IETF Logo Mail Archive

Re: [savi] Potential issue for all SAVI mechanisms?

"Joel M. Halpern" <jmh@joelhalpern.com> Tue, 28 June 2011 17:40 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC36311E8139 for <savi@ietfa.amsl.com>; Tue, 28 Jun 2011 10:40:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.282
X-Spam-Level:
X-Spam-Status: No, score=-102.282 tagged_above=-999 required=5 tests=[AWL=-0.283, BAYES_00=-2.599, J_CHICKENPOX_29=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHn2yBfj2KJZ for <savi@ietfa.amsl.com>; Tue, 28 Jun 2011 10:40:11 -0700 (PDT)
Received: from hgblob.out.tigertech.net (hgblob.out.tigertech.net [74.114.88.71]) by ietfa.amsl.com (Postfix) with ESMTP id 6C1EC11E812F for <savi@ietf.org>; Tue, 28 Jun 2011 10:40:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id 64B3A32467BE; Tue, 28 Jun 2011 10:39:41 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [10.10.10.102] (pool-71-161-50-66.clppva.btas.verizon.net [71.161.50.66]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id A59C232463DD; Tue, 28 Jun 2011 10:39:40 -0700 (PDT)
Message-ID: <4E0A11D8.5010300@joelhalpern.com>
Date: Tue, 28 Jun 2011 13:39:36 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com>
In-Reply-To: <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com>
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: 7bit
Cc: SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2011 17:40:11 -0000

I don't think this works.
The question is not how often ND packets have that structure, but whether
1) Hosts will accept ND packets with that structure
and
2) Other protocols will use that structure.

If both of those are true, which they currently are, then a SAVI device
can not detect an ND packet which is fragmented and hiding behind
destination options.
But, contrary to your resolution below, since other protocols use that
construct, SAVI devices can not simply drop all packets that are
fragmented and where the only visible next header is destination options
(or AH, or ESP.)  they would be dropping legitimate data packets.

It does not matter whether any legitimate sender of ND messages would
ever use that construct.

As far as I can tell, the only path to sanity here is for the hosts not
to accept such packets.
And that is a matter for 6man, not for SAVI.  We should simply document
this as a residual threat.

Yours,
Joel


On 6/28/2011 1:26 PM, Jean-Michel Combes wrote:
> Based on RFC 2460:
> (1) the Next Header value inside the Fragment header identifies the
> first header of the Fragmentable Part of the original packet
> (2) The Unfragmentable Part consists of the IPv6 header plus any
> extension headers that must be processed by nodes en route to the
> destination, that is, all headers up to and including the Routing
> header if present, else the Hop-by-Hop Options header if present, else
> no extension headers.
> (3) Extension header order is: IPv6 header, Hop-by-Hop Options header,
> Destination Options header, Routing header, Fragment header,
> Authentication header, Encapsulating Security Payload header,
> Destination Options header, upper-layer header
> 
> So, as far as I can see, there are only 3 scenarios where the Next
> Header value inside the Fragment header is not ND(including SEND, as
> this is just ND options)/DHCP:
> (a) AH
> (b) ESP
> (c) Destination Option
> 
> IMHO, ND/DHCP messages with such extension headers are not common ...
> 
> 
>> >
>> >  Then the SAVI devices can assume and require that the known ULP is
>> >  contained in the first fragment, thus they can determine whether a
>> >  packet is ND/DHCP/SEND, and reject any such packets that include a
>> >  fragment header.
> Indeed, we could assume for each SAVI mechanism that:
> - if the Next Header value inside the Fragment header is ND/UDP(DHCP),
> the packet is processed
> - else the packet is dropped and the incident is logged
> 
> As SAVI has a site/link scope, with the logs, IMHO, it should be
> easier for the SAVI admin to understand/solve the issue.
> 
> Best regards.
> 
> JMC.
> 
> 
>

v2.23.0 | Report a Bug | By Email