Re: [v6ops] Extension Headers / Impact on Security Devices

Joe Touch <touch@isi.edu> Tue, 26 May 2015 23:56 UTC

Return-Path: <touch@isi.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 625C61B332A for <v6ops@ietfa.amsl.com>; Tue, 26 May 2015 16:56:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F218TArDzegi for <v6ops@ietfa.amsl.com>; Tue, 26 May 2015 16:56:40 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1862F1ACD77 for <v6ops@ietf.org>; Tue, 26 May 2015 16:56:40 -0700 (PDT)
Received: from [128.9.160.252] (pen.isi.edu [128.9.160.252]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id t4QNuIKq020840 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 26 May 2015 16:56:18 -0700 (PDT)
Message-ID: <55650821.4060907@isi.edu>
Date: Tue, 26 May 2015 16:56:17 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, v6ops@ietf.org
References: <20150515113728.GH3028@ernw.de> <878002773.794.1431739346723.JavaMail.yahoo@mail.yahoo.com> <555AB8FA.2080405@si6networks.com> <F6AA9AEA-49F0-488C-84EA-50BE103987C8@nominum.com> <555B8622.5000806@isi.edu> <555BA184.8080701@gmail.com> <555BA43F.8010303@isi.edu> <5564FB74.5020303@gmail.com> <5564FE3F.4050102@isi.edu> <556503CF.4030101@gmail.com>
In-Reply-To: <556503CF.4030101@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/9FwkCqHOyF8SNpPws3PxORykvzQ>
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 23:56:41 -0000


On 5/26/2015 4:37 PM, Brian E Carpenter wrote:
> On 27/05/2015 11:14, Joe Touch wrote:
>>
>>
>> On 5/26/2015 4:02 PM, Brian E Carpenter wrote:
>>> On 20/05/2015 08:59, Joe Touch wrote:
>> ...
>>>>> No. RFC 2460 makes it clear that hops don't modify extension headers
>>>>> (except for shuffling within a routing header).
>>>>
>>>> HBH headers are the exception and can be modified in-transit, which
>>>> would affect a transport-offset header.
>>>
>>> I don't get where RFC 2460 allows that.
>>
>> Section 4 states:
>>
>>    With one exception, extension headers are not examined or processed
>>    by any node along a packet's delivery path, until the packet reaches
>>    the node (or each of the set of nodes, in the case of multicast)
>>    identified in the Destination Address field of the IPv6 header.
>> ...
>>
>>    The exception referred to in the preceding paragraph is the Hop-by-
>>    Hop Options header, which carries information that must be examined
>>    and processed by every node along a packet's delivery path, including
>>    the source and destination nodes.
>>
>> In addition, RFC2460 defines a bit to handle when changes to such
>> options occurs en-route:
>>
>>       1 - Option Data may change en-route
>>
>> What is the purpose of that bit if the data can never change en-route?
>>
>> Such changes can affect the content and *length* of these options.
> 
> Oh yuck. I suspect that allowing a length change is an unintended side
> effect, but you're correct that it isn't forbidden. I've certainly
> always read that text as allowing an update of the current value
> of the content, not an increase in the length.

FWIW, I don't see anything that prohibits adding headers either.

Not that I think that's a great thing to play with, but seems in-scope too.

Joe