Re: Errata for RFC4862
Mark Smith <markzzzsmith@gmail.com> Mon, 09 January 2017 19:14 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79F7512944C for <ipv6@ietfa.amsl.com>; Mon, 9 Jan 2017 11:14:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49ul4By9rdAX for <ipv6@ietfa.amsl.com>; Mon, 9 Jan 2017 11:14:23 -0800 (PST)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1944312986C for <ipv6@ietf.org>; Mon, 9 Jan 2017 11:14:17 -0800 (PST)
Received: by mail-ua0-x22d.google.com with SMTP id 35so36133664uak.1 for <ipv6@ietf.org>; Mon, 09 Jan 2017 11:14:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7M9AWMfGojqpcoU9BiM+TIoFVIKc5NOmEcq+td3gCyc=; b=tPR2SbRrecgRnt4cvQUjkG00ALTGhjRQcWbdIDuxTGaBuHRGkB81ZMrEoE7WBihqie 7nTOuyAOz2UQh9/033fZlSZYIGUPJKFG9upfTjvkpcGWepq+gMuBsBebDBRnN0DXOeye ZVXIMKAM4YHDgV2Ht7FS76P9Y6rMmnb5Wztl9Kzo0NFC7MSsId4Bi0eoACXLG8zy9XZ6 Dgytj2Sty/YUXhjcVBD+1nSXCdUWAzfhl481l04GZ1UIrDNB2sVU/TxU0uac/kK5mhy2 /NKclQlN0Sa1kfqr3F9miuuZC2upX2yx4RLHJtPB/PY/XodEh65gt/Vy65zp0a34AQdC 7qnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7M9AWMfGojqpcoU9BiM+TIoFVIKc5NOmEcq+td3gCyc=; b=Yn2cUKpzmcbAWlZZJ7iU/0N6ZQiRNL6RLS89c/kivSOViRJf8YxrX+MfvxVRMoqX38 8dlUO06d6FoTAgQArRjUKE0vIPHUKxJZK++fuMJ3HWalD3JEuRWRkB3YULpm3merh7uR +6CxivsDlv2chNz9WDAfOtb+cmf689Xtjg2xwpBX8Ga5QGgoHFoY0PePcIcaSH/eDciS kTbx1aNU7d43Pd8E/Lxm25+qTwN6aDrdPQFtpJrVfdg/LxZugTre+h8zcJFlJwXRlfxP apdOJ2f1CALet4al7n199AoUAn8dvBAM7Su2Np5cw32HdFnQKREPrOW8xxCRMFrh/mKP TSkw==
X-Gm-Message-State: AIkVDXKxXyEZc5FTPH6jY1SXnYMknnnRr2WCH4xYJNMARs5vqpDGc7aat983b6ljs412dND3+soUKvaK9/uiKw==
X-Received: by 10.159.35.143 with SMTP id 15mr8499478uao.28.1483989256059; Mon, 09 Jan 2017 11:14:16 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.2.235 with HTTP; Mon, 9 Jan 2017 11:13:45 -0800 (PST)
In-Reply-To: <E459F5B0-D088-4D74-B92A-9A8671249716@employees.org>
References: <CAO42Z2xH9wqXKFjtAbv6isQ3cG1=FNUmkNFq2DGJdqj9BFDVaQ@mail.gmail.com> <E459F5B0-D088-4D74-B92A-9A8671249716@employees.org>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Tue, 10 Jan 2017 06:13:45 +1100
Message-ID: <CAO42Z2zb9AyMkG12Gr9mBZapZBD=u9xg-R+DD-YkKTbmCc4OhA@mail.gmail.com>
Subject: Re: Errata for RFC4862
To: Ole Troan <otroan@employees.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/yEXLxmyhpShbYjVIvQt2WA97puM>
Cc: 6man WG <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2017 19:14:24 -0000
Hi Ole, On 9 January 2017 at 19:53, <otroan@employees.org> wrote: > Mark, > > The current text is crafted both to allow renumbering and to support scenarios where the RA lifetimes are short. I.e. under two hours. Check/Rule 2 seems to be the only check/rule specifically permitting less than 2 hours, but it is only doing so if the RA is authenticated. So non-authenticated RAs with a Valid Lifetime of 2 hours should be ignored. The text seems to be stating and enforcing this 2 hour minimum a number of times: 1. If the received Valid Lifetime is greater than 2 hours, ... set the valid lifetime of the corresponding address to the advertised Valid Lifetime. 2. If RemainingLifetime is less than or equal to 2 hours, ignore the Prefix Information option with regards to the valid lifetime, unless the Router Advertisement from which this option was obtained has been authenticated ... 3. Otherwise, reset the valid lifetime of the corresponding address to 2 hours. Perhaps in the the first check/rule, it should have been an 'and' rather than an 'or': 1. If the received Valid Lifetime is greater than 2 hours and greater than RemainingLifetime, set the valid lifetime of the corresponding address to the advertised Valid Lifetime. Flipping the perspective around, if less than 2 hour Valid Lifetimes are acceptable from non-authenticated RAs, then this set of 3 checks/rules could be much simpler and a single statement: "If the received Valid Lifetime is greater than the RemainingLifetime, reset the valid lifetime to the received Valid Lifetime." However, I don't think that would protect against the DoS described. > Your proposed changes appear to lock the lifetimes to no less than two hours. Is that correctly understood? > For unauthenticated RAs, yes. That would seem to be the solution to the DoS attack mentioned. "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes." where small seems to be viewed as < 2 hours by the previous check/rule text. I've mentioned it because I believed where was a minimum VL in an RA PIO of 2 hours for unauthenticated RAs, and have recently heard of an ISP sending VLs of 1 hours. Those RAs should be failing the very first > 2 hour check (the very first part of check/rule 1), however they're not, and the receiving implementation is not using the VL correctly (so there look to be two problems). Regards, Mark. > Btw, this might not be appropriate for an erratum, but I do also think we should revisit this behaviour. For the IPv6 core specifications to Internet standards work, I think the tentative conclusion was that we needed to do 4861/4862bis documents in-place before considering an advancement. > > O. > >> On 8 Jan 2017, at 06:30, Mark Smith <markzzzsmith@gmail.com> wrote: >> >> Hi, >> >> I've struggled with the Errata tool complaining about not having line >> breaks at 72 characters for the last 15 or so minutes, and after >> making number of failed attempts to fix that, that's enough! >> >> Section: >> >> 5.5.3 RouterAdvertisement Processing >> >> >> Original Text: >> >> 1. If the received Valid Lifetime is greater than 2 hours or >> greater than RemainingLifetime, set the valid lifetime of the >> corresponding address to the advertised Valid Lifetime. >> >> 2. If RemainingLifetime is less than or equal to 2 hours, ignore >> the Prefix Information option with regards to the valid >> lifetime, unless the Router Advertisement from which this >> option was obtained has been authenticated (e.g., via Secure >> Neighbor Discovery [RFC3971]). If the Router Advertisement >> was authenticated, the valid lifetime of the corresponding >> address should be set to the Valid Lifetime in the received >> option. >> >> 3. Otherwise, reset the valid lifetime of the corresponding >> address to 2 hours. >> >> >> Corrected Text: >> >> 1. If the Router Advertisement is not authenticated (e.g., via Secure >> Neighbor Discovery [RFC3971]), and if the received Valid Lifetime is greater >> than 2 hours, set the valid lifetime of the corresponding address to the >> advertised Valid Lifetime. >> >> 2. If the Router Advertisement has been authenticated (e.g., via Secure >> Neighbor Discovery [RFC3971]), the valid lifetime of the corresponding >> address should be set to the Valid Lifetime in the received option >> (regardless of whether it is greater than 2 hours or not). >> >> 3. Otherwise, reset the valid lifetime of the corresponding address to 2 >> hours. >> >> In other words, unless an RA is authenticated, Valid Lifetimes in RA PIOs >> MUST be greater than 2 hours. >> >> >> Notes: >> >> For unauthenticated RAs, throughout the text there are numerous checks >> to prevent a possible DoS attack described in the subsequent >> paragraph: >> >> "The above rules address a specific denial-of-service attack in >> which a bogus advertisement could contain prefixes with very small >> Valid Lifetimes." >> >> Check 1 above would seem to allow a Valid Lifetime in an RA PIO that >> is much less than 2 hours, as long as the value is greater than the >> RemainingLifetime. For example, if a host's RemainingLifetime for an >> address is 60 seconds, an RA PIO ValidLifetime of 61 seconds would be >> acceptable. This would seem to contradict the DoS protection goal. >> >> Check 2 does check to ensure that RemainingLifetime is greater than 2 >> hours, however Check 1 has >> already accepted the RA PIO VL <2 hours (if greater than >> RemainingLifetime) and set the address's Valid >> Lifetime to a value possibly much less than 2 hours. >> >> An attacker could take advantage of this by doing the following: >> >> 1. Send an initial RA with a ValidLifetime of 2 hours, which would pass Check 1. >> 2. Wait until around 1 hour and 59.5 minutes, and then send an RA with >> a ValidLifetime of 61 seconds. >> 3. Send RAs every 30 or so seconds with a ValidLifetime of 61 seconds, >> holding all of the victim hosts' >> ValidLifetimes at a low value. These RAs would also pass Check 1 as >> long as the VL in the RA was >> greater than the hosts' current VL for the addresses. >> 4. When it could cause the most significant denial of service, stop >> sending the RAs, causing the hosts' >> address VLs and therefore the addresses to expire within 60 seconds or so. >> >> >> Regards, >> Mark. >> >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list >> ipv6@ietf.org >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- >
- Errata for RFC4862 Mark Smith
- Re: Errata for RFC4862 otroan
- Re: Errata for RFC4862 Fernando Gont
- Re: Errata for RFC4862 otroan
- Re: Errata for RFC4862 神明達哉
- Re: Errata for RFC4862 Mark Smith
- Re: Errata for RFC4862 Tim Chown
- Re: Errata for RFC4862 神明達哉
- Re: Errata for RFC4862 Mark Smith
- Re: Errata for RFC4862 Tim Chown