at material published in RFCs elsewhere. > > — snip — > > 5.3. Protecting a node from excessive EH options > > Per RFC 8200, end hosts are expected to process all extension > headers, destination options, and hop-by-hop options in a packet. > Given that the only limit on the number and size of extension headers > is the MTU, the processing of received packets could be considerable. > It is also conceivable that a long chain of extension headers might > be used as a form of denial-of-service attack. Accordingly, a host > may place limits on the number and sizes of extension headers and > options it is willing to process. "may place" or "MAY place"? > A host MAY limit the number of consecutive PAD1 options in > destination options or hop-by-hop options to seven. In this case, if > the more than seven consecutive PAD1 options are present the the > packet should be silently discarded. The rationale is that if > padding of eight or more bytes is required than the PADN option > should be used. > > A host MAY limit number of bytes in a PADN option to be less than > eight. In such a case, if a PADN option is present that has a length > greater than seven then the packet should be silently discarded. The > rationale for this guideline is that the purpose of padding is for > alignment and eight bytes is the maximum alignment used in IPv6. > > A host MAY disallow unknown options in destination options or hob-by- > hop options. This should be configurable where the default is to > accept unknown options and process them per RFC2460. If a packet > with unknown options is received and the host is configured to > disallow them, then the packet should be silently discarded. While I'm not against this paragraph, this one is more tricky. If the information in an option is early "optional", then you should be fine ignoring the option. At the end of the they, the high order two bits of the option type give guidance regarding what to do. > A host MAY impose a limit on the maximum number of non-padding > options allowed in a destination options and hop-by-hop extension > headers. If this feature is supported the maximum number should be > configurable and the default value SHOULD be set to eight. The > limits for destination options and hop-by-hop options may be > separately configurable. If a packet is received and the number of > destination or hop-by-hop optines exceeds the limit, then the packet > should be silently discarded. This seems fine. I assume you're tackling "unknown options". Otherwise you could say something along the lines of "at most one instance of each of the specified options for this EH type". > A host MAY impose a limit on the maximum length of destination > options or hop-by-hop options extension header. This value should be > configurable and the default is to accept options of any length. s/options of any length/extension headers of any length/ might be clearrer. > If > a packet is received and the length of destination or hop-by-hop > options extension header exceeds the length limit, then the packet > should be silently discarded. A meta question here is whether one should silently drop, or respond with an ICMPv6 error. For the long EH chains in RFC7112, we do the later. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- RFC6434bis open issue - IPv6 EH protection Tim Chown
- Re: RFC6434bis open issue - IPv6 EH protection Fernando Gont
- Re: RFC6434bis open issue - IPv6 EH protection Brian E Carpenter