IETF Logo Mail Archive

Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

Fernando Gont <fgont@si6networks.com> Thu, 31 May 2012 18:53 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D267121F8633 for <v6ops@ietfa.amsl.com>; Thu, 31 May 2012 11:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BMxOaYaEJjjv for <v6ops@ietfa.amsl.com>; Thu, 31 May 2012 11:53:01 -0700 (PDT)
Received: from srv01.bbserve.nl (unknown [IPv6:2a02:27f8:1025:18::232]) by ietfa.amsl.com (Postfix) with ESMTP id F163E21F8630 for <v6ops@ietf.org>; Thu, 31 May 2012 11:52:59 -0700 (PDT)
Received: from 61-128-17-190.fibertel.com.ar ([190.17.128.61] helo=[192.168.0.212]) by srv01.bbserve.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <fgont@si6networks.com>) id 1SaAUU-0001my-IX; Thu, 31 May 2012 20:52:58 +0200
Message-ID: <4FC7BE00.10403@si6networks.com>
Date: Thu, 31 May 2012 15:52:48 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: RJ Atkinson <rja.lists@gmail.com>
References: <7BAC243D-7B55-460E-B36C-52CA83F12B78@gmail.com> <4FC6AAD4.4090108@si6networks.com> <13205C286662DE4387D9AF3AC30EF456D76C44FF13@EMBX01-WF.jnpr.net> <4FC7864D.8000307@si6networks.com> <13205C286662DE4387D9AF3AC30EF456D76C450163@EMBX01-WF.jnpr.net> <4FC7934B.4010205@si6networks.com> <49E46AEE-9BB2-4A08-8069-29D692B21B6B@gmail.com>
In-Reply-To: <49E46AEE-9BB2-4A08-8069-29D692B21B6B@gmail.com>
X-Enigmail-Version: 1.5pre
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2012 18:53:03 -0000

Hi, Ran,

On 05/31/2012 03:09 PM, RJ Atkinson wrote:
>> This one is correct.
>>
>> Note that in draft-gont-6man-nd-extension-headers, we're currently
>> saying "SHOULD NOT", but this should probably be changed to "MUST NOT",
>> as you indicate.
> 
> Agree.  
> 
> "MUST NOT" seems to be functionally necessary here.

Ok, I will update the doc and resubmit, such that 6man wg is polled
about adoption of this I-D with this change 'in'.

Note: the only possible "issue" here is that with SEND, packets *might*
grow large enough to need fragmentation. However:

1) The aforementioned behaviour would be specified for traditional ND,
rather than SEND.
2) At least the packet sizes sampled in the SEND spec are not larger
than 1280 bytes
3) If you do deploy send, you don't really want to rely on
fragmentation. If you do, then an attacker could trivially "disable"
SEND by performing fragmentation (DoS) attacks.

-- Just wanted to double-check this with you before the s/SHOULD/MUST/
change.


>> We have expressed this requirement (in
>> draft-gont-6man-oversized-header-chain-01.txt) as:
>>
>>   All IPv6 packets MUST contain the entire IPv6 header chain within the
>>   first "assumed Path-MTU" bytes of the packet.  If a packet is
>>   fragmented, the first fragment of the packet (i.e., that with a
>>   Fragment Offset of 0) must contain the entire IPv6 header chain
>>   within the first "assumed Path-MTU" [RFC1981] [RFC4821] bytes of the
>>   packet.
> 
> That seems OK at first reading.  
> 
> I hope there already is text that has the effect of requiring 
> a receiving IPv6 node to drop any received ICMPv6 that hid 
> behind a Fragment Header.  

Such requirement is in draft-gont-6man-nd-extension-headers.
Essentially, draft-gont-6man-nd-extension-headers forbids the use of
fragmentation with ND, and hence this means that when it comes to ND
you'll always have the entire IPv6 header chain available in the same
packet (if you don't, the packet was fragmented, and you're required to
fragment it).

draft-gont-6man-oversized-header-chain tackles a more general problem:
since we cannot ban IPv6 fragmentation altogether for general traffic
(for obvious reasons), for the general case we require the first
fragment to include the entire IPv6 header chain (i.e., "put as many
headers as you want (including fragmentation)... but the entire IPv6
header chain must be available in the first fragment").


> One imagines the actual requirement
> for receiving IPv6 nodes might be written more generically.
> 
> As an example to clarify things, it would not hurt to explicitly 
> note that this does NOT preclude the use of TCP Jumbo data payloads, 
> but instead merely requires that all *headers*, starting from IPv6 
> base header and continuing up to & including the TCP header, 
> be present in the 1st packet.

You mean this could/should be clarified in
draft-gont-6man-oversized-header-chain-01, or somewhere else?



> This means that the RA Guard document ought to:
> (1) cite (normatively) draft-gont-6man-oversized-header-chain, 
> (2) delete Rule 4 of the RA Guard draft (which is not needed), 
> and 
> (3) add clarifying text to the RA Guard draft noting that the 
>     referenced 6MAN document ensures that RA messages that 
>     try to hide behind a Fragment Header will be dropped 
>     by the receiving IPv6 node.

But if it's agreed that packets that do not contain the entire IPv6
header chain shouldn't be there, what would be the motivation for
allowing them through ra-guard? -- Put another way, if we include a
normative reference to draft-gont-6man-oversized-header-chain, this
implicitly mean that, even with rule #4 in, the posibility of false
positives is 0 (and OTOH, leaving rule #4 in allows ra-guard to protect
'legacy' implementations.

(Me just wanting to follow your reasoning here)

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email