IETF Logo Mail Archive

Re: [savi] Potential issue for all SAVI mechanisms?

Jean-Michel Combes <jeanmichel.combes@gmail.com> Tue, 28 June 2011 17:27 UTC

Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3B1121F86B8 for <savi@ietfa.amsl.com>; Tue, 28 Jun 2011 10:27:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.905
X-Spam-Level:
X-Spam-Status: No, score=-101.905 tagged_above=-999 required=5 tests=[AWL=-1.695, BAYES_00=-2.599, CN_BODY_35=0.339, J_CHICKENPOX_29=0.6, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHDYa90c1CZY for <savi@ietfa.amsl.com>; Tue, 28 Jun 2011 10:26:59 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 83CC111E80FD for <savi@ietf.org>; Tue, 28 Jun 2011 10:26:59 -0700 (PDT)
Received: by gya6 with SMTP id 6so224775gya.31 for <savi@ietf.org>; Tue, 28 Jun 2011 10:26:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=9KF8rHNWOvzYppurYBoya5y560WIj3vNbnIErDRPIXY=; b=MNclO5mva8rdKHU+M+cByvTiZSiiYT704oWXsPkJILbMr3yFV4NBzMQJ98BqjC1vnJ PRNrFCpr7aTDPhbDQCJeNT/iwFn3AGbGuN2V4BfbALT2pBvaCV8vGDsB7h2LC1OakgTc vRPqXdFCvr3747/macbAAFcdwnpkR1YsjjOJg=
MIME-Version: 1.0
Received: by 10.151.24.16 with SMTP id b16mr8997133ybj.195.1309282018338; Tue, 28 Jun 2011 10:26:58 -0700 (PDT)
Received: by 10.147.182.9 with HTTP; Tue, 28 Jun 2011 10:26:58 -0700 (PDT)
In-Reply-To: <4E01F2FF.7030108@acm.org>
References: <4E01F2FF.7030108@acm.org>
Date: Tue, 28 Jun 2011 19:26:58 +0200
Message-ID: <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Erik Nordmark <nordmark@acm.org>
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: quoted-printable
Cc: SAVI Mailing List <savi@ietf.org>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2011 17:27:00 -0000

Hi,

2011/6/22 Erik Nordmark <nordmark@acm.org>:
>
>
> -------- Original Message --------
> Subject: Re: [savi] Potential issue for all SAVI mechanisms?
> Date: Wed, 22 Jun 2011 06:39:15 -0700
> From: Erik Nordmark <nordmark@sonic.net>
> To: marcelo bagnulo braun <marcelo@it.uc3m.es>
> CC: savi@ietf.org
>
> On 6/21/11 10:26 PM, marcelo bagnulo braun wrote:
>>
>> Right, the question is how comon is for legitimate users to send
>> NDP/DHCP/SEND fragmented packets? IS there any concrete real useful
>> situacion where this happens?
>
> The way I read RFC 4861's
>   The size of an ND packet including the IP header is limited to the
>   link MTU.  When adding options to an ND packet, a node MUST NOT
>   exceed the link MTU.
> is that ND packets should not be fragmented. But the spec doesn't have
> an explicit MUST NOT fragment.

This is a good point.

>
> I haven't looked at the DHCP and SEND RFCs.
>
>> If not, maybe we could simply say that SAVI will ignore the fragmented
>> packets.
>> If yes, then it seems we may have a problem.
>
> I don't think we can just ignore them, since that would assume that the
> receivers would explicitly drop fragmented ND/DHCP/SEND packets, which
> they are not required to do.
>
> Can we always tell whether a packet, which might in theory have 2K of
> Destination options, is a ND/DHCP/SEND packet? Clearly not unless RFC
> 2460 requires that some bytes of the ULP (TCP, UDP, ICMP, etc) header is
> always in the first fragment. In practice it would be reasonable to
> expect that. But it seems to be a protocol change to IPv6 to require
> that senders must put the ULP header in the first fragment.

Based on RFC 2460:
(1) the Next Header value inside the Fragment header identifies the
first header of the Fragmentable Part of the original packet
(2) The Unfragmentable Part consists of the IPv6 header plus any
extension headers that must be processed by nodes en route to the
destination, that is, all headers up to and including the Routing
header if present, else the Hop-by-Hop Options header if present, else
no extension headers.
(3) Extension header order is: IPv6 header, Hop-by-Hop Options header,
Destination Options header, Routing header, Fragment header,
Authentication header, Encapsulating Security Payload header,
Destination Options header, upper-layer header

So, as far as I can see, there are only 3 scenarios where the Next
Header value inside the Fragment header is not ND(including SEND, as
this is just ND options)/DHCP:
(a) AH
(b) ESP
(c) Destination Option

IMHO, ND/DHCP messages with such extension headers are not common ...


>
> Then the SAVI devices can assume and require that the known ULP is
> contained in the first fragment, thus they can determine whether a
> packet is ND/DHCP/SEND, and reject any such packets that include a
> fragment header.

Indeed, we could assume for each SAVI mechanism that:
- if the Next Header value inside the Fragment header is ND/UDP(DHCP),
the packet is processed
- else the packet is dropped and the incident is logged

As SAVI has a site/link scope, with the logs, IMHO, it should be
easier for the SAVI admin to understand/solve the issue.

Best regards.

JMC.



>
>   Erik
>
>> Regards, marcelo
>>
>>
>> El 22/06/11 06:35, Jun Bi escribió:
>>>
>>> In the Ethernet environment, the MTU is 1500, DHCP reply is not a
>>> large packet and it won't be fragmented.
>>> Maybe the packet size of RA is large and might be fragmented, but it
>>> is not processed in SAVI.
>>>
>>> thanks,
>>> Jun Bi
>>>
>>> -----原始邮件----- From: Joel M. Halpern
>>> Sent: Wednesday, June 22, 2011 8:17 AM
>>> To: Jun Bi
>>> Cc: Jean-Michel Combes ; SAVI Mailing List
>>> Subject: Re: [savi] Potential issue for all SAVI mechanisms?
>>>
>>> I do not think this is a sufficient answer. Whether the device is a
>>> switch or a router, reassembling or maintaining packet state across
>>> fragements is a non-trivial undertaking.
>>>
>>> I can imagine some kludges to get around this, but they have broader
>>> impact than just SAVI. (For example, rejecting first packets that do
>>> not have enough information to determine whether or not they are
>>> claiming to be RAs or DHCP replies.)
>>>
>>> Yours,
>>> Joel
>>>
>>> On 6/21/2011 9:56 AM, Jun Bi wrote:
>>>>
>>>> Hi Jean-Michel,
>>>>
>>>> What we are talking about "savi switch" is a 2.5 layer switch (layer 2
>>>> switch in data plan with layer 3-aware in controll/management plan).
>>>> So what I know from switch vendor is that the 2.5 layer switch chip or
>>>> the stronger CPU can handel it.
>>>> For example, the chip can recongnize the Protocol ID field of IP packets
>>>> to recongznie HDCP or NDP packets (even in fragments),
>>>> then copy them to switch CPU. The CPU can handle it.
>>>>
>>>> The SAVI switch has been really implmented and deployed, so I did really
>>>> see any problem in real network.
>>>> BTW, it seems that SAVI switch doesn't snoop and process RA packets for
>>>> binding, so maybe RA packet is different.
>>>>
>>>> thanks,
>>>> Jun Bi
>>>>
>>>> -----原始邮件----- From: Jean-Michel Combes
>>>> Sent: Tuesday, June 21, 2011 9:37 PM
>>>> To: SAVI Mailing List
>>>> Subject: [savi] Potential issue for all SAVI mechanisms?
>>>>
>>>> Hi,
>>>>
>>>> Maybe you already know that there is a discussion on v6ops/6man MLs
>>>> about RA Guard evasion (cf.
>>>> http://www.ietf.org/mail-archive/web/ipv6/current/msg14204.html).
>>>> One of the methods to perform this evasion is fragmentation: it seems
>>>> that a L2 device would not be able to re-assemble all the fragments
>>>> without an important extra-cost and so would not be able to determine
>>>> whether or not the message is a Router Advertisement (cf.
>>>> http://www.ietf.org/mail-archive/web/ipv6/current/msg14240.html).
>>>>
>>>> Knowing that:
>>>> (1) In common use-case, SAVI device is a L2 device
>>>> (2) SAVI mechanisms are based on NDP/SEND/DHCP messages inspection
>>>>
>>>> I am wondering whether or not fragmentation would not impact strongly
>>>> SAVI specifications too: any fragmented NDP/SEND/DHCP message could
>>>> not update correctly the Binding Table and so what would be the
>>>> consequences?
>>>>
>>>> I would appreciate comments from WG members, especially
>>>> implementors/manufacturers, about this.
>>>>
>>>> Thanks in advance for your replies.
>>>>
>>>> Best regards.
>>>>
>>>> JMC.
>>>> _______________________________________________
>>>> savi mailing list
>>>> savi@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/savi
>>>> _______________________________________________
>>>> savi mailing list
>>>> savi@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/savi
>>>
>>> _______________________________________________
>>> savi mailing list
>>> savi@ietf.org
>>> https://www.ietf.org/mailman/listinfo/savi
>>
>> _______________________________________________
>> savi mailing list
>> savi@ietf.org
>> https://www.ietf.org/mailman/listinfo/savi
>>
>
> _______________________________________________
> savi mailing list
> savi@ietf.org
> https://www.ietf.org/mailman/listinfo/savi
>

v2.23.0 | Report a Bug | By Email