IETF Logo Mail Archive

Re: [tcpm] 793bis: what to say about source routing

Gorry Fairhurst <gorry@erg.abdn.ac.uk> Tue, 30 November 2021 09:17 UTC

Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E653A100E for <tcpm@ietfa.amsl.com>; Tue, 30 Nov 2021 01:17:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.75
X-Spam-Level:
X-Spam-Status: No, score=-3.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNDa6iOpYFcR for <tcpm@ietfa.amsl.com>; Tue, 30 Nov 2021 01:17:30 -0800 (PST)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [137.50.19.135]) by ietfa.amsl.com (Postfix) with ESMTP id 4B1E93A1190 for <tcpm@ietf.org>; Tue, 30 Nov 2021 01:17:26 -0800 (PST)
Received: from [192.168.1.93] (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id B18331B0022D; Tue, 30 Nov 2021 09:17:18 +0000 (GMT)
Content-Type: multipart/alternative; boundary="------------lWDtAtDgZWnU3T08pg94D7Ke"
Message-ID: <2095724f-5db8-bcd7-df4e-b655b92d5cf6@erg.abdn.ac.uk>
Date: Tue, 30 Nov 2021 09:17:14 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
To: "touch@strayalpha.com" <touch@strayalpha.com>, Wes Eddy <wes@mti-systems.com>
Cc: tcpm IETF list <tcpm@ietf.org>
References: <242bd633-0a7b-51dd-9200-3e3360d75e83@mti-systems.com> <E5ACB10A-FB03-4A5C-9862-400E6FB8F4F1@strayalpha.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
In-Reply-To: <E5ACB10A-FB03-4A5C-9862-400E6FB8F4F1@strayalpha.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/l7pUcnz4IlUe086HGFVqbB-2mQ4>
Subject: Re: [tcpm] 793bis: what to say about source routing
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 09:17:36 -0000

Pleasse see below.

On 30/11/2021 04:53, touch@strayalpha.com wrote:
> Hi, Wes,
>
> The text in RFC793bis is correct and sufficient regarding TCP. TCP has 
> no business making recommendations about what options IP uses.
>
> Let’s please not continue to propagate the misconception that features 
> that are not expected are either errors or attacks. And let’s please 
> stop citing this deeply flawed work that is not BCP. Whether IP source 
> routing is disabled or not on a system should be of no consequence to 
> TCP. It is either used or not; when used, TCP *MUST* support its use
>
> Joe
>
> —
> Joe Touch, temporal epistemologist
> www.strayalpha.com <http://www.strayalpha.com>
>
I have looked again at the text in 3.9.2.1. I would suggest a more 
radical change to that text.

First, it is entitled "Source Routing", to me this was once have been 
about the IPv4 source routing option, but I suggest this is actually an 
"example" where the host provides input that selects the path from the 
host, and we really should say this much more explicitly and not hide 
this as an example of an IPv4 option.

* So: To me MUST-51 is wrong in a transport spec. It should have been a 
part of an interface to a source route spec - there is no interop issue 
here, and it isn't a requirement for TCP! similarly I'd argue that 
MUST-52 is wrong in a transport spec, it's dictating host policy on how 
to use the interface.

* MUST-53 is important in that it provides a return path. The important 
advice/requirements apply to other cases also that can select 
interfaces/paths: the correct source and destination address (and any 
other selectors used to choose a path - segment routing, and others) 
needs to be appled and a return address needs to be notified that can be 
consistently used to reach the remote host (which I expect is what 
MUST-53 is about).

- The datagram language was odd, probably better as an "IP packet".

... SHLD-24 appears to be about the path changing... although this isn't 
really a TCP thing, it is important thing to get correct. It seems to be 
a lower layer thing: If the path changes, the packets from TCP change 
their forwarding to be consistent ...

To me the security concerns are not relevant here - this is a transport 
spec., and the mechanisms below need to be designed correctly, and while 
an exmaple or two are good, it seems rather silly to state or enumerate 
the different sub-transport protocols or their individual concerns.

Gorry

>> On Nov 29, 2021, at 7:12 PM, Wesley Eddy <wes@mti-systems.com> wrote:
>>
>> One of the IESG comments that needs to be addressed on 793bis regards 
>> source routing.  There is the comment:
>>
>>     [S3.9.2.1]
>>
>>     * I feel like there should be some additional caveat about security
>>        implications of support for source routing.  RFC 6274, for example, says
>>        packets with LSRR (6274s3.13.2.3) and SSRR (6274s3.13.2.4) options should
>>        be dropped, citing various security concerns.
>>
>>        I'm not sure there needs to be a lot of text; perhaps just an observation
>>        that some end systems may not support the source route semantics described
>>        here for security (or policy) reasons?
>>
>> After looking at what 6274 says (which is Informational) and 793bis, 
>> here are my main thoughts:
>>
>>     (1) The text in question was written for IPv4, prior to IPv6 with
>>     its own methods (deprecated RH0, and now other things like
>>     segment routing).
>>
>>     (2) I'm not aware of anything changing with regard to 1122's
>>     description of IPv4 source routing support in IP stacks.
>>
>>     (3) Looking at defaults on popular Linux systems, it looks like
>>     "net.ipv4.conf.default.accept_source_route = 1" is not uncommon
>>     ... so source routing support probably still exists.  I didn't
>>     look at what the TCP code does though, with regard to incoming
>>     source routed packets to see if it matches what 793bis says.
>>
>> So, my suggestion is that we rename that section of 793bis (section 
>> 3.9.2.1) to be specific to *IPv4* source routing, and then append at 
>> the end of the section a sentence like:
>>
>>     RFC 6274 describes security concerns with IP source routing, and
>>     source routing may be disabled or unsupported on some systems.
>>
>> Does this sound good?  Note that it basically leaves any flavors of 
>> IPv6 source routing unmentioned (which seems right, since there isn't 
>> anything on standards track to use).  I would be very happy if 
>> someone more knowledgeable about the state of source routing support 
>> and usage could check this and share their thoughts.
>>
>>
>>
>> _______________________________________________
>> tcpm mailing list
>> tcpm@ietf.org
>> https://www.ietf.org/mailman/listinfo/tcpm
>
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email