RE: Invalid IP in INIT/INITCAK message
"Dan Wing" <dwing@cisco.com> Thu, 16 September 2010 20:11 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F8903A6990 for <tsvwg@core3.amsl.com>; Thu, 16 Sep 2010 13:11:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.247
X-Spam-Level:
X-Spam-Status: No, score=-110.247 tagged_above=-999 required=5 tests=[AWL=0.052, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UggSKHkp-KVv for <tsvwg@core3.amsl.com>; Thu, 16 Sep 2010 13:11:09 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 8CBC83A69F5 for <tsvwg@ietf.org>; Thu, 16 Sep 2010 13:11:08 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EADsWkkyrR7Hu/2dsb2JhbACVS4xDcak3nESFQQSES4tD
X-IronPort-AV: E=Sophos;i="4.56,378,1280707200"; d="scan'208";a="187798085"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-4.cisco.com with ESMTP; 16 Sep 2010 20:11:33 +0000
Received: from dwingWS ([10.32.240.196]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o8GKBXue012859; Thu, 16 Sep 2010 20:11:33 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Michael Tüxen' <Michael.Tuexen@lurchi.franken.de>
References: <AANLkTi=Rr5h9SnpxqNPvTnGfMx7fodb_QqH9kr8pmNh1@mail.gmail.com> <Pine.LNX.4.64.1009141111200.22843@adax.adax> <CBD0D74D-4F93-42BE-A092-C4A8A7F72E03@lakerest.net> <043b01cb55d5$1cae4890$560ad9b0$@com> <D56EF519-0AB3-48D2-A7F9-876F155FBF49@lurchi.franken.de>
In-Reply-To: <D56EF519-0AB3-48D2-A7F9-876F155FBF49@lurchi.franken.de>
Subject: RE: Invalid IP in INIT/INITCAK message
Date: Thu, 16 Sep 2010 13:11:33 -0700
Message-ID: <047601cb55db$5c0ff6e0$142fe4a0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: ActV2YW5mVz4/YXmRteEA4TfJdPvDQAAXHlg
Content-Language: en-us
Cc: 'tsvwg' <tsvwg@ietf.org>, 'Randy Stewart' <randall@lakerest.net>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Sep 2010 20:11:12 -0000
> -----Original Message----- > From: Michael Tüxen [mailto:Michael.Tuexen@lurchi.franken.de] > Sent: Thursday, September 16, 2010 12:58 PM > To: Dan Wing > Cc: 'Randy Stewart'; 'Chris Benson'; 'tsvwg' > Subject: Re: Invalid IP in INIT/INITCAK message > > On Sep 16, 2010, at 9:26 PM, Dan Wing wrote: > > >> -----Original Message----- > >> From: tsvwg-bounces@ietf.org [mailto:tsvwg-bounces@ietf.org] On > Behalf > >> Of Randy Stewart > >> Sent: Wednesday, September 15, 2010 1:58 PM > >> To: Chris Benson > >> Cc: tsvwg > >> Subject: Re: Invalid IP in INIT/INITCAK message > >> > >> Chris: > >> > >> Even besides the point you make is another issue in several > >> drafts that have been lost to time (and probably should be > >> resurrected). > >> > >> It is completely possible for a peer to list an address that it > >> really has but is not really valid for you. I.e. address scoping. > >> > >> If the peer incorrectly scopes its address and for example > >> sends a private address "10.1.1.1" with its init.. > > > > Let's say the SCTP server has two inerfaces -- one public-facing > > with a public IPv4 address, and another is 10.1.1.254. > > > > How is the incoming SCTP INIT to the public IPv4 address, containing > > 10.1.1.1 in the INIT, supposed to be handled? > Hi Dan, > > we need to bring back the address scoping IDs... There was actually > one for IPv4 see > http://tools.ietf.org/html/draft-stewart-tsvwg-sctp-ipv4-00 > and one for IPv6 > http://tools.ietf.org/html/draft-stewart-tsvwg-sctpipv6-00 > > They need to be combined based on the so called level > from the first ID... > > The client should not list the private address in the INIT, > when it is sent to a public address. > This is described by the second bullet of section 3.3 of the > above ID. The FreeBSD implementation would not list the address. But how do we prevent the association from being ABORTed, as described in http://tools.ietf.org/html/draft-stewart-tsvwg-sctp-ipv4-00#section-3.2 Seems in addition to what is described in that I-D, some ABORTs will need to be ignored. > > Seems the SCTP client and server should try to use 10.1.1.1 and > > 10.1.1.254 (when they are on the same network) but it's also > > important to not abort their association if they aren't on > > the same network (and there is another SCTP host on the > > local network, listening on the same port). > I think they should NOT list the addresses. If they want to use it, > the client should send the INIT to the private address listing > the global one. The client cannot always know the server also has a private address. If it could, all of the server's addresses would be in DNS and we wouldn't need to have the addresses in INIT / INIT-ACK. -d > Best regards > Michael > > > >> In such a case you probably don't want to destroy the assoc.. but > >> instead > >> silently discard the address. > >> > >> V6 Link local address are in this same category.. If the source > address > >> is a link local.. fine you can use it since you can determine which > >> link > >> it goes with.. But if the link local is listed... then the address, > >> though > >> valid for the sender is un-useable by the receiver since the > receiver > >> will > >> not know which link it goes with. > > > > Agreed that is a problem for link local (fe80::/64). > > > > What of ULA (fc00::/7), which seem they could suffer the same scoping > > problem as RFC1918 addresses -- namely, can't tell if the peer is > > in the same scoped network or not. > > > > -d > > > > > >> R > >> > >> On Sep 14, 2010, at 11:48 AM, Chris Benson wrote: > >> > >>> Dear Padmalochan, > >>> > >>> Before considering an appropriate ABORT error code, I am > >>> not convinced that including [additional] invalid IPv4 > >>> addresses (such as 0.0.0.0 or 255.255.255.255) should > >>> abort the establishment of the association. I'll assume > >>> that there is a valid address somewhere, because the > >>> chunk got here! > >>> > >>> I'll pose this preliminary question: > >>> > >>> (Q1) If an INIT or INIT ACK message contains a well-formed but > >>> numerically unusable IPv4 address, should the association setup > >>> be aborted? > >>> > >>> The RFC mentions an extreme case of an INIT ACK chunk containing > >>> 1,000 IPv4 addresses. It seems harsh (to me) to reject the > >>> whole association if one of these addresses is not usable. > >>> > >>> There are "clues" in the RFC that one might proceed anyway > >>> (assuming at least one usable address). This is mentioned > >>> several times, including here: > >>> > >>> RFC 4960 Section 5.1.2, 2nd IMPLEMENTATION NOTE, page 60. > >>> IMPLEMENTATION NOTE: If an SCTP endpoint that only supports > >>> either IPv4 or IPv6 receives IPv4 and IPv6 addresses in an > >>> INIT or INIT ACK chunk from its peer, it MUST use all the > >>> addresses belonging to the supported address family. The > >>> other addresses MAY be ignored. The endpoint SHOULD NOT > >>> respond with any kind of error indication. > >>> > >>> On your actual question, it seems to me that "Unresolvable > >>> Address" is intended for an incoming request to use an Address > >>> Type that is not supported ("unwilling or incapable") by the > >>> receiver. So you would use this error code if you didn't > >>> support IPv4 addresses at all, for example. > >>> > >>> I don't see a more appropriate error code, though. Perhaps > >>> this is because the answer to my (Q1) above is "no". > >>> > >>> Various IPv4 multicast addresses (224.0.0.0 - 239.255.255.255) > >>> including link local addresses, similarly don't seem appropriate > >>> for SCTP. I would be inclined not to police every address at > >>> the expense of the association. I'd just discover during the > >>> association that it isn't "reachable". > >>> > >>> With thanks, from Chris Benson. > >>> > >>> On Wed, 8 Sep 2010, Padmalochan Moharana wrote: > >>> > >>>>> Date: Wed, 8 Sep 2010 12:55:06 +0530 > >>>>> From: Padmalochan Moharana <padman.m@gmail.com> > >>>>> To: tsvwg <tsvwg@ietf.org> > >>>>> Subject: Invalid IP in INIT/INITCAK message > >>>>> > >>>>> Hi All, > >>>>> What should be the behavior of the SCTP endpoint on receive INIT/ > >>>>> INIT > >>>>> ACK message with invalid IP (0.0.0.0 or 255.255.255.255)? > >>>>> Should endpoint discard the received INIT/INITACK message and > >>>>> response > >>>>> ABORT with error cause Unresolvable Address? > >>>>> > >>>>> Br, > >>>>> Padmalochan > >>>>> > >>> > >> > >> ----- > >> Randall Stewart > >> randall@lakerest.net > >> > >> > > > > > >
- Invalid IP in INIT/INITCAK message Padmalochan Moharana
- Re: Invalid IP in INIT/INITCAK message Thomas Dreibholz
- Re: Invalid IP in INIT/INITCAK message Padmalochan Moharana
- Re: Invalid IP in INIT/INITCAK message Randy Stewart
- Re: Invalid IP in INIT/INITCAK message Chris Benson
- Re: Invalid IP in INIT/INITCAK message Randy Stewart
- RE: Invalid IP in INIT/INITCAK message Dan Wing
- Re: Invalid IP in INIT/INITCAK message Michael Tüxen
- RE: Invalid IP in INIT/INITCAK message Dan Wing
- Re: Invalid IP in INIT/INITCAK message Randy Stewart
- RE: Invalid IP in INIT/INITCAK message Dan Wing