Re: [Tsv-art] [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Tom Herbert <tom@herbertland.com> Wed, 24 February 2021 17:01 UTC

From: Tom Herbert <tom@herbertland.com>
Date: Wed, 24 Feb 2021 10:01:28 -0700
Message-ID: <CALx6S34dMEEJ+OPUu_=FW1Y5AQuvAaHzBPEe448S7rfbMmHN_w@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Mark Smith <markzzzsmith@gmail.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, IPv6 Operations <v6ops@ietf.org>, draft-ietf-v6ops-ipv6-ehs-packet-drops.all@ietf.org, last-call@ietf.org, tsv-art@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/TGZMGIbg5VjqGhUi05k2-87hHKs>
Subject: Re: [Tsv-art] [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

On Wed, Feb 24, 2021 at 9:27 AM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 23/2/21 13:54, Mark Smith wrote:
> > On Wed, 24 Feb 2021 at 02:51, Fernando Gont <fgont@si6networks.com> wrote:
> >>
> >> Hi, Tom,
> >>
> >> On 23/2/21 11:34, Tom Herbert wrote:
> >> [...]
> >>> From the draft:
> >>>
> >>> "Unless appropriate mitigations are put in place (e.g., packet
> >>> dropping and/or rate-limiting), an attacker could simply send a large
> >>> amount of IPv6 traffic employing IPv6 Extension Headers with the
> >>> purpose of performing a Denial of Service (DoS) attack"
> >>>
> >>> That is clearly recommending a mitigation which is to drop packets or
> >>> rate-limit.
> >>
> >> No, we're just stating the obvious. If we were performing a
> >> recommendation, the text would be something like "IPv6 implementations
> >> should". And we'd also be using RFC2119 speak... and the document would
> >> be BCP.
> >>
> >
> > It reads like an implied recommendation to me.
> >
> > It's stating possible prevention measures, and then the consequences
> > of not doing them. That implies the stated prevention measures are
> > recommended. (e.g. "If you aren't careful with a knife, you could cut
> > yourself (so be careful with a knife)").
>
> I think you're reading more from the draft than what we have written or
> meant.
>
> Your example is a good one, and has indeed two parts:
>
>     "If you aren't careful with a knife, you could cut yourself"
>
> This is a *fact* and I don't think there's much room for debate around it.
>
>
>    "(so be careful with a knife)"
>
> *This* is advice.
>
>
> Our document contains the former (a fact), but not the latter (advice).
>
Fernando,

The analogy doesn't hold here because unlike knives, extension headers
are not inherently dangerous. The problems have been caused by some
router implementations that have assumed unwritten requirements (like
routers must access transport layer), unquantified requirements
(header chains can't be too long), and apparently buggy
implementations (mentioned in the draft). This draft describes, cites,
recommends, references, or suggests (whichever you prefer) two
specific mitigations which are to drop packets or rate limit packets.
These mitigations are described without context or parameterization,
so the reader might infer that blindly dropping all packets with
extension headers is an acceptable mitigation. Furthermore, if the
draft is suggesting mitigations to problems created by routers, then
an obvious one would be to ask router vendors to fix their bugs (which
I am trying to say without cynicism).

Tom

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
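The message above contrasts two things a forwarding node can do with packets carrying IPv6 extension headers: drop them all, or walk the header chain to the transport header under an explicit, quantified limit. The following is an added example written for this archive page; it is not code from the thread, the draft, or any router vendor. It constructs its own IPv6 packets in-line (documentation-prefix addresses, Pad1-filled option headers, a dummy TCP payload), walks the chain using the RFC 8200 header layouts, and compares a blind "drop anything with an extension header" policy with a bounded-chain policy whose 64-byte budget is an assumed, illustrative parameter.

```python
"""Walk an IPv6 extension-header chain to find the upper-layer header.

Added example, not from the thread or the draft. All packets are constructed
here, not captured traffic; the 64-byte chain budget is an assumed value.
"""

# IANA protocol numbers for the extension headers a forwarding node must
# skip over to reach the transport header (RFC 8200, section 4).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_HDRS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
TCP = 6

IPV6_HDR_LEN = 40


def ipv6_header(next_hdr, payload_len):
    """Fixed 40-octet IPv6 header; addresses are 2001:db8::/32 placeholders."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    # version 6, traffic class 0, flow label 0, then payload length,
    # next header and a hop limit of 64
    return (b"\x60\x00\x00\x00" + payload_len.to_bytes(2, "big")
            + bytes([next_hdr, 64]) + src + dst)


def options_header(next_hdr, ext_len_units):
    """Hop-by-Hop or Destination Options header filled with Pad1 options
    (one 0x00 byte each). Total length is (HdrExtLen + 1) * 8 octets."""
    total = (ext_len_units + 1) * 8
    return bytes([next_hdr, ext_len_units]) + b"\x00" * (total - 2)


def build_packet(chain, upper=TCP, payload=b"\x00" * 20):
    """chain: list of (ext_type, HdrExtLen) pairs. Each header's NextHeader
    field points at the header that follows; the last points at `upper`."""
    types = [t for t, _ in chain] + [upper]
    headers = b""
    for (t, units), nxt in zip(chain, types[1:]):
        if t not in (HOPOPT, DSTOPTS):
            raise ValueError("only options-style headers are built here")
        headers += options_header(nxt, units)
    return ipv6_header(types[0], len(headers) + len(payload)) + headers + payload


def walk_chain(packet, max_chain_bytes=None):
    """Walk the extension-header chain after the fixed header.

    Returns (status, proto, offset): "ok" with the upper-layer protocol and
    its offset, "truncated" if a header runs past the end of the packet, or
    "too-long" if the chain exceeds max_chain_bytes (when a budget is set).
    """
    if len(packet) < IPV6_HDR_LEN:
        return "truncated", None, None
    nxt, off = packet[6], IPV6_HDR_LEN
    while nxt in EXT_HDRS:
        if off + 8 > len(packet):
            return "truncated", None, None
        # Fragment header is a fixed 8 octets; the others carry HdrExtLen in
        # 8-octet units, not counting the first 8 octets.
        hlen = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + hlen > len(packet):
            return "truncated", None, None
        nxt, off = packet[off], off + hlen
        if max_chain_bytes is not None and off - IPV6_HDR_LEN > max_chain_bytes:
            return "too-long", None, None
    return "ok", nxt, off


def classify(packet, policy, max_chain_bytes=64):
    """Forwarding decision under two policies:
    'drop_all_eh' drops any packet whose first next-header is an extension
    header; 'bounded' forwards whenever the chain parses within the budget."""
    if policy == "drop_all_eh":
        if len(packet) < IPV6_HDR_LEN:
            return "drop:truncated"
        return "drop:has-eh" if packet[6] in EXT_HDRS else "forward"
    if policy == "bounded":
        status, _, _ = walk_chain(packet, max_chain_bytes)
        return "forward" if status == "ok" else "drop:" + status
    raise ValueError("unknown policy: " + policy)


# Constructed sample packets: no extension headers, a short HBH+DSTOPTS
# chain (24 octets), and a single 256-octet Destination Options header.
PLAIN = build_packet([])
SHORT_CHAIN = build_packet([(HOPOPT, 0), (DSTOPTS, 1)])
LONG_CHAIN = build_packet([(DSTOPTS, 31)])

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("short", SHORT_CHAIN), ("long", LONG_CHAIN)):
        print(name, walk_chain(pkt, 64),
              classify(pkt, "drop_all_eh"), classify(pkt, "bounded"))
```

The point of `classify` is that the two policies diverge only on packets a node can actually afford to parse: the blind policy discards the short chain along with the long one, while the bounded policy forwards the short chain, drops the long one with a reason that names the configured limit, and treats a chain that runs off the end of the packet as malformed rather than as "has extension headers". Rate limiting, the draft's other mitigation, is a separate control and is not modelled here.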