Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08

Tobias Gondrom <tobias.gondrom@gondrom.org> Thu, 17 October 2013 08:17 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7052111E810B for <secdir@ietfa.amsl.com>; Thu, 17 Oct 2013 01:17:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.102
X-Spam-Level:
X-Spam-Status: No, score=-95.102 tagged_above=-999 required=5 tests=[AWL=0.260, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzPVlKxwsmCr for <secdir@ietfa.amsl.com>; Thu, 17 Oct 2013 01:17:02 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 20F9321F9A50 for <secdir@ietf.org>; Thu, 17 Oct 2013 01:17:00 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=kqxKUvjnrWJnjMCyCM3sYdUAD7HpJW3t5zHprbwI8EhZN+UsVupo4Om1TZAlbVwHCkPNoXA1T4FqY1ugz25Zit5WYw2Ezaqqk1JYE8uZFwxWIRFG66QHOP8LV5POPKtc; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 1143 invoked from network); 17 Oct 2013 10:16:57 +0200
Received: from 188-222-103-191.zone13.bethere.co.uk (HELO ?192.168.1.100?) (188.222.103.191) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 17 Oct 2013 10:16:57 +0200
Message-ID: <525F9CF8.4060905@gondrom.org>
Date: Thu, 17 Oct 2013 09:16:56 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: fgont@si6networks.com, secdir@ietf.org, iesg@ietf.org, draft-ietf-6man-oversized-header-chain.all@tools.ietf.org
References: <51D41722.8080900@gondrom.org> <525F0063.202@gondrom.org> <525F0F35.9010706@si6networks.com> <525F1481.4020001@gondrom.org> <525F3669.20102@si6networks.com>
In-Reply-To: <525F3669.20102@si6networks.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] secdir review of draft-ietf-6man-oversized-header-chain-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Oct 2013 08:17:08 -0000

Thank you for your answers.
All the best, Tobias


On 17/10/13 01:59, Fernando Gont wrote:
> On 10/16/2013 07:34 PM, Tobias Gondrom wrote:
>>>> 1. A question, less from a security, but interoperability perspective:
>>>> is there any deplyoment data on any potential backwards compatibility
>>>> issues with current IPv6 deployments? Namely are there noteworthy
>>>> deployments with large IPv6 header chains beyond the first fragment
>>>> currently in deployment?
>>> No.
>> Does this "No" mean:
>> (1) there are no noteworthey deployments or does it only mean
>> (2) we have no data at all and therefore don't know what we will break
>> with the update?
> There are no specified use cases for such oversized header chains (for
> instance, look at the extension header types and options specified so far).
>
> Besides, what I've seen and what others have indicated is the same: with
> the addition that any intentional use of extension headers typically
> leads to packet drops (see draft-ietf-6man-ext-transmit-05.txt).
>
>
>>>> 2. section 5 third paragraph:
>>>> I wonder whether we should be more strict and replace the "MAY" with a
>>>> "SHOULD"?
>>>> This would make intermediate behavior consistent with the host from the
>>>> previous paragraph and should avoid inconsistencies within the network
>>>> topology?
>>> IIRC, the "intermmediate systems MAY drop" is so that intermmediate
>>> systems are not required to process the entire header chain. -- i.e.:
>>> "If you want to drop such packets, you're free to... but we don't
>>> require e.g. routers to process the entire IPv6 header chain to find
>>> whether the entire header chain is present and then decide whether to
>>> drop or not".
>>>
>>> OTOH, the "MAY send an ICMPv6 error message" could be changed to "if you
>>> drop, you SHOULD send an ICMPv6 error message", I guess.
>>>
>>> Thanks,
>> I see. Actually I meant both, but let's look at them separately:
>>
>> 1. "intermmediate systems MAY drop"
>> Actually a "SHOULD" does not require them either, but substantially
>> encourages more than the "MAY".
> An implementation that does not follow SHOULDs is said to be
> "conditionally complaint" where in our case, we deem a middle-box that
> doesn't drop such packets as fully-cumpliant  hence the "MAY".
>
> If a middle-box does not really need to look at the upper-layer header,
> then requiring (SHOULD) it to look at the header chain just to drop the
> offending packets is rather overkill.
>
>
>> Question: I assume from your answer,
>> most intermediate systems just pass through without checking that the
>> header conform to updated 2460,
> Well, packets that do not contain the entire IPv6 header chain in the
> first fragment are currently RFC2460-compliant -- that's exactly why
> we're pushing this document.
>
>
>
>> 2. For the ICMPv6 error message, you are right that should be a "SHOULD"
>> not a "MAY" as it is on the condition of the dropped packet.
> I will change this unless anyone objects (or points out something I may
> have missed).
>
> Thanks!
>
> Best regards,