Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
Fernando Gont <fgont@si6networks.com> Thu, 17 October 2013 02:19 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72B6611E8226; Wed, 16 Oct 2013 19:19:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.67
X-Spam-Level:
X-Spam-Status: No, score=-2.67 tagged_above=-999 required=5 tests=[AWL=-0.071, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSI0r759AknA; Wed, 16 Oct 2013 19:19:47 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 0608111E822C; Wed, 16 Oct 2013 19:19:12 -0700 (PDT)
Received: from 17-153-16-190.fibertel.com.ar ([190.16.153.17] helo=[192.168.1.166]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1VWdB7-0000IK-7C; Thu, 17 Oct 2013 04:19:09 +0200
Message-ID: <525F3669.20102@si6networks.com>
Date: Wed, 16 Oct 2013 21:59:21 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, secdir@ietf.org, iesg@ietf.org, draft-ietf-6man-oversized-header-chain.all@tools.ietf.org
References: <51D41722.8080900@gondrom.org> <525F0063.202@gondrom.org> <525F0F35.9010706@si6networks.com> <525F1481.4020001@gondrom.org>
In-Reply-To: <525F1481.4020001@gondrom.org>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 02:19:48 -0000
On 10/16/2013 07:34 PM, Tobias Gondrom wrote: >>> 1. A question, less from a security, but interoperability perspective: >>> is there any deplyoment data on any potential backwards compatibility >>> issues with current IPv6 deployments? Namely are there noteworthy >>> deployments with large IPv6 header chains beyond the first fragment >>> currently in deployment? >> No. > > Does this "No" mean: > (1) there are no noteworthey deployments or does it only mean > (2) we have no data at all and therefore don't know what we will break > with the update? There are no specified use cases for such oversized header chains (for instance, look at the extension header types and options specified so far). Besides, what I've seen and what others have indicated is the same: with the addition that any intentional use of extension headers typically leads to packet drops (see draft-ietf-6man-ext-transmit-05.txt). >>> 2. section 5 third paragraph: >>> I wonder whether we should be more strict and replace the "MAY" with a >>> "SHOULD"? >>> This would make intermediate behavior consistent with the host from the >>> previous paragraph and should avoid inconsistencies within the network >>> topology? >> IIRC, the "intermmediate systems MAY drop" is so that intermmediate >> systems are not required to process the entire header chain. -- i.e.: >> "If you want to drop such packets, you're free to... but we don't >> require e.g. routers to process the entire IPv6 header chain to find >> whether the entire header chain is present and then decide whether to >> drop or not". >> >> OTOH, the "MAY send an ICMPv6 error message" could be changed to "if you >> drop, you SHOULD send an ICMPv6 error message", I guess. >> >> Thanks, > > I see. Actually I meant both, but let's look at them separately: > > 1. "intermmediate systems MAY drop" > Actually a "SHOULD" does not require them either, but substantially > encourages more than the "MAY". An implementation that does not follow SHOULDs is said to be "conditionally complaint" where in our case, we deem a middle-box that doesn't drop such packets as fully-cumpliant hence the "MAY". If a middle-box does not really need to look at the upper-layer header, then requiring (SHOULD) it to look at the header chain just to drop the offending packets is rather overkill. > Question: I assume from your answer, > most intermediate systems just pass through without checking that the > header conform to updated 2460, Well, packets that do not contain the entire IPv6 header chain in the first fragment are currently RFC2460-compliant -- that's exactly why we're pushing this document. > 2. For the ICMPv6 error message, you are right that should be a "SHOULD" > not a "MAY" as it is on the condition of the dropped packet. I will change this unless anyone objects (or points out something I may have missed). Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [secdir] secdir review of draft-ietf-appsawg-rfc5… Tobias Gondrom
- [secdir] secdir review of draft-ietf-6man-oversiz… Tobias Gondrom
- Re: [secdir] secdir review of draft-ietf-6man-ove… Fernando Gont
- Re: [secdir] secdir review of draft-ietf-6man-ove… Tobias Gondrom
- Re: [secdir] secdir review of draft-ietf-6man-ove… Fernando Gont
- Re: [secdir] secdir review of draft-ietf-6man-ove… Tobias Gondrom