Re: [tcpm] 793bis: what to say about source routing

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Tue, 30 November 2021 10:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/UMqkrJFVdweoKoA8Y9ZVRaOuYYo>

I agree with Joe. I don’t find the guidance in RFC 6274 particularly relevant for someone who is implementing TCP.

In particular, I don’t think it would make sense to limit the existing section to IPv4 only. If you really want to add the proposed sentence below, that sentence could be limited to IPv4 (“RFC 6274 describes security concerns with IPv4 source routing…”).

Mirja

From: tcpm <tcpm-bounces@ietf.org> on behalf of "touch@strayalpha.com" <touch@strayalpha.com>
Date: Tuesday, 30. November 2021 at 05:53
To: Wes Eddy <wes@mti-systems.com>
Cc: tcpm IETF list <tcpm@ietf.org>
Subject: Re: [tcpm] 793bis: what to say about source routing

Hi, Wes,

The text in RFC793bis is correct and sufficient regarding TCP. TCP has no business making recommendations about what options IP uses.

Let’s please not continue to propagate the misconception that features that are not expected are either errors or attacks. And let’s please stop citing this deeply flawed work that is not BCP. Whether IP source routing is disabled or not on a system should be of no consequence to TCP. It is either used or not; when used, TCP *MUST* support its use.

Joe

—
Joe Touch, temporal epistemologist
www.strayalpha.com


On Nov 29, 2021, at 7:12 PM, Wesley Eddy <wes@mti-systems.com> wrote:

One of the IESG comments that needs to be addressed on 793bis regards source routing.  There is the comment:

[S3.9.2.1]

* I feel like there should be some additional caveat about security
  implications of support for source routing.  RFC 6274, for example, says
  packets with LSRR (6274s3.13.2.3) and SSRR (6274s3.13.2.4) options should
  be dropped, citing various security concerns.

  I'm not sure there needs to be a lot of text; perhaps just an observation
  that some end systems may not support the source route semantics described
  here for security (or policy) reasons?

After looking at what 6274 says (which is Informational) and 793bis, here are my main thoughts:
(1) The text in question was written for IPv4, prior to IPv6 with its own methods (deprecated RH0, and now other things like segment routing).
(2) I'm not aware of anything changing with regard to 1122's description of IPv4 source routing support in IP stacks.
(3) Looking at defaults on popular Linux systems, it looks like "net.ipv4.conf.default.accept_source_route = 1" is not uncommon ... so source routing support probably still exists.  I didn't look at what the TCP code does though, with regard to incoming source routed packets to see if it matches what 793bis says.
So, my suggestion is that we rename that section of 793bis (section 3.9.2.1) to be specific to *IPv4* source routing, and then append at the end of the section a sentence like:
RFC 6274 describes security concerns with IP source routing, and source routing may be disabled or unsupported on some systems.
Does this sound good?  Note that it basically leaves any flavors of IPv6 source routing unmentioned (which seems right, since there isn't anything on standards track to use).  I would be very happy if someone more knowledgeable about the state of source routing support and usage could check this and share their thoughts.


_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
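The thread turns on whether a host drops IPv4 packets carrying the LSRR and SSRR options (the RFC 6274 position the IESG comment cites) and on Joe's point that such a decision belongs to the IP layer, not to TCP. The following is an added example, not text or code from this thread, from RFC 793bis or from RFC 6274: a small Python parser for the IPv4 option area that identifies those two option types and applies an RFC 6274-style drop policy before the packet ever reaches TCP. The option type codes 7 (Record Route), 131 (LSRR) and 137 (SSRR) are from RFC 791; the packet headers, addresses and helper names (`parse_ipv4_options`, `classify`, `build_header`, `audit`) are constructed for the example.

```python
import struct

# IPv4 option type codes from RFC 791 (copied flag | class | number).
OPT_EOL = 0      # end of option list
OPT_NOP = 1      # no operation
OPT_RR = 7       # record route (records the path but does not steer it)
OPT_LSRR = 131   # loose source and record route
OPT_SSRR = 137   # strict source and record route

SOURCE_ROUTE_OPTIONS = {OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def parse_ipv4_options(header: bytes):
    """Walk the option area of an IPv4 header (bytes 20..IHL*4).
    Returns a list of (type, data) tuples; raises ValueError if an option
    length runs past the header, which is itself grounds for dropping."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("IHL inconsistent with header length")
    opts = header[20:ihl]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"option {kind} has bad length {length}")
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def source_route_hops(data: bytes):
    """Decode an LSRR/SSRR option body: one pointer byte, then 4-byte hops."""
    pointer = data[0]
    hops = [".".join(str(b) for b in data[j:j + 4]) for j in range(1, len(data) - 3, 4)]
    return pointer, hops


def classify(header: bytes):
    """Apply an RFC 6274-style host policy at the IP layer: drop packets that
    carry LSRR or SSRR (or malformed options), accept everything else.
    TCP never sees a dropped packet, so the decision is invisible to it."""
    try:
        options = parse_ipv4_options(header)
    except ValueError as exc:
        return "drop", f"malformed options: {exc}"
    for kind, data in options:
        if kind in SOURCE_ROUTE_OPTIONS:
            pointer, hops = source_route_hops(data)
            return "drop", f"{SOURCE_ROUTE_OPTIONS[kind]} present, pointer={pointer}, hops={hops}"
    return "accept", None


def build_header(options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) carrying `options`,
    padded to a 32-bit boundary so IHL is exact. Sample addresses are from the
    documentation ranges 192.0.2.0/24 and 198.51.100.0/24."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "no options": build_header(),
    "record route": build_header(b"\x07\x07\x04" + b"\x00" * 4),
    "lsrr two hops": build_header(b"\x83\x0b\x04" + bytes([10, 0, 0, 1, 10, 0, 0, 2])),
    "ssrr one hop": build_header(b"\x89\x07\x04" + bytes([10, 0, 0, 9])),
    "lsrr bad length": build_header(b"\x83\x20\x04"),
}


def audit(samples=SAMPLES):
    """Return {name: decision} for each sample header."""
    return {name: classify(hdr)[0] for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:16s} -> {classify(hdr)}")
```

Note that the Record Route option (type 7) is accepted: it records the path but does not steer the packet, which is why RFC 6274's concern is specific to LSRR and SSRR. On Linux the equivalent host-level switch is the `accept_source_route` sysctl Wes mentions above; whichever way it is set, the TCP code is not involved in the decision.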