IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

Joel jaeggli <joelja@bogus.com> Wed, 30 May 2012 21:55 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A739D1F0C5D for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 14:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.999
X-Spam-Level:
X-Spam-Status: No, score=-101.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_13=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LSManoUna2fw for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 14:55:33 -0700 (PDT)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 2090D1F0C5C for <v6ops@ietf.org>; Wed, 30 May 2012 14:55:33 -0700 (PDT)
Received: from Joels-MacBook-Pro.local (218.sub-166-250-46.myvzw.com [166.250.46.218]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id q4ULtQK3079343 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Wed, 30 May 2012 21:55:26 GMT (envelope-from joelja@bogus.com)
Message-ID: <4FC69747.3090209@bogus.com>
Date: Wed, 30 May 2012 14:55:19 -0700
From: Joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Ronald Bonica <rbonica@juniper.net>
References: <20120529143900.25613.76678.idtracker@ietfa.amsl.com> <3B0A71DA-8846-4FFF-9AD8-9B106EF8799B@gmail.com> <4FC52FD3.9060206@gont.com.ar> <AB2444D4-E85B-4E61-9944-47FB1E369203@gmail.com> <003f01cd3e36$a3a09a60$eae1cf20$@lampo@eurid.eu> <DCC302FAA9FE5F4BBA4DCAD4656937791742B3394D@PRVPEXVS03.corp.twcable.com> <4FC64D8A.2020302@joelhalpern.com> <13205C286662DE4387D9AF3AC30EF456D76C387C2C@EMBX01-WF.jnpr.net>
In-Reply-To: <13205C286662DE4387D9AF3AC30EF456D76C387C2C@EMBX01-WF.jnpr.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Wed, 30 May 2012 21:55:28 +0000 (UTC)
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, 'Fernando Gont' <fernando@gont.com.ar>
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2012 21:55:33 -0000

On 5/30/12 12:32 , Ronald Bonica wrote:
> Joel,
> 
> On the one hand, I don't think that v6ops is overstepping its
> charter. It isn't modifying IPv6. It is merely identifying a
> combination of IPv6 features that might spell trouble used in the
> same datagram.

It's saying that that packets matching the criterion should be discarded
in order to protect yourself from damage. That is to my mind a fairly
operational recommendation.

> On the other hand, I would be thrilled if the 6man WG would update
> RFC 4443 to say something like "ICMPv6 packets MUST NOT be fragmented
> unless the ICMPv6 Type, Code and Checksum all fit in the first
> fragment".

+1

> Ron <Speaking as individual contributor>
> 
> 
>> -----Original Message----- From: v6ops-bounces@ietf.org
>> [mailto:v6ops-bounces@ietf.org] On Behalf Of Joel M. Halpern Sent:
>> Wednesday, May 30, 2012 12:41 PM To: 'Fernando Gont' Cc:
>> v6ops@ietf.org Subject: Re: [v6ops] Last Call:
>> <draft-ietf-v6ops-ra-guard- implementation-04.txt> (Implementation
>> Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best
>> Current Practice
>> 
>> I do see the importance of being apply to apply RAGuard in a
>> device which does not accumulate fragment state.  (I don't want to
>> try to analyze the potential DoS attack of having such state.)
>> 
>> However, the proposal introduces a network limtiation, essentially
>> a protocol change, in the network.  I did not think v6Ops was free
>> to recommend behaviors (dropping unclassifiable fragments) which
>> basically violate the base IPv6 spec.
>> 
>> It seems that the right answer was discussed much earlier, namely 
>> changing the protocol behavior (a 6man activity) to tell hosts to 
>> reject RA and ND packets which were received in fragments.
>> 
>> If that is the right answer, then we have to be very careful about 
>> creating long-lived restrictions as a remediation until such a
>> solution can be adopted.
>> 
>> Yours, Joel _______________________________________________ v6ops
>> mailing list v6ops@ietf.org 
>> https://www.ietf.org/mailman/listinfo/v6ops
> _______________________________________________ v6ops mailing list 
> v6ops@ietf.org https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email