Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 16 October 2013 22:34 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DF2F11E8195 for <secdir@ietfa.amsl.com>; Wed, 16 Oct 2013 15:34:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.037
X-Spam-Level:
X-Spam-Status: No, score=-95.037 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4I8xoqzXL5f for <secdir@ietfa.amsl.com>; Wed, 16 Oct 2013 15:34:47 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id DFD6D11E8204 for <secdir@ietf.org>; Wed, 16 Oct 2013 15:34:42 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=HUZvC4AyhdWX73xa3uF0vG3kPY+KG8S9Gs7BE3mvqMzE9tT5ZMZ+IxbP88fyE/FDlzfntTgQxPF4mIM9cKgjfnyEVQ/Bc3bwemlvTmMoPYsv97cwvyGT056XyAk3rbgd; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 15370 invoked from network); 17 Oct 2013 00:34:41 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.100?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 17 Oct 2013 00:34:41 +0200
Message-ID: <525F1481.4020001@gondrom.org>
Date: Wed, 16 Oct 2013 23:34:41 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: fgont@si6networks.com, secdir@ietf.org, iesg@ietf.org, draft-ietf-6man-oversized-header-chain.all@tools.ietf.org
References: <51D41722.8080900@gondrom.org> <525F0063.202@gondrom.org> <525F0F35.9010706@si6networks.com>
In-Reply-To: <525F0F35.9010706@si6networks.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2013 22:34:53 -0000
On 16/10/13 23:12, Fernando Gont wrote: > Hi, Tobias, > > Thanks so much for your review! -- Please find my comments in-line... > > On 10/16/2013 06:08 PM, Tobias Gondrom wrote: >> 1. A question, less from a security, but interoperability perspective: >> is there any deplyoment data on any potential backwards compatibility >> issues with current IPv6 deployments? Namely are there noteworthy >> deployments with large IPv6 header chains beyond the first fragment >> currently in deployment? > No. Does this "No" mean: (1) there are no noteworthey deployments or does it only mean (2) we have no data at all and therefore don't know what we will break with the update? >> 2. section 5 third paragraph: >> I wonder whether we should be more strict and replace the "MAY" with a >> "SHOULD"? >> This would make intermediate behavior consistent with the host from the >> previous paragraph and should avoid inconsistencies within the network >> topology? > IIRC, the "intermmediate systems MAY drop" is so that intermmediate > systems are not required to process the entire header chain. -- i.e.: > "If you want to drop such packets, you're free to... but we don't > require e.g. routers to process the entire IPv6 header chain to find > whether the entire header chain is present and then decide whether to > drop or not". > > OTOH, the "MAY send an ICMPv6 error message" could be changed to "if you > drop, you SHOULD send an ICMPv6 error message", I guess. > > Thanks, I see. Actually I meant both, but let's look at them separately: 1. "intermmediate systems MAY drop" Actually a "SHOULD" does not require them either, but substantially encourages more than the "MAY". Question: I assume from your answer, most intermediate systems just pass through without checking that the header conform to updated 2460, i.e. header ends within the first fragment? In the end, I have no strong feelings about this, i.e. ok with both (MAY and SHOULD). 2. For the ICMPv6 error message, you are right that should be a "SHOULD" not a "MAY" as it is on the condition of the dropped packet. Best regards, Tobias
- [secdir] secdir review of draft-ietf-appsawg-rfc5… Tobias Gondrom
- [secdir] secdir review of draft-ietf-6man-oversiz… Tobias Gondrom
- Re: [secdir] secdir review of draft-ietf-6man-ove… Fernando Gont
- Re: [secdir] secdir review of draft-ietf-6man-ove… Tobias Gondrom
- Re: [secdir] secdir review of draft-ietf-6man-ove… Fernando Gont
- Re: [secdir] secdir review of draft-ietf-6man-ove… Tobias Gondrom