IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

RJ Atkinson <rja.lists@gmail.com> Thu, 31 May 2012 18:09 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C3E321F8747 for <v6ops@ietfa.amsl.com>; Thu, 31 May 2012 11:09:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.481
X-Spam-Level:
X-Spam-Status: No, score=-3.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GlR69q+iGQOR for <v6ops@ietfa.amsl.com>; Thu, 31 May 2012 11:09:38 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 721DE21F8746 for <v6ops@ietf.org>; Thu, 31 May 2012 11:09:38 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so876313vbb.31 for <v6ops@ietf.org>; Thu, 31 May 2012 11:09:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date :content-transfer-encoding:message-id:references:to:x-mailer; bh=YYL4pAVl64/v0kdYlaKeSAZK62neFg2hatA/0SnFzEE=; b=pw7mxdnl/gX6JKJw7Nct4PylpDSf/uTKtpwokHAyAlk/hoRX5yAlWh7HD5SeaU8G2Y tgwRKs6HdkAOJN73uIMWgM9gE6A2r9BhwEDFKxeq9450IPn60e0HrejEAZ2Q/8UZOYqy MJDxkxCnQ0sZPEzJudECVgf4OXS8znyaB3wIReXdjxkkKfldlL9jc3dzNMRk7yHYL0u2 Q3ov9qj6+4sWIok1ZR9IfjDUNHsSlRJlwZKB/56hn0xCFRyanbYX4T03AvVCOXjxYdGF Uuuy1shiXcftlxlMw67olIVjkW0/9q7YpCTp1H9cjjhoJ1rrWJV8r3X8kO4m5C4isD+V fJ+Q==
Received: by 10.220.151.80 with SMTP id b16mr3215099vcw.4.1338487777929; Thu, 31 May 2012 11:09:37 -0700 (PDT)
Received: from [10.30.20.11] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id g10sm6010811vdk.2.2012.05.31.11.09.36 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 31 May 2012 11:09:37 -0700 (PDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Apple Message framework v1278)
From: RJ Atkinson <rja.lists@gmail.com>
In-Reply-To: <4FC7934B.4010205@si6networks.com>
Date: Thu, 31 May 2012 14:09:37 -0400
Content-Transfer-Encoding: 7bit
Message-Id: <49E46AEE-9BB2-4A08-8069-29D692B21B6B@gmail.com>
References: <7BAC243D-7B55-460E-B36C-52CA83F12B78@gmail.com> <4FC6AAD4.4090108@si6networks.com> <13205C286662DE4387D9AF3AC30EF456D76C44FF13@EMBX01-WF.jnpr.net> <4FC7864D.8000307@si6networks.com> <13205C286662DE4387D9AF3AC30EF456D76C450163@EMBX01-WF.jnpr.net> <4FC7934B.4010205@si6networks.com>
To: v6ops@ietf.org
X-Mailer: Apple Mail (2.1278)
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2012 18:09:39 -0000

On 31  May 2012, at 11:50 , Fernando Gont wrote:
> On 05/31/2012 12:16 PM, Ronald Bonica wrote:
>> 1) Hosts MUST NOT fragment ICMPv6 Router Solicitation, Router
>> Advertisement, Neighbor Solicitation, Neighbor Advertisement or
>> Redirect messages.
> 
> This one is correct.
> 
> Note that in draft-gont-6man-nd-extension-headers, we're currently
> saying "SHOULD NOT", but this should probably be changed to "MUST NOT",
> as you indicate.

Agree.  

"MUST NOT" seems to be functionally necessary here.

>> 3) Hosts MUST NOT fragment packets carrying any next-layer protocol
>> unless the IPv6 header, all extension headers, the entire next-layer
>> protocol header are included in the first fragment. TCP and UDP are
>> examples of next-layer protocols.
> 
> This is correct.
> 
> We have expressed this requirement (in
> draft-gont-6man-oversized-header-chain-01.txt) as:
> 
>   All IPv6 packets MUST contain the entire IPv6 header chain within the
>   first "assumed Path-MTU" bytes of the packet.  If a packet is
>   fragmented, the first fragment of the packet (i.e., that with a
>   Fragment Offset of 0) must contain the entire IPv6 header chain
>   within the first "assumed Path-MTU" [RFC1981] [RFC4821] bytes of the
>   packet.

That seems OK at first reading.  

I hope there already is text that has the effect of requiring 
a receiving IPv6 node to drop any received ICMPv6 that hid 
behind a Fragment Header.  One imagines the actual requirement 
for receiving IPv6 nodes might be written more generically.

As an example to clarify things, it would not hurt to explicitly 
note that this does NOT preclude the use of TCP Jumbo data payloads, 
but instead merely requires that all *headers*, starting from IPv6 
base header and continuing up to & including the TCP header, 
be present in the 1st packet.

This means that the RA Guard document ought to:
(1) cite (normatively) draft-gont-6man-oversized-header-chain, 
(2) delete Rule 4 of the RA Guard draft (which is not needed), 
and 
(3) add clarifying text to the RA Guard draft noting that the 
    referenced 6MAN document ensures that RA messages that 
    try to hide behind a Fragment Header will be dropped 
    by the receiving IPv6 node.


Yours,

Ran

v2.23.0 | Report a Bug | By Email