IETF Logo Mail Archive

Re: Conflicting requirements for sending ICMPv6 and EH scan?

Ole Troan <otroan@employees.org> Wed, 29 May 2019 07:35 UTC

Return-Path: <otroan@employees.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F4E12018F for <ipv6@ietfa.amsl.com>; Wed, 29 May 2019 00:35:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_3RF84pZSXd for <ipv6@ietfa.amsl.com>; Wed, 29 May 2019 00:35:35 -0700 (PDT)
Received: from bugle.employees.org (accordion.employees.org [198.137.202.74]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7124212016C for <ipv6@ietf.org>; Wed, 29 May 2019 00:35:35 -0700 (PDT)
Received: from astfgl.hanazo.no (77.16.61.109.tmi.telenormobil.no [77.16.61.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bugle.employees.org (Postfix) with ESMTPSA id 90646FECC1BB; Wed, 29 May 2019 07:35:34 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1]) by astfgl.hanazo.no (Postfix) with ESMTP id 5ECBA164553D; Wed, 29 May 2019 09:35:30 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: Conflicting requirements for sending ICMPv6 and EH scan?
From: Ole Troan <otroan@employees.org>
In-Reply-To: <CALx6S37-tRSo=OaKAAtZoCh1QXeUMN+jjyEuGq5d93APFWUNYA@mail.gmail.com>
Date: Wed, 29 May 2019 09:35:30 +0200
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, 6man WG <ipv6@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <06BE9E0C-1ACD-4FFE-9FC6-881A071FF9B0@employees.org>
References: <CALx6S37wNpe=XweKh=Y6ARZ1nfjvySmK=km6+_UTDVFPujp7bA@mail.gmail.com> <C5EF34CD-8408-490F-A460-6D392495D218@employees.org> <CALx6S35M_iZpm3jhAf4s4QSWHd-kdM4+4ZW-NeVqZtNiTpK0JQ@mail.gmail.com> <50C4484A-790A-4960-966D-E947B625AF3E@employees.org> <CALx6S369+y9-MoAzjfL17p-xcFSW5c62ykgBzaJEy5UpdBz0Bg@mail.gmail.com> <A2B2BB45-D66D-4407-86F1-13331A78E8A6@employees.org> <CALx6S34-11bSJMUQ6pK8cZ5zEa+fUkQWNRZbCR7sVasQMzjong@mail.gmail.com> <C1F78071-CB87-4D57-967E-A1612392FADD@employees.org> <f5b7349b-f1c5-237f-2f7f-9403e0b80496@joelhalpern.com> <07E04DAC-A0F9-4D40-982C-B36FDAE59D0B@employees.org> <CALx6S37-tRSo=OaKAAtZoCh1QXeUMN+jjyEuGq5d93APFWUNYA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/yEU8H64uomCO7WXLuw51ygroldQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 07:35:49 -0000

Tom,

>>> (Trimmed.)
>>> If you don't check for ICMP in the received message, couldn't one easily get two misbehaving boxes (each trying to use an option the other doesn't understand) bouncing ICMPs back and forth?  Preventing that is the reason for the rule.
>> 
>> Right.
>> If host A includes in it's ICMP error messages an unknown to host B EH _ and_ host B includes an unknown to host A EH in it's ICMP error messages, you would get a loop.
>> That I don't think we can fix, apart from stating though shalt not do that.
>> 
>> Now, for the case where host A includes in it's ICMP error message an known EH, but with a problematic option inside, and host B would do the same, then Tom's "skip to the end if I can" approach would work.
>> And thinking some more about it, I think that behaviour is the correct one. And as I think was pointed out earlier, you are not "processing headers" any longer, you are just peaking at the upper layer protocol type.
>> 
> Ole,
> 
> Yes, I think the approach is reasonable (and we've been doing it for
> fourteen years anyway!).

Agree, and at the same time I do not agree it is mandated by RFC.
(and we can of course discuss if it should have been. ;-))

> Assuming we do continue to perform the deep parse, then what should be
> done if we can't conclusively determine whether or not the packet
> contains an ICMP error (for instance we hit something like an
> unrecognized next header or ESP)? Right now the ICMP error is sent
> anyway, but strict adherence to RFC4443 might imply we shoudn't send.

That's equivalent to my first example above.
You encounter a parameter problem in a header chain that cannot be walked to the end, you should send the ICMP.
Of course at that point it would be unwise to likely known or likely unknown EHs before the ICMP header, in the ICMP error response...

Cheers,
Ole

v2.23.0 | Report a Bug | By Email