Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt

Mark Smith <markzzzsmith@gmail.com> Mon, 27 May 2019 22:28 UTC

Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4725B12007A for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 15:28:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_BTh_NTRCx0 for <ipv6@ietfa.amsl.com>; Mon, 27 May 2019 15:28:28 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1E45120043 for <ipv6@ietf.org>; Mon, 27 May 2019 15:28:28 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id w9so12801821oic.9 for <ipv6@ietf.org>; Mon, 27 May 2019 15:28:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yrB4yLxJHQ4HtAtgJk/LKGNwDwH23ZBkcEY0ryZox2k=; b=gKNiZ2jlyXneQGMGKp72GcYKwjP4N+9YoonMCQy+gbkYEhS2NgpXwFSZijUrm2gCfX CNfiERxfcMO7zywfQdqK+3y1VI0Me9Wq9onOrpkqd/fLBKek6d67Wgn3/R1K5U+s5Eeu Gc3mp0g1Le//eN9ds89N9shFB8/u2pvmNAA3TETPJFYRGIo8ysB6qh4TDRWtp+e13e7G qQqoeZPxQbMP6pVyCSFfhXevR2/jvr4kkP1z/2L4wnzyNucy0YlfuOYkvZejBlh+vHc2 goR3YFq97VFl5k7FzXrKVJpycX0s115pVyAGuxvSuYllhQBjmaMJy+FVtP+1ZEsdwpem zbFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yrB4yLxJHQ4HtAtgJk/LKGNwDwH23ZBkcEY0ryZox2k=; b=qG7zejaNqp5ITrpkl5cCEW4U7JSilDgS+UjM1H5G1fAqORIgvQVYspczsZ5oc9bd/8 jto9cwv4Qo8/EviFNQyivv/fiBpT3mO1TnSgQPkjIJY89JsSGmoU6kJs7oe3FMWvx3Yy oqH83Ay1EXWlIeCnKmpy1ek6qIHzimI+sve64nabb9OrAsLDIN0yZhfYihv3Wr7NsJkg vqU7M8MX+SHzstYBhp+PnGljK1ZeMYrs4/x+A96fRWfDJrWH/qyDGEjE7f5BsUKz+Iro o7tHh39QgtC5CKNL+Qo0zSGGOIWNFaQ4btLKDcS2U4Y5O86tmN8ssSCMEAWSDdFsREXR /0oA==
X-Gm-Message-State: APjAAAUM5OWqSVn4eJsD2+/p6dRPoHc6V0nJKGJGhMQ6U5cP5Us1lcZt zy4UcHgCrf6kTL3twS/M76U1U4cNPgYOdkhIHOJAFw==
X-Google-Smtp-Source: APXvYqx8eAcHS0rmgoXC9UziSqmt4NjZ9sJtWkr6owUjc5IqYQj4y3P0X+XnXfKSTOCjtT3ac4Z8fhjceQ7Xcz6eyrw=
X-Received: by 2002:aca:c187:: with SMTP id r129mr729575oif.164.1558996107806; Mon, 27 May 2019 15:28:27 -0700 (PDT)
MIME-Version: 1.0
References: <155864405637.8647.14887579664730161506@ietfa.amsl.com> <CALx6S35yGHr+Hh0xB8EKZbJZxbP39MeeFH1_veWPOGiR=bXi4w@mail.gmail.com> <de5b23e5-d960-f722-6636-1c1ebc1194cf@foobar.org> <CALx6S36RHQv0VfWhXZ0Xf82ONQdraRfjdqE+-mQBoes-F7ErbA@mail.gmail.com>
In-Reply-To: <CALx6S36RHQv0VfWhXZ0Xf82ONQdraRfjdqE+-mQBoes-F7ErbA@mail.gmail.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 28 May 2019 08:28:01 +1000
Message-ID: <CAO42Z2zeQVYkf50C_AwntMoiK400g6=6Z6Sot9-Om9fLMUsH9g@mail.gmail.com>
Subject: Re: I-D Action: draft-ietf-6man-icmp-limits-02.txt
To: Tom Herbert <tom@herbertland.com>
Cc: Nick Hilliard <nick@foobar.org>, 6man <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/rzEoFr7c9XNo9wNdD5i7Of7FZ9U>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 May 2019 22:28:30 -0000

On Tue, 28 May 2019 at 06:29, Tom Herbert <tom@herbertland.com> wrote:
>
> On Mon, May 27, 2019 at 12:58 PM Nick Hilliard <nick@foobar.org> wrote:
> >
> > Tom,
> >
> > Overall this looks useful.
> >
> > Minor nits:
> >
> > >  options in Type-length-value (TLV) format. Each option includes a
> > >  length of the data field in octets, and the minimum size of an option
> > >  (non-pad type) is two bytes and the maximum length is 257 bytes.
> >
> > rephrase as:
> >
> > >  options in Type-length-value (TLV) format. Each option includes a
> > >  length of the data field in octets:  the minimum size of an option
> > >  (non-pad type) is two octets and the maximum length is 257 octets.
> >
> > s/extensions headers/extension headers/
> >
> > s/attack of extension headers-- many/attack of extension headers, many/
> >
> > s/may be applied on the number/may be applied to the number/
> >
> > s/hosts may institute limits on/hosts may implement limits for/
> >
> > s/of a fixed sized/of a fixed size/
> >
> > s/for Parameter Problem type/for Parameter Problem types/
> >
> > s/chain exceeds it processing/chain exceeds its processing/
> >
> > Can I suggest the following for the security consideration section?
> >
> > --
> > 5  Security Considerations
> >
> >     The security considerations for ICMPv6 described in [RFC4443] apply
> >     to this document.
> >
> >     A malicious actor could use crafted packets to trigger ICMPv6 error
> >     replies described in this document, thereby allowing them to
> >     discover configuration or hardware characteristics of an
> >     intermediate node.  If the intermediate node processes packets which
> >     trigger extension header limit ICMPv6 error replies by processing
> >     them in a slow path, then an attacker may be able to selectively
> >     flood the slow-path packet processor or the specific slow-path
> >     processing ingress queue, thereby affecting the packet processor's
> >     ability to handle legitimate ICMPv6 error replies.
> >
> Hi Nick,
>
> Thanks for the comments. For your proposed security considerations
> text, is the problem of exposing hardware configuration specific to
> only these type of ICMP errors? Do we need to provide so much detail
> about the possible attack? Also I suspect that ICMP error processing
> is in slow path processing anyway and there are other ways to generate
> an ICMP flood, the bigger issue might be in divulging details about
> hardware capabilities of intermediate nodes to third parties in the
> ICMP error.
>
> How about text like this:
>
> "In some circumstances, the sending of ICMP errors could be exploited
> for denial of service attack or as a means to covertly deduce
> processing capabilities of nodes as a precursor to denial of service
> attack. As such, an implementation MAY allow configurable policy to
> rate limit

ICMPv6 is already to be rate limited, per RFC 4443, 2.4, f.


> or withhold sending of ICMP in environments where security
> of ICMP errors is an issue."
>
> Thanks,
> Tom
>
> > --
> >
> > Nick
> >
> > Tom Herbert wrote on 24/05/2019 18:57:
> > > Hello,
> > >
> > > This is an update to ICMPv6 errors for processing limits. The material
> > > change is to add an "Option too big" Parameter Problem code. This is
> > > used used if a HBH or DO option length exceeds a limit, or the length
> > > consecutive padding in HBH or DO options list exceeds a limit. The
> > > recommended priority for reporting errors was also update accordingly.
> > >
> > > Thanks,
> > > Tom
> > >
> > > On Thu, May 23, 2019 at 1:42 PM <internet-drafts@ietf.org> wrote:
> > >>
> > >>
> > >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > >> This draft is a work item of the IPv6 Maintenance WG of the IETF.
> > >>
> > >>          Title           : ICMPv6 errors for discarding packets due to processing limits
> > >>          Author          : Tom Herbert
> > >>          Filename        : draft-ietf-6man-icmp-limits-02.txt
> > >>          Pages           : 12
> > >>          Date            : 2019-05-23
> > >>
> > >> Abstract:
> > >>     Network nodes may discard packets if they are unable to process
> > >>     protocol headers of packets due to processing constraints or limits.
> > >>     When such packets are dropped, the sender receives no indication so
> > >>     it cannot take action to address the cause of discarded packets. This
> > >>     document defines ICMPv6 errors that can be sent by a node that
> > >>     discards packets because it is unable to process the protocol
> > >>     headers. A node that receives such an ICMPv6 error may be able to
> > >>     modify what it sends in future packets to avoid subsequent packet
> > >>     discards.
> > >>
> > >>
> > >> The IETF datatracker status page for this draft is:
> > >> https://datatracker.ietf.org/doc/draft-ietf-6man-icmp-limits/
> > >>
> > >> There are also htmlized versions available at:
> > >> https://tools.ietf.org/html/draft-ietf-6man-icmp-limits-02
> > >> https://datatracker.ietf.org/doc/html/draft-ietf-6man-icmp-limits-02
> > >>
> > >> A diff from the previous version is available at:
> > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-icmp-limits-02
> > >>
> > >>
> > >> Please note that it may take a couple of minutes from the time of submission
> > >> until the htmlized version and diff are available at tools.ietf.org.
> > >>
> > >> Internet-Drafts are also available by anonymous FTP at:
> > >> ftp://ftp.ietf.org/internet-drafts/
> > >>
> > >> --------------------------------------------------------------------
> > >> IETF IPv6 working group mailing list
> > >> ipv6@ietf.org
> > >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > >> --------------------------------------------------------------------
> > >
> > > --------------------------------------------------------------------
> > > IETF IPv6 working group mailing list
> > > ipv6@ietf.org
> > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > --------------------------------------------------------------------
> > >
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------