Re: [v6ops] [Last-Call] Tsvart last call review of draft-ietf-v6ops-ipv6-ehs-packet-drops-05

Mark Smith <markzzzsmith@gmail.com> Tue, 23 February 2021 16:55 UTC

From: Mark Smith <markzzzsmith@gmail.com>
Date: Wed, 24 Feb 2021 03:54:49 +1100
Message-ID: <CAO42Z2zqD9_d2Fbr25Y2CV1GdzYKd167yf5DHeHna7V66pF65A@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Tom Herbert <tom@herbertland.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, IPv6 Operations <v6ops@ietf.org>, draft-ietf-v6ops-ipv6-ehs-packet-drops.all@ietf.org, last-call@ietf.org, tsv-art@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/CsYvZPCYGqS7T3Rgl22nO1znb7k>

On Wed, 24 Feb 2021 at 02:51, Fernando Gont <fgont@si6networks.com> wrote:
>
> Hi, Tom,
>
> On 23/2/21 11:34, Tom Herbert wrote:
> [...]
> > From the draft:
> >
> > "Unless appropriate mitigations are put in place (e.g., packet
> > dropping and/or rate-limiting), an attacker could simply send a large
> > amount of IPv6 traffic employing IPv6 Extension Headers with the
> > purpose of performing a Denial of Service (DoS) attack"
> >
> > That is clearly recommending a mitigation which is to drop packets or
> > rate-limit.
>
> No, we're just stating the obvious. If we were performing a
> recommendation, the text would be something like "IPv6 implementations
> should". And we'd also be using RFC2119 speak... and the document would
> be BCP.
>

It reads like an implied recommendation to me.

It's stating possible prevention measures, and then the consequences
of not doing them. That implies the stated prevention measures are
recommended. (e.g. "If you aren't careful with a knife, you could cut
yourself (so be careful with a knife)").

If you don't want it to read like a recommendation, the prevention
measures should be taken out, and just state the action and the
consequences e.g. something like:

"It is possible for an attacker to send a large amount of IPv6 traffic
employing IPv6 Extension Headers with the purpose of performing a
Denial of Service (DoS) attack."

That leaves it to the reader to work out how to prevent or mitigate
the consequences if they consider it to be an issue.

Regards,
Mark.

>
> > Without any parameterization, this effectively justifies
> > routers to arbitrarily drop all packets with any extension headers
> > (rate-limiting packets makes the protocol effectively useless). Also,
> > if mitigations are being mentioned then the draft should also mention
> > the possibility that routers could be fixed, this is particularly
> > apropos with regards to the "DoS due to implementation errors".
> > Contemporary routers are trending towards being programmable so
> > implementation errors should be more amenable to being fixed without
> > hardware swap out.
>
> This document does not provide any sort of advice. It's an analysis
> of which packets may get dropped.
>
> What you are asking could indeed be interesting -- but it's certainly
> out of the scope of this document.
>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492