Re: [Technical Errata Reported] RFC4443 (4445)
Brian Haberman <brian@innovationslab.net> Mon, 14 September 2015 12:20 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3C031B3463 for <ipv6@ietfa.amsl.com>; Mon, 14 Sep 2015 05:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZC6ntTYPgHu for <ipv6@ietfa.amsl.com>; Mon, 14 Sep 2015 05:20:26 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E5FD1B4410 for <ipv6@ietf.org>; Mon, 14 Sep 2015 05:20:19 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 4656C88127 for <ipv6@ietf.org>; Mon, 14 Sep 2015 05:20:19 -0700 (PDT)
Received: from clemson.jhuapl.edu (swifi-nat.jhuapl.edu [128.244.87.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id F0E19328081A for <ipv6@ietf.org>; Mon, 14 Sep 2015 05:20:18 -0700 (PDT)
Subject: Re: [Technical Errata Reported] RFC4443 (4445)
To: "ipv6@ietf.org" <ipv6@ietf.org>
References: <20150816000126.4978D180207@rfc-editor.org>
From: Brian Haberman <brian@innovationslab.net>
Message-ID: <55F6BB81.7020702@innovationslab.net>
Date: Mon, 14 Sep 2015 08:20:17 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <20150816000126.4978D180207@rfc-editor.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="2gJ8dO6xdBm5LVg11fMex0bb0C5gPAO8u"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/yCezBHi2vua1ZHE1UFrGqGHn9aI>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2015 12:20:29 -0000
All,
Looking for thoughts on this erratum. Given my understanding of
the development of RFC 4443, I am inclined to reject this erratum. It
appears to be making a retroactive change to the text to align with
current terminology and functionality. That is not the function of the
errata system.
Does anyone believe this is a valid erratum?
Regards,
Brian
On 8/15/15 8:01 PM, RFC Errata System wrote:
> The following errata report has been submitted for RFC4443,
> "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=4443&eid=4445
>
> --------------------------------------
> Type: Technical
> Reported by: Dennis Ferguson <dennis.c.ferguson@gmail.com>
>
> Section: 3.1
>
> Original Text
> -------------
> ICMPv6 Fields:
>
> Type 1
>
> Code 0 - No route to destination
> [...]
> 5 - Source address failed ingress/egress policy
> 6 - Reject route to destination
> [...]
> If the reason for the failure to deliver is lack of a matching entry
> in the forwarding node's routing table, the Code field is set to 0.
> (This error can occur only in nodes that do not hold a "default
> route" in their routing tables.)
> [...]
> If the reason for the failure to deliver is that the route to the
> destination is a reject route, the Code field is set to 6. This may
> occur if the router has been configured to reject all the traffic for
> a specific prefix.
>
> Codes 5 and 6 are more informative subsets of code 1.
>
>
> Corrected Text
> --------------
> ICMPv6 Fields:
>
> Type 1
>
> Code 0 - No route to destination
> [...]
> 5 - Source address failed ingress/egress policy
> 6 - Destination address failed ingress/egress policy
> [...]
> If the reason for the failure to deliver is lack of an entry in the
> forwarding node's routing table that can be used to reach the
> destination, the Code field is set to 0. This error may be reported
> by nodes that lack a default route or are the origin of an aggregate
> route
> [...]
> If the reason for the failure to deliver is that the packet with this
> destination address is not allowed due to ingress or egress filtering
> policies, the Code field is set to 6.
>
> Codes 5 and 6 are more informative subsets of code 1.
>
>
> Notes
> -----
> A router that is the explicit or implicit origin of an aggregate
> route prefix in routing must not forward messages to destinations
> matching the aggregate prefix using a route with a prefix less specific
> than the aggregate route it originated (e.g. a defaut route). This
> constraint is necessary to produce correct, loop-free routing. The
> parenthetical comment in the current description of the Code 0 error
> overlooks the fact that such nodes may lack a route which may be used to
> reach a destination matching an aggregate prefix, and may be the only
> nodes which could report this lack, even if they do have routes to less
> specific matching prefixes. The suggested change to the Code 0
> description attempts to correct this.
>
> Concerning Code 6, the earliest definition of a "reject route" I've
> found in writing is in the RFC 2096 IP Forwarding Table MIB (though
> 4.3BSD-Reno kernels supported them in 1990 and there may well be earlier
> uses). The updated description of inetCidrRouteType in RFC 4292 says this:
>
> reject(2) refers to a route that, if matched, discards
> the message as unreachable and returns a notification
> (e.g., ICMP error) to the message sender. This is used
> in some protocols as a means of correctly aggregating
> routes.
>
> In the MIB a reject route is a generic mechanism to indicate that packets
> with matching destinations won't be forwarded using less specific routes,
> but instead will be discarded if no more specific matching route to use
> to forward the packet is known with an error being returned to the
> message sender. The reason no specific error is associated with this is
> that while the presence of the reject route describes how messages are
> forwarded, or not forwarded (i.e. the mechanism), it does not describe why
> they are being forwarded like that (i.e. the policy); to know the latter
> requires knowing why the reject route was added. Knowing which error
> will be reported hence requires knowing the purpose that is being
> implemented by the reject route.
>
> The original use of the mechanism, as indicated above, was to produce
> correct forwarding on routers originating aggregate routes. Another use
> of the mechanism, to prevent packets with Local IPv6 destination addresses
> from being forwarded beyond a site's administrative boundary, was suggested
> in Section 4.3 of RFC 4193 (I believe this can only be understood as a
> suggestion, rather than an implementation requirement, since the policy
> it requires could be indistinguishably implemented with a firewall filter
> instead).
>
> The current definition of Code 6 describes the error being reported
> as "Reject route to destination", that is it ascribes the reason for
> the error to the mechanism itself rather than the policy the mechanism
> was employed to implement. If this was the intent then its discription
> is technically inaccurate. A reject route does not necessarily implement
> an administrative prohibition nor is its function necessarily to "reject
> all traffic for a specific prefix"; the original use of reject routes
> for aggregation is inconsistent with both of these. What I believe is
> that the intent of Code 6 is to report the error associated with the
> RFC 4193 border patrol policy, independent of how that is implemented, and
> so I've changed the text to better reflect that.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC4443 (draft-ietf-ipngwg-icmp-v3-07)
> --------------------------------------
> Title : Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
> Publication Date : March 2006
> Author(s) : A. Conta, S. Deering, M. Gupta, Ed.
> Category : DRAFT STANDARD
> Source : IP Version 6 Working Group
> Area : Internet
> Stream : IETF
> Verifying Party : IESG
>
- Re: [Technical Errata Reported] RFC4443 (4445) Brian Haberman
- Re: [Technical Errata Reported] RFC4443 (4445) 神明達哉
- Re: [Technical Errata Reported] RFC4443 (4445) Ralph Droms
- Re: [Technical Errata Reported] RFC4443 (4445) Dennis Ferguson
- Re: [Technical Errata Reported] RFC4443 (4445) otroan