Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 16 October 2013 22:34 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DF2F11E8195 for <secdir@ietfa.amsl.com>; Wed, 16 Oct 2013 15:34:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.037
X-Spam-Level:
X-Spam-Status: No, score=-95.037 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4I8xoqzXL5f for <secdir@ietfa.amsl.com>; Wed, 16 Oct 2013 15:34:47 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id DFD6D11E8204 for <secdir@ietf.org>; Wed, 16 Oct 2013 15:34:42 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=HUZvC4AyhdWX73xa3uF0vG3kPY+KG8S9Gs7BE3mvqMzE9tT5ZMZ+IxbP88fyE/FDlzfntTgQxPF4mIM9cKgjfnyEVQ/Bc3bwemlvTmMoPYsv97cwvyGT056XyAk3rbgd; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 15370 invoked from network); 17 Oct 2013 00:34:41 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.100?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 17 Oct 2013 00:34:41 +0200
Message-ID: <525F1481.4020001@gondrom.org>
Date: Wed, 16 Oct 2013 23:34:41 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: fgont@si6networks.com, secdir@ietf.org, iesg@ietf.org, draft-ietf-6man-oversized-header-chain.all@tools.ietf.org
References: <51D41722.8080900@gondrom.org> <525F0063.202@gondrom.org> <525F0F35.9010706@si6networks.com>
In-Reply-To: <525F0F35.9010706@si6networks.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2013 22:34:53 -0000

On 16/10/13 23:12, Fernando Gont wrote:
> Hi, Tobias,
>
> Thanks so much for your review! -- Please find my comments in-line...
>
> On 10/16/2013 06:08 PM, Tobias Gondrom wrote:
>> 1. A question, less from a security, but interoperability perspective:
>> is there any deplyoment data on any potential backwards compatibility
>> issues with current IPv6 deployments? Namely are there noteworthy
>> deployments with large IPv6 header chains beyond the first fragment
>> currently in deployment?
> No.

Does this "No" mean:
(1) there are no noteworthey deployments or does it only mean
(2) we have no data at all and therefore don't know what we will break
with the update?

>> 2. section 5 third paragraph:
>> I wonder whether we should be more strict and replace the "MAY" with a
>> "SHOULD"?
>> This would make intermediate behavior consistent with the host from the
>> previous paragraph and should avoid inconsistencies within the network
>> topology?
> IIRC, the "intermmediate systems MAY drop" is so that intermmediate
> systems are not required to process the entire header chain. -- i.e.:
> "If you want to drop such packets, you're free to... but we don't
> require e.g. routers to process the entire IPv6 header chain to find
> whether the entire header chain is present and then decide whether to
> drop or not".
>
> OTOH, the "MAY send an ICMPv6 error message" could be changed to "if you
> drop, you SHOULD send an ICMPv6 error message", I guess.
>
> Thanks,

I see. Actually I meant both, but let's look at them separately:

1. "intermmediate systems MAY drop"
Actually a "SHOULD" does not require them either, but substantially
encourages more than the "MAY". Question: I assume from your answer,
most intermediate systems just pass through without checking that the
header conform to updated 2460, i.e. header ends within the first
fragment? In the end, I have no strong feelings about this, i.e. ok with
both (MAY and SHOULD).

2. For the ICMPv6 error message, you are right that should be a "SHOULD"
not a "MAY" as it is on the condition of the dropped packet.

Best regards, Tobias