IETF Logo Mail Archive

Re: Conflicting requirements for sending ICMPv6 and EH scan?

Ole Troan <otroan@employees.org> Tue, 28 May 2019 10:23 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5956D1201C3 for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 03:23:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cuN0g6F-KOM for <ipv6@ietfa.amsl.com>; Tue, 28 May 2019 03:23:36 -0700 (PDT)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E5661201BB for <ipv6@ietf.org>; Tue, 28 May 2019 03:23:36 -0700 (PDT)
Received: from astfgl.hanazo.no (unknown [173.38.220.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id 95EF8FECC193; Tue, 28 May 2019 10:23:35 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id 4DFC5162F14F; Tue, 28 May 2019 12:23:31 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: Conflicting requirements for sending ICMPv6 and EH scan?
From: Ole Troan <otroan@employees.org>
In-Reply-To: <CALx6S35M_iZpm3jhAf4s4QSWHd-kdM4+4ZW-NeVqZtNiTpK0JQ@mail.gmail.com>
Date: Tue, 28 May 2019 12:23:31 +0200
Cc: 6man WG <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <50C4484A-790A-4960-966D-E947B625AF3E@employees.org>
References: <CALx6S37wNpe=XweKh=Y6ARZ1nfjvySmK=km6+_UTDVFPujp7bA@mail.gmail.com> <C5EF34CD-8408-490F-A460-6D392495D218@employees.org> <CALx6S35M_iZpm3jhAf4s4QSWHd-kdM4+4ZW-NeVqZtNiTpK0JQ@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/uIReWYkBrIMS7ZT4wx_0MIKy8Nw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 10:23:37 -0000

Tom,

> The rfc4443 text you are quoting is from section 2.4. That deals with processing rules for ICMP messages. That is, you already know you have received an ICMP at that point. 
> 
> If you are looking at the corner case where someone sends you an ICMP message with an unparsable extension header chain, then you have to treat that as any other packet with unknown headers. 
> 
> Ole, here is an example scenario:
> 
> A host receives a packet with a destination option whose type is unrecognized by the host. The high order bits of the option type indicate that an ICMP error should be sent in response to receiving an unknown option. But, per the text quoted from RFC4443, we are not permitted to send the ICMP error if the received packet was itself an ICMP error packet. At this point, we're only processing the destination options, so we don't know yet whether or not the received packet is ICMP-- the only way to determine that is to parse the packet beyond the destination options EH to find the transport protocol.

But in the general case you cannot. And probably shouldn't either.
In this case the stack cannot know that it has received an ICMP message and the provisions in RFC4443 do not apply.

Is there any case where an ICMP error message can include extension headers before the ICMP header?

If we allow that, you could indeed imagine a (very constructed) case, where host A sends host B an unparsable header chain ICMP, and host B responds with a different unparsable header chain ICMP.

Best regards,
Ole

v2.23.0 | Report a Bug | By Email