IETF Logo Mail Archive

RE: Invalid IP in INIT/INITCAK message

"Dan Wing" <dwing@cisco.com> Fri, 17 September 2010 00:13 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA93E3A6B04 for <tsvwg@core3.amsl.com>; Thu, 16 Sep 2010 17:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.566
X-Spam-Level:
X-Spam-Status: No, score=-110.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MglAlErpEcfz for <tsvwg@core3.amsl.com>; Thu, 16 Sep 2010 17:13:17 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id BF8603A6AC0 for <tsvwg@ietf.org>; Thu, 16 Sep 2010 17:13:14 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAOJPkkyrRN+K/2dsb2JhbACVUYxDcal2nEOFQQSES4tD
X-IronPort-AV: E=Sophos;i="4.56,378,1280707200"; d="scan'208";a="187902520"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-4.cisco.com with ESMTP; 17 Sep 2010 00:13:39 +0000
Received: from dwingWS ([10.32.240.196]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o8H0Dd4R024957; Fri, 17 Sep 2010 00:13:39 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Randy Stewart' <randall@lakerest.net>
References: <AANLkTi=Rr5h9SnpxqNPvTnGfMx7fodb_QqH9kr8pmNh1@mail.gmail.com> <Pine.LNX.4.64.1009141111200.22843@adax.adax> <CBD0D74D-4F93-42BE-A092-C4A8A7F72E03@lakerest.net> <043b01cb55d5$1cae4890$560ad9b0$@com> <D56EF519-0AB3-48D2-A7F9-876F155FBF49@lurchi.franken.de> <047601cb55db$5c0ff6e0$142fe4a0$@com> <88948F5D-181F-416A-BC2B-6AED889B0EC9@lakerest.net>
In-Reply-To: <88948F5D-181F-416A-BC2B-6AED889B0EC9@lakerest.net>
Subject: RE: Invalid IP in INIT/INITCAK message
Date: Thu, 16 Sep 2010 17:13:39 -0700
Message-ID: <059701cb55fd$2de59aa0$89b0cfe0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: ActV7KbXBxHu2cQQTXeIQcZN9hUs6AAEFw6w
Content-Language: en-us
Cc: "'\"'Michael Tüxen'\"'" <Michael.Tuexen@lurchi.franken.de>, 'tsvwg' <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2010 00:13:51 -0000

> -----Original Message-----
> From: Randy Stewart [mailto:randall@lakerest.net]
> Sent: Thursday, September 16, 2010 3:11 PM
> To: Dan Wing
> Cc: "'Michael Tüxen'"; 'tsvwg'
> Subject: Re: Invalid IP in INIT/INITCAK message
> 
> Dan:
> 
> SOme comments in-line..
> 
> 
> On Sep 16, 2010, at 1:11 PM, Dan Wing wrote:
> 
> >> -----Original Message-----
> >> From: Michael Tüxen [mailto:Michael.Tuexen@lurchi.franken.de]
> >> Sent: Thursday, September 16, 2010 12:58 PM
> >> To: Dan Wing
> >> Cc: 'Randy Stewart'; 'Chris Benson'; 'tsvwg'
> >> Subject: Re: Invalid IP in INIT/INITCAK message
> >>
> >> On Sep 16, 2010, at 9:26 PM, Dan Wing wrote:
> >>
> >>>> -----Original Message-----
> >>>> From: tsvwg-bounces@ietf.org [mailto:tsvwg-bounces@ietf.org] On
> >> Behalf
> >>>> Of Randy Stewart
> >>>> Sent: Wednesday, September 15, 2010 1:58 PM
> >>>> To: Chris Benson
> >>>> Cc: tsvwg
> >>>> Subject: Re: Invalid IP in INIT/INITCAK message
> >>>>
> >>>> Chris:
> >>>>
> >>>> Even besides the point you make is another issue in several
> >>>> drafts that have been lost to time (and probably should be
> >>>> resurrected).
> >>>>
> >>>> It is completely possible for a peer to list an address that it
> >>>> really has but is not really valid for you. I.e. address scoping.
> >>>>
> >>>> If the peer incorrectly scopes its address and for example
> >>>> sends a private address "10.1.1.1" with its init..
> >>>
> >>> Let's say the SCTP server has two inerfaces -- one public-facing
> >>> with a public IPv4 address, and another is 10.1.1.254.
> >>>
> >>> How is the incoming SCTP INIT to the public IPv4 address,
> containing
> >>> 10.1.1.1 in the INIT, supposed to be handled?
> >> Hi Dan,
> >>
> >> we need to bring back the address scoping IDs... There was actually
> >> one for IPv4 see
> >> http://tools.ietf.org/html/draft-stewart-tsvwg-sctp-ipv4-00
> >> and one for IPv6
> >> http://tools.ietf.org/html/draft-stewart-tsvwg-sctpipv6-00
> >>
> >> They need to be combined based on the so called level
> >> from the first ID...
> >>
> >> The client should not list the private address in the INIT,
> >> when it is sent to a public address.
> >> This is described by the second bullet of section 3.3 of the
> >> above ID. The FreeBSD implementation would not list the address.
> >
> > But how do we prevent the association from being ABORTed,
> > as described in
> > http://tools.ietf.org/html/draft-stewart-tsvwg-sctp-
> > ipv4-00#section-3.2
> >
> > Seems in addition to what is described in that I-D, some ABORTs will
> > need to be ignored.
> 
> Well actually if the client outside follows the scoping draft as
> Michael
> said you would NOT list the 10. network and thus no abort would be
> generated.
> 
> And if you want to use the 10. network in the association then you
> would
> need to have the client send the INIT to the 10. network to begin with.
> 
> This is the only way that the server would then know its safe to list
> the 10. network and that the clients 10. network is reachable and the
> same
> one as the servers...
> 
> The heart of the idea is to only list address that are in scope of
> the association. If an address is not in scope then the client does
> not list it... thus no aborts...
> 
> This is the same sort of thing that we do with link-local address in
> V6... the
> only way you can add one to an association is NOT list it and send to
> your peer
> (somehow the client must know which interface... KAME-BSD did this
> interface
> index thing in the destination address)... and that way when you
> received the
> packet you would include the link local address and be able to snatch
> in what
> the actual input interface was....
> 
> You have the same problem there... since a link local on one network
> may be on another
> at a different host...
> 
> If you follow the rules of those two drafts (which do need to be
> merged and resurrected) then
> you would never have any stray aborts floating around..

I now see what you're saying, thanks.  

But this turns this into the same address-selection problem that is causing
us grief as described in RFC5220, RFC5221, and
draft-troan-multihoming-without-nat66.

-d


> R
> 
> 
> >
> >
> >>> Seems the SCTP client and server should try to use 10.1.1.1 and
> >>> 10.1.1.254 (when they are on the same network) but it's also
> >>> important to not abort their association if they aren't on
> >>> the same network (and there is another SCTP host on the
> >>> local network, listening on the same port).
> >> I think they should NOT list the addresses. If they want to use it,
> >> the client should send the INIT to the private address listing
> >> the global one.
> >
> > The client cannot always know the server also has a private address.
> > If it could, all of the server's addresses would be in DNS and
> > we wouldn't need to have the addresses in INIT / INIT-ACK.
> >
> > -d
> >
> >> Best regards
> >> Michael
> >>>
> >>>> In such a case you probably don't want to destroy the assoc.. but
> >>>> instead
> >>>> silently discard the address.
> >>>>
> >>>> V6 Link local address are in this same category.. If the source
> >> address
> >>>> is a link local.. fine you can use it since you can determine
> which
> >>>> link
> >>>> it goes with.. But if the link local is listed... then the
> address,
> >>>> though
> >>>> valid for the sender is un-useable by the receiver since the
> >> receiver
> >>>> will
> >>>> not know which link it goes with.
> >>>
> >>> Agreed that is a problem for link local (fe80::/64).
> >>>
> >>> What of ULA (fc00::/7), which seem they could suffer the same
> >>> scoping
> >>> problem as RFC1918 addresses -- namely, can't tell if the peer is
> >>> in the same scoped network or not.
> >>>
> >>> -d
> >>>
> >>>
> >>>> R
> >>>>
> >>>> On Sep 14, 2010, at 11:48 AM, Chris Benson wrote:
> >>>>
> >>>>> Dear Padmalochan,
> >>>>>
> >>>>> Before considering an appropriate ABORT error code, I am
> >>>>> not convinced that including [additional] invalid IPv4
> >>>>> addresses (such as 0.0.0.0 or 255.255.255.255) should
> >>>>> abort the establishment of the association.  I'll assume
> >>>>> that there is a valid address somewhere, because the
> >>>>> chunk got here!
> >>>>>
> >>>>> I'll pose this preliminary question:
> >>>>>
> >>>>> (Q1) If an INIT or INIT ACK message contains a well-formed but
> >>>>> numerically unusable IPv4 address, should the association setup
> >>>>> be aborted?
> >>>>>
> >>>>> The RFC mentions an extreme case of an INIT ACK chunk containing
> >>>>> 1,000 IPv4 addresses.  It seems harsh (to me) to reject the
> >>>>> whole association if one of these addresses is not usable.
> >>>>>
> >>>>> There are "clues" in the RFC that one might proceed anyway
> >>>>> (assuming at least one usable address).  This is mentioned
> >>>>> several times, including here:
> >>>>>
> >>>>> RFC 4960 Section 5.1.2, 2nd IMPLEMENTATION NOTE, page 60.
> >>>>> IMPLEMENTATION NOTE: If an SCTP endpoint that only supports
> >>>>> either IPv4 or IPv6 receives IPv4 and IPv6 addresses in an
> >>>>> INIT or INIT ACK chunk from its peer, it MUST use all the
> >>>>> addresses belonging to the supported address family.  The
> >>>>> other addresses MAY be ignored.  The endpoint SHOULD NOT
> >>>>> respond with any kind of error indication.
> >>>>>
> >>>>> On your actual question, it seems to me that "Unresolvable
> >>>>> Address" is intended for an incoming request to use an Address
> >>>>> Type that is not supported ("unwilling or incapable") by the
> >>>>> receiver. So you would use this error code if you didn't
> >>>>> support IPv4 addresses at all, for example.
> >>>>>
> >>>>> I don't see a more appropriate error code, though. Perhaps
> >>>>> this is because the answer to my (Q1) above is "no".
> >>>>>
> >>>>> Various IPv4 multicast addresses (224.0.0.0 - 239.255.255.255)
> >>>>> including link local addresses, similarly don't seem appropriate
> >>>>> for SCTP.  I would be inclined not to police every address at
> >>>>> the expense of the association.  I'd just discover during the
> >>>>> association that it isn't "reachable".
> >>>>>
> >>>>> With thanks, from Chris Benson.
> >>>>>
> >>>>> On Wed, 8 Sep 2010, Padmalochan Moharana wrote:
> >>>>>
> >>>>>>> Date: Wed, 8 Sep 2010 12:55:06 +0530
> >>>>>>> From: Padmalochan Moharana <padman.m@gmail.com>
> >>>>>>> To: tsvwg <tsvwg@ietf.org>
> >>>>>>> Subject: Invalid IP in INIT/INITCAK message
> >>>>>>>
> >>>>>>> Hi All,
> >>>>>>> What should be the behavior of the SCTP endpoint on receive
> >>>>>>> INIT/
> >>>>>>> INIT
> >>>>>>> ACK message with invalid IP (0.0.0.0 or 255.255.255.255)?
> >>>>>>> Should endpoint discard the received INIT/INITACK message and
> >>>>>>> response
> >>>>>>> ABORT with error cause Unresolvable Address?
> >>>>>>>
> >>>>>>> Br,
> >>>>>>> Padmalochan
> >>>>>>>
> >>>>>
> >>>>
> >>>> -----
> >>>> Randall Stewart
> >>>> randall@lakerest.net
> >>>>
> >>>>
> >>>
> >>>
> >>>
> >
> >
> 
> -----
> Randall Stewart
> randall@lakerest.net
> 
>

v2.23.0 | Report a Bug | By Email