IETF Logo Mail Archive

Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard

Alia Atlas <akatlas@gmail.com> Wed, 22 January 2014 02:34 UTC

Return-Path: <akatlas@gmail.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 167D11A0152 for <mpls@ietfa.amsl.com>; Tue, 21 Jan 2014 18:34:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wWD0WVpQIXtY for <mpls@ietfa.amsl.com>; Tue, 21 Jan 2014 18:34:47 -0800 (PST)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id C8ADB1A0125 for <mpls@ietf.org>; Tue, 21 Jan 2014 18:34:46 -0800 (PST)
Received: by mail-ie0-f177.google.com with SMTP id at1so7943295iec.22 for <mpls@ietf.org>; Tue, 21 Jan 2014 18:34:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=MHIB4QoQD5POM/YGlFDGNRG9+A19iRq51m4Mo04wXa8=; b=QgtUsxlOKPbuKXIPSEc5NwvtUSx+jBwGf5chlo2VQqCTis1tGx6Vgpok46J3AKDt0a CSsDjyVlGvko67RmQYFXtXkKZPz+iX3+YDlU2df77wVz74EPqmPljpgMLyTdogcJdOuP TJwhxdAeu1FNsppbhRY2Q1KgHneRiLtw9k7obJYK6xhP7M/mSmV2uPG4xHeX0xfBZiTV kzefbOIKjE/38PUer4zA/aPcGbKp/anwZFH7fDpaXRA0z609Z/W5IlJ5NZJCuBYq1Dr0 i2yU4sdNeADlJNYEypjOLQt2knX+QDgfMNC/E6d5SQy13Bdr8hxZzG2dKhL9UwNg7nRL /t4w==
MIME-Version: 1.0
X-Received: by 10.50.25.129 with SMTP id c1mr21074906igg.23.1390358086276; Tue, 21 Jan 2014 18:34:46 -0800 (PST)
Received: by 10.64.72.132 with HTTP; Tue, 21 Jan 2014 18:34:46 -0800 (PST)
In-Reply-To: <290E20B455C66743BE178C5C84F1240847E63346DF@EXMB01CMS.surrey.ac.uk>
References: <290E20B455C66743BE178C5C84F1240847E63346DE@EXMB01CMS.surrey.ac.uk> <201401220024.s0M0OwGW068768@maildrop2.v6ds.occnc.com> <290E20B455C66743BE178C5C84F1240847E63346DF@EXMB01CMS.surrey.ac.uk>
Date: Tue, 21 Jan 2014 21:34:46 -0500
Message-ID: <CAG4d1rdF=p0BkWuGcmvvA39s3LSidSBVKYYW=ugxgiazVCRXeg@mail.gmail.com>
From: Alia Atlas <akatlas@gmail.com>
To: l.wood@surrey.ac.uk
Content-Type: multipart/alternative; boundary="047d7bdc10ecd7e0c704f085f7ae"
Cc: joelja@bogus.com, "mpls@ietf.org" <mpls@ietf.org>, "Eggert, Lars" <lars@netapp.com>
Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt> (Encapsulating MPLS in UDP) to Proposed Standard
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2014 02:34:52 -0000

Lloyd,

On Tue, Jan 21, 2014 at 8:04 PM, <l.wood@surrey.ac.uk> wrote:

> Curtis,
>
> the 'intended for use within a service provider' and not for mass use
> sounds reasonable,
> and scoping in this way may also alleviate some congestion control
> concerns.
>

[Alia] Excellent - so if we can describe filtering on the correct fields to
enforce this constrained scope, then the concerns about congestion control
may be alleviated.

>
> But outgoing packet filtering, when you're trying to catch a corrupted
> port,
> and the port is not what you think it is? That's going to do a partial job
> of corrupted addresses in IPv6 at best. (v4 has header checksums,
> ports in v4 and v6 are open to corruption sans UDP pseudo-header
> check.)
>

[Alia] Are you actually suggesting that it is highly likely for both the
destination IP and UDP port to be simultaneously corrupted on a significant
flow of packets where each link already has a FCS covering the entire
packet?

[Alia] We have vast existence proof that MPLS label stacks, also covered
only by link FCS, that this is not the case.  Naturally the top label is
manipulated but the rest of the label stack is just passed through and not
looked at.

Not convinced by providers already blocking inbound traffic on a new port -
> particularly given discussion of handling entropy with varying ports
> in another thread.
>

[Alia] For defense, isn't it a case of block ports by default and only open
the destination ports that are explicitly needed?  That's how firewalls
that I've seen work; perhaps others have a common counterexample?  The
entropy is put into the source port, which isn't relevant here.


> So, I don't think filtering is a useful solution here to the problem posed
> by zero UDP checksums. (An actual UDP checksum solves it, of course.)
>

[Alia] Can you clearly articulate what you see as the threat scenario and
the necessary scale and probability to be meaningful here?

Regards,
Alia


>
> regards
>
> Lloyd Wood
> http://about.me/lloydwood
> ________________________________________
> From: Curtis Villamizar [curtis@ipv6.occnc.com]
> Sent: 22 January 2014 00:24
> To: Wood L  Dr (Electronic Eng)
> Cc: curtis@ipv6.occnc.com; lars@netapp.com; stbryant@cisco.com;
> joelja@bogus.com; mpls@ietf.org
> Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt>
> (Encapsulating MPLS in UDP) to Proposed Standard
>
> Lloyd,
>
> Since MPLS over UDP is intended to be used within a provider, how
> about if we recommend the following:
>
>   If no MPLS over UDP is intended to go outside a service provider,
>   then packet filters should be added to block traffic with the UDP
>   port number for MPLS over UDP to prevent misconfiguation or packet
>   error to cause MPLS over UDP packets to escape,
>
> If either the IP destination address or the UDP destination port were
> corrupted, then the packet would not leave.  The former because the
> intended destination within the provider would get the packet.  The
> latter because with the UDP port intact the provider's filter would
> block it.
>
> This would also prevent ordinary users from making use of MPLS over
> UDP, which with its absense of congestion control is causing some
> objections.
>
> Providers would already be blocking traffic coming into their net with
> this UDP port, particularly to their own infrastructure.  The filters
> might cover only their own addresses allowing users to make use of
> MPLS over UDP, or could block it entirely.
>
> This is in line with Alia's suggestion that we define a profile of
> intended use being for service providers internal use.
>
> Curtis
>
>
> In message <
> 290E20B455C66743BE178C5C84F1240847E63346DE@EXMB01CMS.surrey.ac.uk>
> l.wood@surrey.ac.uk writes:
> >
> > > When encapsulating in UDP, the UDP checksum might be zero but the IP
> > > checksum can still be filled in so the IP destination is checked
> >
> > IPv6 doesn't have an IP header checksum. So with an error in the
> > header the packet can go anywhere.
> >
> >
> > > Lack of UDP checksum should at worst mean that the destination gets a
> > > packet with a munged payload, pulls off the IP and UDP headers and
> > > continues to forward
> >
> > ... or a munged header, and forwards to a different application on a
> different port.
> >
> > See RFC 6936 section 3, which goes through the scenarios -  but plays
> light
> > on the side-effects. My beef is with:
> >
> >    A protocol or application that uses the zero UDP checksum method must
> >    ensure that the lack of checksum does not affect the protocol
> >    operation.  This includes being robust to receiving an unintended
> >    packet from another protocol or context following corruption of a
> >    destination or source address and/or port value.  It also includes
> >    considering the need for additional implicit protection mechanisms
> >    required when using the payload of a UDP packet received with a zero
> >    checksum.
> >
> > Lack of a UDP checksum in one protocol can affect the operation of other
> > protocols minding their own business, until they receive and try to
> handle
> > a corrupted packet from the first protocol because port or address is
> > corrupted. There are a lot of applications that presume that the data
> they
> > are given is error-free, and they presume that rogue data is not
> injected into
> > their conversation.
> >
> > I mean, if you're going to use a zero UDP checksum, and your application
> > messes up and gives itself corrupt data, fine. More fool you. By analogy
> > as a risk, it's like speeding while talking on a cellphone and crashing
> into a tree.
> > But if your lack of checksum means you affect other applications who have
> > to now protect themselves against your data, you're effectively now
> crashing
> > into and harming other people. They weren't in armoured cars to protect
> > against this? They had no right to be on the road!
> >
> > Zero UDP checksums are hit-and-run accidents waiting to happen.
> >
> > Lloyd Wood
> > http://about.me/lloydwood
> > ________________________________________
> > From: Curtis Villamizar [curtis@ipv6.occnc.com]
> > Sent: 21 January 2014 20:14
> > To: Eggert, Lars
> > Cc: Stewart Bryant; Wood L  Dr (Electronic Eng); curtis@ipv6.occnc.com;
> Joel Jaeggli; mpls@ietf.org
> > Subject: Re: [mpls] Last Call: <draft-ietf-mpls-in-udp-04.txt>
> (Encapsulating MPLS in UDP) to Proposed Standard
> >
> > In message <558A15A9-204A-4447-923C-58DC2A3CED8A@netapp.com>
> > "Eggert, Lars" writes:
> >
> > > Hi,
> > >
> > > On 2014-1-21, at 12:50, Stewart Bryant <stbryant@cisco.com> wrote:
> > > > In terms of congestion and misdelivery it is interesting looking
> > > > at the number of horses that are already bounding around
> > > > in the paddock outside the stable:
> > > >
> > > > IP types: 47 (GRE) and 137 (MPLS-in-IP) for example.
> > >
> > > there is a big difference between encapsulation in IP and
> > > encapsulation in UDP. Everything encapsulated with "obscure" IP
> > > protocol numbers will get dropped by default at NATs and firewalls,
> > > whereas UDO traffic happily traverses them. The reach of UDP traffic
> > > is much broader.
> > >
> > > Lars
> >
> >
> > Stray UDP packets carrying MPLS getting to grandma's firewall is
> > really stretching the argument but ...
> >
> > When encapsulating in UDP, the UDP checksum might be zero but the IP
> > checksum can still be filled in so the IP destination is checked and
> > grandma need not worry about these packets.  But ...
> >
> > Grandma's firewall would block since there is no state established on
> > the firewall with the opposite port pair pattern.  But ...
> >
> > Even if it went through when the packet reached grandma's subnet the
> > payload is junk bound to an unused port.  Maybe it hits grandma's DNS
> > server and is interpreted as a badly malformed DNS request.
> >
> > So grandma seems safe from these bad packets.
> >
> > Lack of UDP checksum should at worst mean that the destination gets a
> > packet with a munged payload, pulls off the IP and UDP headers and
> > continues to forward.  At worst has the wrong MPLS label and gets
> > blackholed in the provider network somewhere.  If it ends up at the
> > correct MPLS egress, if IP, the IP checksum is checked.  If a TCP or
> > UDP payload carried in that IP got munged the packet could end up at
> > the destination with a bad TCP or UDP checksum and get dropped.
> >
> > Curtis
> _______________________________________________
> mpls mailing list
> mpls@ietf.org
> https://www.ietf.org/mailman/listinfo/mpls
>

v2.23.0 | Report a Bug | By Email