IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

RJ Atkinson <rja.lists@gmail.com> Wed, 30 May 2012 21:00 UTC

Return-Path: <rja.lists@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08C611E809C for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 14:00:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.366
X-Spam-Level:
X-Spam-Status: No, score=-3.366 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZITNj5aSSAmo for <v6ops@ietfa.amsl.com>; Wed, 30 May 2012 14:00:00 -0700 (PDT)
Received: from mail-vc0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1016C11E8088 for <v6ops@ietf.org>; Wed, 30 May 2012 13:59:59 -0700 (PDT)
Received: by vcqp1 with SMTP id p1so195924vcq.31 for <v6ops@ietf.org>; Wed, 30 May 2012 13:59:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; bh=Qo7XmZMLJwBDf02NqT1wArzh5kxEqBP1IX8tx69C/rM=; b=a3W1CkxWc0kZeIdsjiVjMrltH2k/2rglBK+cP+ho6ith2csNAZ0fR5ZvDthhKVySXr IgwpgZlMsu8lnYwimDx5Z3QU05TwLBrKxXn/ES/A/XEE5vbTS6INy6U9d+W6ru9Wpf7H ZmmkfRrKURXp4A/M6aCzixF1mHK/nO603LFuiHPeBU2z3pjvHn3WUFBl2XqTvaoOQTAd Qw4/h/zo2Rq6xTkgahnNJUPDWHHblnajTz6lnOzn6eg+725h31xHfF4xtpH1p0kw3lH8 KQLncGCV8AHk1V5/ixH5eSs1aiDVFM4Qd4Hn2H+Mtehi7CRxplr3FqFWa/qP1eFukKcm zY9g==
Received: by 10.220.115.81 with SMTP id h17mr7737436vcq.66.1338411599419; Wed, 30 May 2012 13:59:59 -0700 (PDT)
Received: from [10.30.20.11] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id o15sm1328396vdi.15.2012.05.30.13.59.57 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 30 May 2012 13:59:58 -0700 (PDT)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 30 May 2012 16:59:56 -0400
Message-Id: <7BAC243D-7B55-460E-B36C-52CA83F12B78@gmail.com>
To: v6ops@ietf.org
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2012 21:00:00 -0000

Earlier, Joel Halpern wrote:
> It seems that the right answer was discussed much earlier, namely
> changing the protocol behavior (a 6man activity) to tell hosts to
> reject RA and ND packets which were received in fragments.


Earlier, Ron Bonica wrote:
> I would be thrilled if the 6man WG would update RFC 4443 to say something like:
> "ICMPv6 packets MUST NOT be fragmented unless the ICMPv6 Type, Code, and Checksum 
> all fit in the first fragment".


I support Joel and Ron in this.  


A better approach for the RA Guard document would be:

1) to put together a separate I-D for 6MAN that says approximately 
   the above (and explains why).  There is probably a little text
   clarifying that any host receiving an RA that did not comply with
   the proposed new rule above MUST be dropped by that receiving host.

   One imagines this would not be controversial within 6MAN and could 
   proceed quickly.  If it were controversial there, that would 
   tend to indicate a significant problem with the current RA Guard text.

   This would be a more comprehensive protection.  Ultimately, the
   risk of unauthorised RA messages is a risk to the hosts, so host IPv6
   implementers have strong incentive to update their stacks quickly 
   once the IPv6 specifications are updated accordingly.  



2) in parallel with (1), revise the RA Guard I-D to either delete
   "Rule 4" (e.g. citing the proposed new rule above) or invert the
   meaning of Rule 4.  Either way, the objective would be that all 
   valid IPv6 packets are passed by an RA Guard all the time.


Yours,

Ran

PS:  It seems to me that the V6 OPS WG ought not be recommending 
     behaviours that violate the IPv6 specifications.  Instead, 
     if situations arise where V6 OPS thinks the specified behaviour 
     is either wrong or incompletely described, then someone should 
     propose an IPv6 specification update/edit/correction to the 6MAN WG.

v2.23.0 | Report a Bug | By Email