IETF Logo Mail Archive

Re: [IPv6] sendmsg() for HBH ? Re: Removing extension headers from packets (revisited)

Tom Herbert <tom@herbertland.com> Tue, 22 August 2023 15:47 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF3CFC151541 for <ipv6@ietfa.amsl.com>; Tue, 22 Aug 2023 08:47:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5_79CWIfihJc for <ipv6@ietfa.amsl.com>; Tue, 22 Aug 2023 08:47:23 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94DA1C151533 for <6man@ietf.org>; Tue, 22 Aug 2023 08:45:39 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-564b6276941so2961599a12.3 for <6man@ietf.org>; Tue, 22 Aug 2023 08:45:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland.com; s=google; t=1692719139; x=1693323939; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=M/CGgl0UOtWKo6ISZTX5bTNlvABaPpLEdEiXb08RAYs=; b=KFPNubI4SktqopqAHLVavR7/02uHlSpSVucl+IY3lMA7YXign0lfSz6kBofFU10yCH YEITPoXLk0w7y4+7WrtB81WGjl4bdUc3sKscDiwuOgP5UqEI2ZKTPf7AFoCjH3+XxIUH lxtEE4jRRiqmuOc1i7QZ9V5iaIQfEWuKfPrhJBJ2BhjNCj1IR7IoorqZ97gSAbd+PDJv TbLIYNdkHgMLMi2+U1ZuGabBIYyV6uo1NTTd4HRAae4ssA9PO/4hrqWriixQNXDqBWqj OIIY9ZL4qW0Li4iW1baDiIu4CCFxcXJItU6wlt9iwOrXLtZnvBGTwvsBB83576zGWyRe wuoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692719139; x=1693323939; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=M/CGgl0UOtWKo6ISZTX5bTNlvABaPpLEdEiXb08RAYs=; b=YqafS0Chns0hb1pdxwppdWACimMNEhIAucSo1KyktviZN3m3D/ftPHPWGXe6waamxp 70XWLm23h8j8PcQDj5BwP7WtnPzTRzBWytaiEV5lfJatSBC7YPDqz0XvhYrhQCSaZtiC 3vwIG8gthab8uiyUuswTrfgP6tUwtOrlDTLcv4gua053P40tDxN0qM4/wIYjuxPVxdR8 26xfSjUKsoKDERo5a03P+7lWSESVZ71cJmpN9MKXpjMyv/AjQgz3FGXIJdPt3HcGAt0Z Pr7euQiXCKzoDRYFwUfBRUoi7DegAkzVJlwkQ6t3VJZxWpQq7M0+H9/Z2Lp4mgymjoXp mSDg==
X-Gm-Message-State: AOJu0YwGZF7UDDwv6YjrNpNIrcy52j5iXbNH1uJTB89tPTgC9CTuPn8G xrTo7yhEM/r5qij3QOMJgeH/4Y5t6ggedCrIRyUZf7Wbe/0i3oMP
X-Google-Smtp-Source: AGHT+IEiFcbv8X9nED6g3n5U+dX75GFXHXdhBkE9vgTnsMntpBXds2kcagdedMg9NMeS+AndGutOHmpGPynMUqV30eY=
X-Received: by 2002:a17:90a:fb89:b0:26b:534e:234 with SMTP id cp9-20020a17090afb8900b0026b534e0234mr7827267pjb.35.1692719138723; Tue, 22 Aug 2023 08:45:38 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S36gQBgNAp-Poq3pRupGWUh0iA8M546=S=vUp5cQK_82TQ@mail.gmail.com> <ZN8g05pO83NdLN90@faui48e.informatik.uni-erlangen.de> <CALx6S35RS4uKvaQ9G5R5BdffWKsmdUxR3KuwYqf8xtAKuTtqbw@mail.gmail.com> <ZOSKZgTNYRBFOZVj@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZOSKZgTNYRBFOZVj@faui48e.informatik.uni-erlangen.de>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 22 Aug 2023 08:45:25 -0700
Message-ID: <CALx6S34uOXyy+MBDR2Zb+9i9CPnRwrGV-TZcQ-wd5gi67SPKpw@mail.gmail.com>
To: Toerless Eckert <tte@cs.fau.de>
Cc: 6MAN <6man@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/y0gp7NvMBkyOxTARIua4Ri4ETgs>
Subject: Re: [IPv6] sendmsg() for HBH ? Re: Removing extension headers from packets (revisited)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2023 15:47:26 -0000

On Tue, Aug 22, 2023 at 3:14 AM Toerless Eckert <tte@cs.fau.de> wrote:
>
> On Fri, Aug 18, 2023 at 07:14:22AM -0700, Tom Herbert wrote:
> > Hi Toerless,
> >
> > Yes, admin privileges are need to set EH in Linux. I have patches to fix
> > that and am planning to push them at some point.
>
> Thanks, and *sigh* I was hoping that in the last 8 years where i hadn't checked this,
> something would have improved.
>
> > Yes, fortunately OS support doesn't require and standards action.
>
> True, but i think to remember that when we asked last time, that there where
> concerns from the linux kernel community that such non-privileged access to
> extension headers would pose security risks and hence it was never enabled
> in the linux kernel.

Yes, it does require fine grained security controls.

>
> Think about an unprivileged application using a UDP socket to send an
> SRH EH. Scary ? Network operators that use SRH might think so.

Network operators don't normally trust hosts anyway, and privileged
operations are only intended to protect host resources not network
resources. This is why HMAC is defined for SRH, FAST tickets can be
authenticated by the network, etc.

>
> Think about an unprivileged IoT application using a UDP socket to send
> a RFC6554 EH. Scary ? I would think all folks knowledgable of networking
> using RPL would say it should not be scary.

It's no different than if the IoT device was hacked and the attacker
started sending spewing routing headers. It's incumbent on the network
to protect itself from untrusted sources.

>
> Aka: One and the same fundamental scheme (traffic steering info) may likely
> be seen as more or less "privileged".
>
> And i think we simply need to put more force behind the notion that extension headers
> must NOT require special privileges. Or else, we will never get easy ubiquitous
> use of them.

Yes.

>
> Privile can and should be tied to protocol if anything (ICMP(v6)) for example,
> raw IP sockets etc. But not to any TCP, SCTP, UDP, QUICK or other correctly
> per-application demultiplexable transport protocol sockets.
>
> In return, the question is what level of security requirements do extension
> headers have to have to permit such unprivileged use ?

IIRC, the patches allowed the admin to enable HbH and destination
options by option number.

>
> To me, its practically, that extension headers MUST NOT impact / be impacted
> by traffic not matching their 5-tuple transport connection/transaction.
>
> This is a simple security requirement, but i am not sure it was written down anywhere.
> Is it (i don't know all relevant text).
>
> Do all our EH meet this security requirement ? aka: no traffic monitoring
> extension heaeder collection more than 5-tuple info ? I hope we do...
>
I think what you're saying is that correct processing of extension
headers cannot depend on headers or data that follow the extension
headers, nor on any external context or and state. AFAIK, this is true
for currently defined extension headers and options within extension
headers.

One possible exception is that we might want to process Destination
Options before a Routing Header differently than Destination Options
after a Routing Header or Destination Options without a Routing
Header. In the recommended EH ordering of RFC8200, a Routing Header
immediately follows Destination Options, so if the next header of
DestOpts is 43 then that is a strong signal that those are Destination
Options before the Routing Header and this determination is made just
by inspecting the DestOpts header. If this signal is used to DestOpts
processed differently it's probably debatable whether this violates
the rule about processing being dependent on downstream headers.

Tom


> Cheers
>     Toerless
>
> >
> > Tom
> >
> >
> > > Cheers
> > >     Toerless
> > >
> > > On Mon, Aug 14, 2023 at 01:12:40PM -0700, Tom Herbert wrote:
> > > > Hi 6man,
> > > >
> > > > I know this topic of removing extension headers has been brought up
> > > > before, but I think in light of some emerging use cases it might be
> > > > worth revisiting.
> > > >
> > > > draft-herbert-fast and draft-media-hdr-wireless describe host to
> > > > network signaling. Both of these use Hop-by-Hop extension headers
> > > > (draft-media-hdr-wireless currently specifies using UDP options, but
> > > > could be HBH). A common attribute of these is that the information in
> > > > Hop-by-Hop options is only relevant in the local network of the
> > > > source. More specifically, it might only be relevant to the first hop
> > > > router in a provider network to process the options. After processing
> > > > by that router, the Hop-by-Hop option just along for the ride, no
> > > > other nodes in the path care about it and the end node probably
> > > > doesn't care either.
> > > >
> > > > Segment routing has a similar property. Once the final segment is set
> > > > in the Destination Address, the segment routing header contains no
> > > > useful information to downstream nodes.
> > > >
> > > > In both these cases, as long as the destination is in the same domain
> > > > as the sender, we expect things to work. For EH it's a statement of
> > > > practicality because of perceived drop rates on the Internet, for
> > > > segment routing it's inherent in the design for segment routing
> > > > domains. So this raises the question, what happens if a sender sends
> > > > to a destination out of its local domain and still wants services
> > > > applied to packets while they're in the local domain, or what if
> > > > segment routing is used to route a packet to an egress point in the
> > > > segment routing domain that then traverses the Internet.
> > > >
> > > > Could it be acceptable for routers to remove HBH EH or routing header
> > > > EH when a packet exits a limited domain? I realize this is contrary to
> > > > RFC8200 and might be considered an architectural abomination, but on
> > > > the other hand this might be a practical way to improve the
> > > > deployability of extension headers without any material adverse side
> > > > effects (other than packets being dropped which might happen anyway if
> > > > packets with EH escaped the limited domain).
> > > >
> > > > Comments?
> > > >
> > > > Thanks,
> > > > Tom
> > > >
> > > > --------------------------------------------------------------------
> > > > IETF IPv6 working group mailing list
> > > > ipv6@ietf.org
> > > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > > > --------------------------------------------------------------------
> > >
> > > --
> > > ---
> > > tte@cs.fau.de
> > >
>
> --
> ---
> tte@cs.fau.de

v2.23.0 | Report a Bug | By Email