Hi Silvia,

On Sun, May 17, 2015 at 06:43:11PM +0000, Silvia Hagen wrote:
> Hi
>
> I keep stumbling about that "recommendational wording" in RFC 2460 every time
> I teach it.
>
> Couldn't we update RFC2460 and make this list a strict order?

good luck bringing this suggestion to IETF 6man... ;-)

> I would want my firewall to notify me if the EHs in a packet do not follow
> the list.

actually when we tested a number of commercial firewalls in late 2013 (results here:
https://www.ernw.de/download/TR14_IPv6SecSummit_AAtlasis-RISC-project_results.pdf)
it turned out that pretty much all of them follow a (from our perspective)
"reasonable approach", that is, dropping "unusual combinations or number of
ext_hdrs" by default (which, of course, violates RFC 2460, but apparently all
major vendors follow a line of reasoning similar to ours).
so, in short, firewalls "are not affected".

> And limiting the number of possible EHs per packet might be a good idea.

yes, that _would actually be_ a good idea.

I'm cross-posting this to v6ops as there's a related discussion going on right
now. pls forgive this potential Usenet etiquette violation.

best

Enno

> Silvia
>
> -----Original Message-----
> From: ipv6-wg [mailto:[email protected]] On behalf of Benedikt Stockebrand
> Sent: Sunday, 17 May 2015 18:39
> To: [email protected]
> Subject: Re: [ipv6-wg] Extension Headers / Impact on Security Devices
>
> Hi Enno and list,
>
> Enno Rey <[email protected]> writes:
>
> > hope everybody had a great #RIPE70 meeting. We did!
> > Many thanks to the organizers and chairs!
>
> and thanks to the actual speakers as well the speakers we had to turn down
> due to time constraints, too :-)
>
> > If the chairs consider this appropriate we will happily give a
> > presentation on this stuff in Bucharest or at another occasion.
>
> Sounds good to me!
>
> > - looking at the "liberty" RFC2460 provides as for ext_hdrs (wrt to
> > their number, order[...]
>
> Actually, as far as I'm concerned that's the real core of the problem.
> Or more specifically, the first two lines of RFC 2460, section 4.1:
>
>     When more than one extension header is used in the same packet, it is
>     recommended that those headers appear in the following order:
>
> followed on the next page by
>
>     Each extension header should occur at most once, except for the
>     Destination Options header which should occur at most twice (once
>     before a Routing header and once before the upper-layer header).
>
> Note in particular that these are not even RFC 2119 "SHOULD" or "RECOMMENDED"
> and such.
>
> The impact here is actually at least twofold:
>
> - It is impossible to implement this as a simple pipeline architecture
>   in hardware; at least for cases deviating from the "recommendations"
>   above this effectively becomes either excessively complex to implement
>   in hardware or an invitation to DoS when implemented in software on an
>   otherwise hardware router.
>
> - As I understand it, at least some of the issues you have found are
>   effectively based on violating the second paragraph quoted, making it
>   impossible to come up with a lower bound on how long the header chain
>   can actually get and therefore leading to the fragmentation related
>   attacks and similar you have discovered.
>
> The original idea was that the extension headers are processed strictly in
> the order they occur, so one question to ask is if there is any valid reason
> to violate these "recommendations" for other than malicious purposes.
>
>
> Cheers,
>
> Benedikt
>
> --
> Benedikt Stockebrand, Stepladder IT Training+Consulting
> Dipl.-Inform. http://www.stepladder-it.com/
>
> Business Grade IPv6 --- Consulting, Training, Projects
>
> BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/

--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Commercial Register Mannheim: HRB 337135
Managing Director: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
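The check Silvia asks her firewall for (flag packets whose extension headers deviate from the RFC 2460 section 4.1 list) together with the per-packet cap on the number of extension headers that Enno endorses, as an added example that is not code from this thread, from ERNW or from any of the posters. It parses a raw IPv6 packet, walks the header chain using the length encodings of each extension header, and reports order violations, occurrence-limit violations (each header at most once, Destination Options at most twice) and a cap overrun. The cap value `max_ext_hdrs` is a hypothetical policy knob, and the `build_packet` helper constructs minimal sample packets so the check runs offline.

```python
"""RFC 2460 section 4.1 extension-header chain check (added example; not
code from the thread, ERNW or any poster). Parses a raw IPv6 packet, walks
the header chain, and reports deviations from the recommended order, the
per-header occurrence limits, and an assumed per-packet cap on the number
of extension headers (the cap value is a hypothetical policy knob)."""
import struct

IPV6_HDR_LEN = 40
# IANA Next Header values of the extension headers RFC 2460 section 4.1 orders.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HDRS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}

# Recommended positions (lower = earlier). Destination Options is special:
# it may appear once before a Routing header and once before the upper layer.
RANK = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
DEST_BEFORE_ROUTING, DEST_FINAL = 1, 6


def parse_chain(pkt):
    """Return (extension header types in wire order, upper-layer protocol).
    The upper-layer protocol is None when an ESP header hides it."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HDRS:
        chain.append(nh)
        if nh == ESP:
            return chain, None        # everything after ESP is opaque
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == FRAGMENT:            # fixed 8 octets
            hlen = 8
        elif nh == AH:                # Payload Len is in 4-octet units minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                         # Hdr Ext Len in 8-octet units, excluding the first 8
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        off, nh = off + hlen, next_nh
    return chain, nh


def check_chain(chain, max_ext_hdrs=4):
    """Return a list of policy violations; empty means the chain is acceptable.
    max_ext_hdrs is the assumed per-packet cap suggested in the thread."""
    problems = []
    if len(chain) > max_ext_hdrs:
        problems.append(f"{len(chain)} extension headers exceed the cap of {max_ext_hdrs}")
    for h in set(chain):
        limit = 2 if h == DEST_OPTS else 1
        if chain.count(h) > limit:
            problems.append(f"header {h} occurs {chain.count(h)} times (limit {limit})")
    last = -1
    for i, h in enumerate(chain):
        if h == DEST_OPTS:
            # Only the first Destination Options header that precedes a Routing
            # header takes the early slot; any other belongs before the upper layer.
            early = ROUTING in chain[i + 1:] and DEST_OPTS not in chain[:i]
            rank = DEST_BEFORE_ROUTING if early else DEST_FINAL
        else:
            rank = RANK[h]
        if rank < last:
            problems.append(f"header {h} at position {i} is out of the recommended order")
        last = rank
    return problems


def build_packet(chain, upper=6):
    """Constructed test packet: IPv6 header plus minimal extension headers
    (all-zero addresses, no upper-layer payload)."""
    types = chain + [upper]
    body = b""
    for i, h in enumerate(chain):
        nh = types[i + 1]
        if h == FRAGMENT:
            body += struct.pack("!BBHI", nh, 0, 0, 0x12345678)
        elif h == AH:
            body += struct.pack("!BBH", nh, 1, 0) + b"\x00" * 8   # 12 octets total
        elif h == ESP:
            body += b"\x00" * 8                                   # SPI + sequence
        elif h == ROUTING:
            body += bytes([nh, 0, 0, 0]) + b"\x00" * 4            # type 0, 0 segments left
        else:
            body += bytes([nh, 0]) + b"\x01\x04" + b"\x00" * 4    # 8 octets, one PadN option
    hdr = struct.pack("!IHBB", 0x60000000, len(body), types[0], 64) + b"\x00" * 32
    return hdr + body


if __name__ == "__main__":
    for chain in ([HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, DEST_OPTS],
                  [ROUTING, HOP_BY_HOP, DEST_OPTS, DEST_OPTS, DEST_OPTS]):
        parsed, upper = parse_chain(build_packet(chain))
        print(parsed, upper, check_chain(parsed, max_ext_hdrs=6) or "ok")
```

The order check deliberately treats only the first Destination Options header that is followed by a Routing header as the "early" occurrence, so a chain such as Destination Options, Destination Options, Routing is reported even though the count limit of two is not exceeded. A device applying the thread's "drop unusual chains" approach would act on any non-empty result; one that merely wants to notify, as Silvia describes, would log it.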
