RE: Invalid IP in INIT/INITCAK message
"Dan Wing" <dwing@cisco.com> Fri, 17 September 2010 00:13 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA93E3A6B04 for <tsvwg@core3.amsl.com>; Thu, 16 Sep 2010 17:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.566
X-Spam-Level:
X-Spam-Status: No, score=-110.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MglAlErpEcfz for <tsvwg@core3.amsl.com>; Thu, 16 Sep 2010 17:13:17 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id BF8603A6AC0 for <tsvwg@ietf.org>; Thu, 16 Sep 2010 17:13:14 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAOJPkkyrRN+K/2dsb2JhbACVUYxDcal2nEOFQQSES4tD
X-IronPort-AV: E=Sophos;i="4.56,378,1280707200"; d="scan'208";a="187902520"
Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-4.cisco.com with ESMTP; 17 Sep 2010 00:13:39 +0000
Received: from dwingWS ([10.32.240.196]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id o8H0Dd4R024957; Fri, 17 Sep 2010 00:13:39 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Randy Stewart' <randall@lakerest.net>
References: <AANLkTi=Rr5h9SnpxqNPvTnGfMx7fodb_QqH9kr8pmNh1@mail.gmail.com> <Pine.LNX.4.64.1009141111200.22843@adax.adax> <CBD0D74D-4F93-42BE-A092-C4A8A7F72E03@lakerest.net> <043b01cb55d5$1cae4890$560ad9b0$@com> <D56EF519-0AB3-48D2-A7F9-876F155FBF49@lurchi.franken.de> <047601cb55db$5c0ff6e0$142fe4a0$@com> <88948F5D-181F-416A-BC2B-6AED889B0EC9@lakerest.net>
In-Reply-To: <88948F5D-181F-416A-BC2B-6AED889B0EC9@lakerest.net>
Subject: RE: Invalid IP in INIT/INITCAK message
Date: Thu, 16 Sep 2010 17:13:39 -0700
Message-ID: <059701cb55fd$2de59aa0$89b0cfe0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: ActV7KbXBxHu2cQQTXeIQcZN9hUs6AAEFw6w
Content-Language: en-us
Cc: "'\"'Michael Tüxen'\"'" <Michael.Tuexen@lurchi.franken.de>, 'tsvwg' <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2010 00:13:51 -0000
> -----Original Message----- > From: Randy Stewart [mailto:randall@lakerest.net] > Sent: Thursday, September 16, 2010 3:11 PM > To: Dan Wing > Cc: "'Michael Tüxen'"; 'tsvwg' > Subject: Re: Invalid IP in INIT/INITCAK message > > Dan: > > SOme comments in-line.. > > > On Sep 16, 2010, at 1:11 PM, Dan Wing wrote: > > >> -----Original Message----- > >> From: Michael Tüxen [mailto:Michael.Tuexen@lurchi.franken.de] > >> Sent: Thursday, September 16, 2010 12:58 PM > >> To: Dan Wing > >> Cc: 'Randy Stewart'; 'Chris Benson'; 'tsvwg' > >> Subject: Re: Invalid IP in INIT/INITCAK message > >> > >> On Sep 16, 2010, at 9:26 PM, Dan Wing wrote: > >> > >>>> -----Original Message----- > >>>> From: tsvwg-bounces@ietf.org [mailto:tsvwg-bounces@ietf.org] On > >> Behalf > >>>> Of Randy Stewart > >>>> Sent: Wednesday, September 15, 2010 1:58 PM > >>>> To: Chris Benson > >>>> Cc: tsvwg > >>>> Subject: Re: Invalid IP in INIT/INITCAK message > >>>> > >>>> Chris: > >>>> > >>>> Even besides the point you make is another issue in several > >>>> drafts that have been lost to time (and probably should be > >>>> resurrected). > >>>> > >>>> It is completely possible for a peer to list an address that it > >>>> really has but is not really valid for you. I.e. address scoping. > >>>> > >>>> If the peer incorrectly scopes its address and for example > >>>> sends a private address "10.1.1.1" with its init.. > >>> > >>> Let's say the SCTP server has two inerfaces -- one public-facing > >>> with a public IPv4 address, and another is 10.1.1.254. > >>> > >>> How is the incoming SCTP INIT to the public IPv4 address, > containing > >>> 10.1.1.1 in the INIT, supposed to be handled? > >> Hi Dan, > >> > >> we need to bring back the address scoping IDs... There was actually > >> one for IPv4 see > >> http://tools.ietf.org/html/draft-stewart-tsvwg-sctp-ipv4-00 > >> and one for IPv6 > >> http://tools.ietf.org/html/draft-stewart-tsvwg-sctpipv6-00 > >> > >> They need to be combined based on the so called level > >> from the first ID... > >> > >> The client should not list the private address in the INIT, > >> when it is sent to a public address. > >> This is described by the second bullet of section 3.3 of the > >> above ID. The FreeBSD implementation would not list the address. > > > > But how do we prevent the association from being ABORTed, > > as described in > > http://tools.ietf.org/html/draft-stewart-tsvwg-sctp- > > ipv4-00#section-3.2 > > > > Seems in addition to what is described in that I-D, some ABORTs will > > need to be ignored. > > Well actually if the client outside follows the scoping draft as > Michael > said you would NOT list the 10. network and thus no abort would be > generated. > > And if you want to use the 10. network in the association then you > would > need to have the client send the INIT to the 10. network to begin with. > > This is the only way that the server would then know its safe to list > the 10. network and that the clients 10. network is reachable and the > same > one as the servers... > > The heart of the idea is to only list address that are in scope of > the association. If an address is not in scope then the client does > not list it... thus no aborts... > > This is the same sort of thing that we do with link-local address in > V6... the > only way you can add one to an association is NOT list it and send to > your peer > (somehow the client must know which interface... KAME-BSD did this > interface > index thing in the destination address)... and that way when you > received the > packet you would include the link local address and be able to snatch > in what > the actual input interface was.... > > You have the same problem there... since a link local on one network > may be on another > at a different host... > > If you follow the rules of those two drafts (which do need to be > merged and resurrected) then > you would never have any stray aborts floating around.. I now see what you're saying, thanks. But this turns this into the same address-selection problem that is causing us grief as described in RFC5220, RFC5221, and draft-troan-multihoming-without-nat66. -d > R > > > > > > > >>> Seems the SCTP client and server should try to use 10.1.1.1 and > >>> 10.1.1.254 (when they are on the same network) but it's also > >>> important to not abort their association if they aren't on > >>> the same network (and there is another SCTP host on the > >>> local network, listening on the same port). > >> I think they should NOT list the addresses. If they want to use it, > >> the client should send the INIT to the private address listing > >> the global one. > > > > The client cannot always know the server also has a private address. > > If it could, all of the server's addresses would be in DNS and > > we wouldn't need to have the addresses in INIT / INIT-ACK. > > > > -d > > > >> Best regards > >> Michael > >>> > >>>> In such a case you probably don't want to destroy the assoc.. but > >>>> instead > >>>> silently discard the address. > >>>> > >>>> V6 Link local address are in this same category.. If the source > >> address > >>>> is a link local.. fine you can use it since you can determine > which > >>>> link > >>>> it goes with.. But if the link local is listed... then the > address, > >>>> though > >>>> valid for the sender is un-useable by the receiver since the > >> receiver > >>>> will > >>>> not know which link it goes with. > >>> > >>> Agreed that is a problem for link local (fe80::/64). > >>> > >>> What of ULA (fc00::/7), which seem they could suffer the same > >>> scoping > >>> problem as RFC1918 addresses -- namely, can't tell if the peer is > >>> in the same scoped network or not. > >>> > >>> -d > >>> > >>> > >>>> R > >>>> > >>>> On Sep 14, 2010, at 11:48 AM, Chris Benson wrote: > >>>> > >>>>> Dear Padmalochan, > >>>>> > >>>>> Before considering an appropriate ABORT error code, I am > >>>>> not convinced that including [additional] invalid IPv4 > >>>>> addresses (such as 0.0.0.0 or 255.255.255.255) should > >>>>> abort the establishment of the association. I'll assume > >>>>> that there is a valid address somewhere, because the > >>>>> chunk got here! > >>>>> > >>>>> I'll pose this preliminary question: > >>>>> > >>>>> (Q1) If an INIT or INIT ACK message contains a well-formed but > >>>>> numerically unusable IPv4 address, should the association setup > >>>>> be aborted? > >>>>> > >>>>> The RFC mentions an extreme case of an INIT ACK chunk containing > >>>>> 1,000 IPv4 addresses. It seems harsh (to me) to reject the > >>>>> whole association if one of these addresses is not usable. > >>>>> > >>>>> There are "clues" in the RFC that one might proceed anyway > >>>>> (assuming at least one usable address). This is mentioned > >>>>> several times, including here: > >>>>> > >>>>> RFC 4960 Section 5.1.2, 2nd IMPLEMENTATION NOTE, page 60. > >>>>> IMPLEMENTATION NOTE: If an SCTP endpoint that only supports > >>>>> either IPv4 or IPv6 receives IPv4 and IPv6 addresses in an > >>>>> INIT or INIT ACK chunk from its peer, it MUST use all the > >>>>> addresses belonging to the supported address family. The > >>>>> other addresses MAY be ignored. The endpoint SHOULD NOT > >>>>> respond with any kind of error indication. > >>>>> > >>>>> On your actual question, it seems to me that "Unresolvable > >>>>> Address" is intended for an incoming request to use an Address > >>>>> Type that is not supported ("unwilling or incapable") by the > >>>>> receiver. So you would use this error code if you didn't > >>>>> support IPv4 addresses at all, for example. > >>>>> > >>>>> I don't see a more appropriate error code, though. Perhaps > >>>>> this is because the answer to my (Q1) above is "no". > >>>>> > >>>>> Various IPv4 multicast addresses (224.0.0.0 - 239.255.255.255) > >>>>> including link local addresses, similarly don't seem appropriate > >>>>> for SCTP. I would be inclined not to police every address at > >>>>> the expense of the association. I'd just discover during the > >>>>> association that it isn't "reachable". > >>>>> > >>>>> With thanks, from Chris Benson. > >>>>> > >>>>> On Wed, 8 Sep 2010, Padmalochan Moharana wrote: > >>>>> > >>>>>>> Date: Wed, 8 Sep 2010 12:55:06 +0530 > >>>>>>> From: Padmalochan Moharana <padman.m@gmail.com> > >>>>>>> To: tsvwg <tsvwg@ietf.org> > >>>>>>> Subject: Invalid IP in INIT/INITCAK message > >>>>>>> > >>>>>>> Hi All, > >>>>>>> What should be the behavior of the SCTP endpoint on receive > >>>>>>> INIT/ > >>>>>>> INIT > >>>>>>> ACK message with invalid IP (0.0.0.0 or 255.255.255.255)? > >>>>>>> Should endpoint discard the received INIT/INITACK message and > >>>>>>> response > >>>>>>> ABORT with error cause Unresolvable Address? > >>>>>>> > >>>>>>> Br, > >>>>>>> Padmalochan > >>>>>>> > >>>>> > >>>> > >>>> ----- > >>>> Randall Stewart > >>>> randall@lakerest.net > >>>> > >>>> > >>> > >>> > >>> > > > > > > ----- > Randall Stewart > randall@lakerest.net > >
- Invalid IP in INIT/INITCAK message Padmalochan Moharana
- Re: Invalid IP in INIT/INITCAK message Thomas Dreibholz
- Re: Invalid IP in INIT/INITCAK message Padmalochan Moharana
- Re: Invalid IP in INIT/INITCAK message Randy Stewart
- Re: Invalid IP in INIT/INITCAK message Chris Benson
- Re: Invalid IP in INIT/INITCAK message Randy Stewart
- RE: Invalid IP in INIT/INITCAK message Dan Wing
- Re: Invalid IP in INIT/INITCAK message Michael Tüxen
- RE: Invalid IP in INIT/INITCAK message Dan Wing
- Re: Invalid IP in INIT/INITCAK message Randy Stewart
- RE: Invalid IP in INIT/INITCAK message Dan Wing