Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
Mark Smith <markzzzsmith@gmail.com> Mon, 27 May 2019 22:28 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4725B12007A for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 15:28:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_BTh_NTRCx0 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 15:28:28 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1E45120043 for <ipv6@ietf.org>; Mon, 27 May 2019 15:28:28 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id w9so12801821oic.9 for <ipv6@ietf.org>; Mon, 27 May 2019 15:28:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yrB4yLxJHQ4HtAtgJk/LKGNwDwH23ZBkcEY0ryZox2k=; b=gKNiZ2jlyXneQGMGKp72GcYKwjP4N+9YoonMCQy+gbkYEhS2NgpXwFSZijUrm2gCfX CNfiERxfcMO7zywfQdqK+3y1VI0Me9Wq9onOrpkqd/fLBKek6d67Wgn3/R1K5U+s5Eeu Gc3mp0g1Le//eN9ds89N9shFB8/u2pvmNAA3TETPJFYRGIo8ysB6qh4TDRWtp+e13e7G qQqoeZPxQbMP6pVyCSFfhXevR2/jvr4kkP1z/2L4wnzyNucy0YlfuOYkvZejBlh+vHc2 goR3YFq97VFl5k7FzXrKVJpycX0s115pVyAGuxvSuYllhQBjmaMJy+FVtP+1ZEsdwpem zbFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yrB4yLxJHQ4HtAtgJk/LKGNwDwH23ZBkcEY0ryZox2k=; b=qG7zejaNqp5ITrpkl5cCEW4U7JSilDgS+UjM1H5G1fAqORIgvQVYspczsZ5oc9bd/8 jto9cwv4Qo8/EviFNQyivv/fiBpT3mO1TnSgQPkjIJY89JsSGmoU6kJs7oe3FMWvx3Yy oqH83Ay1EXWlIeCnKmpy1ek6qIHzimI+sve64nabb9OrAsLDIN0yZhfYihv3Wr7NsJkg vqU7M8MX+SHzstYBhp+PnGljK1ZeMYrs4/x+A96fRWfDJrWH/qyDGEjE7f5BsUKz+Iro o7tHh39QgtC5CKNL+Qo0zSGGOIWNFaQ4btLKDcS2U4Y5O86tmN8ssSCMEAWSDdFsREXR /0oA==
X-Gm-Message-State: APjAAAUM5OWqSVn4eJsD2+/p6dRPoHc6V0nJKGJGhMQ6U5cP5Us1lcZt zy4UcHgCrf6kTL3twS/M76U1U4cNPgYOdkhIHOJAFw==
X-Google-Smtp-Source: APXvYqx8eAcHS0rmgoXC9UziSqmt4NjZ9sJtWkr6owUjc5IqYQj4y3P0X+XnXfKSTOCjtT3ac4Z8fhjceQ7Xcz6eyrw=
X-Received: by 2002:aca:c187:: with SMTP id r129mr729575oif.164.1558996107806; Mon, 27 May 2019 15:28:27 -0700 (PDT)
MIME-Version: 1.0
References: <155864405637.8647.14887579664730161506@ietfa.amsl.com> <CALx6S35yGHr+Hh0xB8EKZbJZxbP39MeeFH1_veWPOGiR=bXi4w@mail.gmail.com> <de5b23e5-d960-f722-6636-1c1ebc1194cf@foobar.org> <CALx6S36RHQv0VfWhXZ0Xf82ONQdraRfjdqE+-mQBoes-F7ErbA@mail.gmail.com>
In-Reply-To: <CALx6S36RHQv0VfWhXZ0Xf82ONQdraRfjdqE+-mQBoes-F7ErbA@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 28 May 2019 08:28:01 +1000
Message-ID: <CAO42Z2zeQVYkf50C_AwntMoiK400g6=6Z6Sot9-Om9fLMUsH9g@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
To: Tom Herbert <tom@herbertland.com>
Cc: Nick Hilliard <nick@foobar.org>, 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rzEoFr7c9XNo9wNdD5i7Of7FZ9U>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 22:28:30 -0000
On Tue, 28 May 2019 at 06:29, Tom Herbert <tom@herbertland.com> wrote: > > On Mon, May 27, 2019 at 12:58 PM Nick Hilliard <nick@foobar.org> wrote: > > > > Tom, > > > > Overall this looks useful. > > > > Minor nits: > > > > > options in Type-length-value (TLV) format. Each option includes a > > > length of the data field in octets, and the minimum size of an option > > > (non-pad type) is two bytes and the maximum length is 257 bytes. > > > > rephrase as: > > > > > options in Type-length-value (TLV) format. Each option includes a > > > length of the data field in octets: the minimum size of an option > > > (non-pad type) is two octets and the maximum length is 257 octets. > > > > s/extensions headers/extension headers/ > > > > s/attack of extension headers-- many/attack of extension headers, many/ > > > > s/may be applied on the number/may be applied to the number/ > > > > s/hosts may institute limits on/hosts may implement limits for/ > > > > s/of a fixed sized/of a fixed size/ > > > > s/for Parameter Problem type/for Parameter Problem types/ > > > > s/chain exceeds it processing/chain exceeds its processing/ > > > > Can I suggest the following for the security consideration section? > > > > -- > > 5 Security Considerations > > > > The security considerations for ICMPv6 described in [RFC4443] apply > > to this document. > > > > A malicious actor could use crafted packets to trigger ICMPv6 error > > replies described in this document, thereby allowing them to > > discover configuration or hardware characteristics of an > > intermediate node. If the intermediate node processes packets which > > trigger extension header limit ICMPv6 error replies by processing > > them in a slow path, then an attacker may be able to selectively > > flood the slow-path packet processor or the specific slow-path > > processing ingress queue, thereby affecting the packet processor's > > ability to handle legitimate ICMPv6 error replies. > > > Hi Nick, > > Thanks for the comments. For your proposed security considerations > text, is the problem of exposing hardware configuration specific to > only these type of ICMP errors? Do we need to provide so much detail > about the possible attack? Also I suspect that ICMP error processing > is in slow path processing anyway and there are other ways to generate > an ICMP flood, the bigger issue might be in divulging details about > hardware capabilities of intermediate nodes to third parties in the > ICMP error. > > How about text like this: > > "In some circumstances, the sending of ICMP errors could be exploited > for denial of service attack or as a means to covertly deduce > processing capabilities of nodes as a precursor to denial of service > attack. As such, an implementation MAY allow configurable policy to > rate limit ICMPv6 is already to be rate limited, per RFC 4443, 2.4, f. > or withhold sending of ICMP in environments where security > of ICMP errors is an issue." > > Thanks, > Tom > > > -- > > > > Nick > > > > Tom Herbert wrote on 24/05/2019 18:57: > > > Hello, > > > > > > This is an update to ICMPv6 errors for processing limits. The material > > > change is to add an "Option too big" Parameter Problem code. This is > > > used used if a HBH or DO option length exceeds a limit, or the length > > > consecutive padding in HBH or DO options list exceeds a limit. The > > > recommended priority for reporting errors was also update accordingly. > > > > > > Thanks, > > > Tom > > > > > > On Thu, May 23, 2019 at 1:42 PM <internet-drafts@ietf.org> wrote: > > >> > > >> > > >> A New Internet-Draft is available from the on-line Internet-Drafts directories. > > >> This draft is a work item of the IPv6 Maintenance WG of the IETF. > > >> > > >> Title : ICMPv6 errors for discarding packets due to processing limits > > >> Author : Tom Herbert > > >> Filename : draft-ietf-6man-icmp-limits-02.txt > > >> Pages : 12 > > >> Date : 2019-05-23 > > >> > > >> Abstract: > > >> Network nodes may discard packets if they are unable to process > > >> protocol headers of packets due to processing constraints or limits. > > >> When such packets are dropped, the sender receives no indication so > > >> it cannot take action to address the cause of discarded packets. This > > >> document defines ICMPv6 errors that can be sent by a node that > > >> discards packets because it is unable to process the protocol > > >> headers. A node that receives such an ICMPv6 error may be able to > > >> modify what it sends in future packets to avoid subsequent packet > > >> discards. > > >> > > >> > > >> The IETF datatracker status page for this draft is: > > >> https://datatracker.ietf.org/doc/draft-ietf-6man-icmp-limits/ > > >> > > >> There are also htmlized versions available at: > > >> https://tools.ietf.org/html/draft-ietf-6man-icmp-limits-02 > > >> https://datatracker.ietf.org/doc/html/draft-ietf-6man-icmp-limits-02 > > >> > > >> A diff from the previous version is available at: > > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-icmp-limits-02 > > >> > > >> > > >> Please note that it may take a couple of minutes from the time of submission > > >> until the htmlized version and diff are available at tools.ietf.org. > > >> > > >> Internet-Drafts are also available by anonymous FTP at: > > >> ftp://ftp.ietf.org/internet-drafts/ > > >> > > >> -------------------------------------------------------------------- > > >> IETF IPv6 working group mailing list > > >> ipv6@ietf.org > > >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > >> -------------------------------------------------------------------- > > > > > > -------------------------------------------------------------------- > > > IETF IPv6 working group mailing list > > > ipv6@ietf.org > > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > > -------------------------------------------------------------------- > > > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- I-D Action: draft-ietf-6man-icmp-limits-02.txt internet-drafts
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Mark Smith
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Nick Hilliard
- Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt Tom Herbert