Re: [v6ops] Extension Headers / Impact on Security Devices

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 27 May 2015 00:23 UTC

Message-ID: <55650E82.3090407@gmail.com>
Date: Wed, 27 May 2015 12:23:30 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Joe Touch <touch@isi.edu>, v6ops@ietf.org
References: <20150515113728.GH3028@ernw.de> <878002773.794.1431739346723.JavaMail.yahoo@mail.yahoo.com> <555AB8FA.2080405@si6networks.com> <F6AA9AEA-49F0-488C-84EA-50BE103987C8@nominum.com> <555B8622.5000806@isi.edu> <555BA184.8080701@gmail.com> <555BA43F.8010303@isi.edu> <5564FB74.5020303@gmail.com> <5564FE3F.4050102@isi.edu> <556503CF.4030101@gmail.com> <55650821.4060907@isi.edu>
In-Reply-To: <55650821.4060907@isi.edu>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/9rQVX02aLlaJCAtrqGu14ADNbno>
Subject: Re: [v6ops] Extension Headers / Impact on Security Devices

On 27/05/2015 11:56, Joe Touch wrote:
> 
> 
> On 5/26/2015 4:37 PM, Brian E Carpenter wrote:
>> On 27/05/2015 11:14, Joe Touch wrote:
>>>
>>>
>>> On 5/26/2015 4:02 PM, Brian E Carpenter wrote:
>>>> On 20/05/2015 08:59, Joe Touch wrote:
>>> ...
>>>>>> No. RFC 2460 makes it clear that hops don't modify extension headers
>>>>>> (except for shuffling within a routing header).
>>>>>
>>>>> HBH headers are the exception and can be modified in-transit, which
>>>>> would affect a transport-offset header.
>>>>
>>>> I don't get where RFC 2460 allows that.
>>>
>>> Section 4 states:
>>>
>>>    With one exception, extension headers are not examined or processed
>>>    by any node along a packet's delivery path, until the packet reaches
>>>    the node (or each of the set of nodes, in the case of multicast)
>>>    identified in the Destination Address field of the IPv6 header.
>>> ...
>>>
>>>    The exception referred to in the preceding paragraph is the Hop-by-
>>>    Hop Options header, which carries information that must be examined
>>>    and processed by every node along a packet's delivery path, including
>>>    the source and destination nodes.
>>>
>>> In addition, RFC2460 defines a bit to handle when changes to such
>>> options occur en-route:
>>>
>>>       1 - Option Data may change en-route
>>>
>>> What is the purpose of that bit if the data can never change en-route?
>>>
>>> Such changes can affect the content and *length* of these options.
>>
>> Oh yuck. I suspect that allowing a length change is an unintended side
>> effect, but you're correct that it isn't forbidden. I've certainly
>> always read that text as allowing an update of the current value
>> of the content, not an increase in the length.
> 
> FWIW, I don't see anything that prohibits adding headers either.

"With one exception, extension headers are not examined or processed
by any node along a packet's delivery path, until the packet reaches
the node (or each of the set of nodes, in the case of multicast)
identified in the Destination Address field of the IPv6 header."

To me that clearly implies not adding (which is a form of processing).

   Brian

> Not that I think that's a great thing to play with, but seems in-scope too.
> 
> Joe
>