Re: [savi] Potential issue for all SAVI mechanisms?
Jean-Michel Combes <jeanmichel.combes@gmail.com> Tue, 28 June 2011 18:02 UTC
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 791C911E8131 for <savi@ietfa.amsl.com>; Tue, 28 Jun 2011 11:02:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.999
X-Spam-Level:
X-Spam-Status: No, score=-102.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8UOAcur+W1xP for <savi@ietfa.amsl.com>; Tue, 28 Jun 2011 11:02:41 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id D42E811E808C for <savi@ietf.org>; Tue, 28 Jun 2011 11:02:40 -0700 (PDT)
Received: by gwb20 with SMTP id 20so226937gwb.31 for <savi@ietf.org>; Tue, 28 Jun 2011 11:02:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=mjoaXjQAICIbbpnXGdx7FZ6/mA2b95q980YYu2HaTMs=; b=qoQNrPJkt1iDRuHkHFBp71f+mvhB/UpPL+b1i5xdsraNP6ExJ2L40DxfbVSscMIi4m bYYFU6HEjXAC2+WTPuGaTufsw9fUjBhLYccqolHpkTCLyE8X/b8JwrqNoNllO7YKA3u2 1PrAqhYIQs6cSZQvGguVVjqqT4Y5DNit1D0Oc=
MIME-Version: 1.0
Received: by 10.146.59.36 with SMTP id h36mr2365028yaa.7.1309284160196; Tue, 28 Jun 2011 11:02:40 -0700 (PDT)
Received: by 10.147.182.9 with HTTP; Tue, 28 Jun 2011 11:02:40 -0700 (PDT)
In-Reply-To: <4E0A11D8.5010300@joelhalpern.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com> <4E0A11D8.5010300@joelhalpern.com>
Date: Tue, 28 Jun 2011 20:02:40 +0200
Message-ID: <BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2011 18:02:41 -0000
Hi Joel, 2011/6/28 Joel M. Halpern <jmh@joelhalpern.com>: > I don't think this works. > The question is not how often ND packets have that structure, but whether > 1) Hosts will accept ND packets with that structure > and > 2) Other protocols will use that structure. > > If both of those are true, which they currently are, then a SAVI device > can not detect an ND packet which is fragmented and hiding behind > destination options. > But, contrary to your resolution below, since other protocols use that > construct, SAVI devices can not simply drop all packets that are > fragmented and where the only visible next header is destination options > (or AH, or ESP.) they would be dropping legitimate data packets. Yep, I missed this ... So, a new proposal: - if the Next Header value inside the Fragment header is ND/UDP(DHCP), the packet is processed by the SAVI device - if the Next Header value inside the Fragment header is not ND/UDP(DHCP) and there is a binding, the packet is processed by the SAVI device - else the packet is dropped and the incident is logged > > It does not matter whether any legitimate sender of ND messages would > ever use that construct. > > As far as I can tell, the only path to sanity here is for the hosts not > to accept such packets. > And that is a matter for 6man, not for SAVI. We should simply document > this as a residual threat. IMHO, this is a matter for SAVI too, because, if the SAVI device is not able to process fragmented ND/DHCP packets from a node to correctly update the Binding Table, by default, any packet from this node will be dropped by the SAVI device even if hosts accept such packets. Cheers. JMC. > > Yours, > Joel > > > On 6/28/2011 1:26 PM, Jean-Michel Combes wrote: >> Based on RFC 2460: >> (1) the Next Header value inside the Fragment header identifies the >> first header of the Fragmentable Part of the original packet >> (2) The Unfragmentable Part consists of the IPv6 header plus any >> extension headers that must be processed by nodes en route to the >> destination, that is, all headers up to and including the Routing >> header if present, else the Hop-by-Hop Options header if present, else >> no extension headers. >> (3) Extension header order is: IPv6 header, Hop-by-Hop Options header, >> Destination Options header, Routing header, Fragment header, >> Authentication header, Encapsulating Security Payload header, >> Destination Options header, upper-layer header >> >> So, as far as I can see, there are only 3 scenarios where the Next >> Header value inside the Fragment header is not ND(including SEND, as >> this is just ND options)/DHCP: >> (a) AH >> (b) ESP >> (c) Destination Option >> >> IMHO, ND/DHCP messages with such extension headers are not common ... >> >> >>> > >>> > Then the SAVI devices can assume and require that the known ULP is >>> > contained in the first fragment, thus they can determine whether a >>> > packet is ND/DHCP/SEND, and reject any such packets that include a >>> > fragment header. >> Indeed, we could assume for each SAVI mechanism that: >> - if the Next Header value inside the Fragment header is ND/UDP(DHCP), >> the packet is processed >> - else the packet is dropped and the incident is logged >> >> As SAVI has a site/link scope, with the logs, IMHO, it should be >> easier for the SAVI admin to understand/solve the issue. >> >> Best regards. >> >> JMC. >> >> >> >
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- [savi] Potential issue for all SAVI mechanisms? Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Mikael Abrahamsson
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Eric Levy-Abegnoli
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Guang Yao
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García