
RE: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

2013-10-16 10:47:12
Hi Ole,

-----Original Message-----
From: Ole Troan [mailto:otroan(_at_)employees(_dot_)org]
Sent: Wednesday, October 16, 2013 8:29 AM
To: Templin, Fred L
Cc: Fernando Gont; Ronald Bonica; Brian E Carpenter; 6man-chairs(_at_)tools(_dot_)ietf(_dot_)org; Ray Hunter; 6man Mailing List; ietf(_at_)ietf(_dot_)org
Subject: Re: Last Call: <draft-ietf-6man-oversized-header-chain-08.txt> (Implications of Oversized IPv6 Header Chains) to Proposed Standard

Fred,

To repeat what has already been said many times (and hopefully for
just one final time), if the host is permitted to include an MTU-sized
header chain and if there is a tunnel on the path that needs to fragment
for whatever reason, then that header chain is going to spill into a
second fragment. Then, middleboxes that wish to examine the entire
header chain in the first fragment for whatever reason will be unable
to do so. Consensus or no, those are the facts.

absolutely.

the outer IPv6 header is a new datalink for the inner IPv6 header.
there is no architectural difference if that L2 is IPv6, IPv4 or PPP.
take IPv4 or PPP as an example, if PPP provides fragmentation, then
there is no expectation that the PPP or IPv4 layer keeps the payload
IPv6 header chain in one PPP or IPv4 fragment.

the rules in this document are not recursive. the header chain
terminates as soon as another IPv6 header is encountered.

I disagree with the header chain terminating as soon as another IPv6
header is encountered. That defeats defense-in-depth, since outer
perimeter middleboxes would be forced to admit packets with unexamined
header chains inward to inner perimeter middleboxes. And, if the
unexamined header chains contain bad stuff inserted by an attacker,
the attack is successful.

That requirement is also not observed by common middlebox systems
such as Wireshark and tcpdump. Both will blast past encapsulating
IPv6 headers through to the header chain inserted by the original
host without stopping at the outermost IPv6 header.

Thanks - Fred
fred(_dot_)l(_dot_)templin(_at_)boeing(_dot_)com
 
does that clarification help?
I'm not quite sure if the document is clear enough on this point.

Best regards,
Ole
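The scenario the two messages argue over, worked through as an added example (not code from the thread, the draft, or any implementation named in it): a host emits an IPv6 packet whose header chain is an oversized Destination Options header, a tunnel encapsulates it in an outer IPv6 header and fragments to its own MTU, and a middlebox walks the header chain of the first fragment. The addresses, the PadN-filled Destination Options header and the zeroed 20-octet TCP header are constructed; `stop_at_inner_ipv6` switches between the draft's "chain ends at the next IPv6 header" rule and the descend-through behaviour Fred attributes to tcpdump and Wireshark.

```python
import struct

IPV6, TCP, FRAG, DST_OPTS = 41, 6, 44, 60   # Next Header values; 0/43/60 are variable-length ext headers
def ipv6_hdr(next_hdr, payload_len):
    """Fixed 40-octet IPv6 header; addresses are constructed 2001:db8:: placeholders."""
    src, dst = (bytes.fromhex("20010db8") + b"\x00" * 11 + bytes([i]) for i in (1, 2))
    return struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, 64) + src + dst
def dst_opts(next_hdr, total_len):
    """Destination Options header of total_len octets (a multiple of 8), filled with PadN options."""
    body, remaining = b"", total_len - 2
    while remaining:                            # remaining stays 6 mod 8, so it never hits 1
        n = min(remaining, 256)
        body += b"\x01" + bytes([n - 2]) + b"\x00" * (n - 2)
        remaining -= n
    return bytes([next_hdr, total_len // 8 - 1]) + body
def tunnel_fragment(inner, mtu, frag_id=0x1234):
    """Tunnel ingress: wrap inner in an outer IPv6 header and fragment it to the tunnel MTU."""
    chunk = (mtu - 40 - 8) // 8 * 8             # room per fragment after outer + Fragment header
    frags = []
    for off in range(0, len(inner), chunk):
        piece, more = inner[off:off + chunk], int(off + chunk < len(inner))
        frag_hdr = struct.pack("!BBHI", IPV6, 0, off | more, frag_id)   # offset 8-aligned, M flag in bit 0
        frags.append(ipv6_hdr(FRAG, 8 + len(piece)) + frag_hdr + piece)
    return frags
def walk_header_chain(pkt, stop_at_inner_ipv6=False):
    """Middlebox view of one packet: (Next Header value reached, whole chain visible?). stop_at_inner_ipv6=True
    ends the walk at an encapsulated IPv6 header (the draft's rule); False descends, as tcpdump/Wireshark do."""
    off, nh = 40, pkt[6]
    while True:
        if nh == IPV6:
            if stop_at_inner_ipv6:
                return nh, True                 # chain declared complete, inner chain unexamined
            size = 40
        elif nh == FRAG:
            if off + 8 > len(pkt) or struct.unpack_from("!H", pkt, off + 2)[0] & 0xFFF8:
                return nh, False                # truncated, or a non-first fragment (no chain here)
            size = 8
        elif nh in (0, 43, 60):
            if off + 2 > len(pkt): return nh, False
            size = (pkt[off + 1] + 1) * 8
        else:
            return nh, True                     # upper-layer header reached: chain fully seen
        if off + size > len(pkt):
            return nh, False                    # this header spills into the next fragment
        nh, off = (pkt[off + 6] if nh == IPV6 else pkt[off]), off + size
def first_fragment_view(chain_len, tunnel_mtu, stop_at_inner_ipv6=False):
    """Host sends IPv6 + chain_len-octet Destination Options + TCP; the tunnel fragments at tunnel_mtu."""
    inner = ipv6_hdr(DST_OPTS, chain_len + 20) + dst_opts(TCP, chain_len) + b"\x00" * 20  # constructed TCP hdr
    return walk_header_chain(tunnel_fragment(inner, tunnel_mtu)[0], stop_at_inner_ipv6)
```

With a 1200-octet chain and a 1280-octet tunnel MTU the walk stops inside the Destination Options header with the chain incomplete; at a 1500-octet tunnel MTU it reaches TCP; with the draft's rule it stops at the encapsulated IPv6 header and reports the chain complete without having seen any of it.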
