in flight ipv6 extension header insertion considered
play

In-Flight IPv6 Extension Header Insertion Considered Harmful - PowerPoint PPT Presentation

Aug 20, 2023 •156 likes •506 views

In-Flight IPv6 Extension Header Insertion Considered Harmful draft-smith-6man-in-flight-eh-insertion-harmful IETF-106 Mark Smith markzzzsmith@gmail.com Naveen Kottapalli naveen.sarma@gmail.com Ron Bonica rbonica@juniper.net Fernando Gont

  1. In-Flight IPv6 Extension Header Insertion Considered Harmful draft-smith-6man-in-flight-eh-insertion-harmful IETF-106 Mark Smith markzzzsmith@gmail.com Naveen Kottapalli naveen.sarma@gmail.com Ron Bonica rbonica@juniper.net Fernando Gont fgont@si6networks.com Tom Herbert tom@quantonium.net

  2. RFC 1883, RFC 2460 ”Internet Protocol, Version 6 (IPv6) Specification” “With one exception, extension headers are not examined or processed by any node along a packet's delivery path , until the packet reaches the node (or each of the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header.”

  3. RFC 1883, RFC 2460 ”Internet Protocol, Version 6 (IPv6) Specification” “The exception referred to in the preceding paragraph is the Hop-by-Hop Options header , which carries information that must be examined and processed by every node along a packet's delivery path , including the source and destination nodes. The Hop-by-Hop Options header, when present, must immediately follow the IPv6 header . Its presence is indicated by the value zero in the Next Header field of the IPv6 header.”

  4. RFC 8200 ”Internet Protocol, Version 6 (IPv6) Specification” “ Extension headers (except for the Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node (or each of the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header.”

  5. RFC 8200 ”Internet Protocol, Version 6 (IPv6) Specification” “The Hop-by-Hop Options header is not inserted or deleted , but may be examined or processed by any node along a packet's delivery path , until the packet reaches the node (or each of the set of nodes, in the case of multicast) identified in the Destination Address field of the IPv6 header. The Hop-by-Hop Options header, when present, must immediately follow the IPv6 header. Its presence is indicated by the value zero in the Next Header field of the IPv6 header.”

  6. RFC 8200 Changes Motivations “must be examined and processed by every node along a packet's delivery path ” to “ may be examined or processed by any node along a packet's delivery path ” High speed routers observed ignoring HbH header “must”

  7. RFC 8200 Changes Motivations “With one exception, extension headers are not examined or processed by any node along a packet's delivery path , until ...” rephrased to be more explicit: “ Extension headers (except for the Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until ...” “Insertion of IPv6 Segment Routing Headers in a Controlled Domain” draft-voyer-6man-extension-header-insertion

  8. (Full) Internet Standard 86 (of 92) 0086 Internet Protocol, Version 6 (IPv6) Specification. S. Deering, R. Hinden. July 2017. (Format: TXT=93658 HTML= bytes) (Obsoletes RFC2460) (Also RFC8200)

  9. Internet Draft Purpose “In-Flight IPv6 Extension Header Insertion Considered Harmful” Record reasons and motivation for RFC1883/RFC2460 and RFC 8200 text. Describe IPv6 architecturally compliant solution.

  10. In-Flight EH Insertion Defined A B C Insert Remove P.L. SA.A, DA.C I.EH P.L. SA.A, DA.C I.EH P.L. P.L. SA.A, DA.C SA.A, DA.C SA.A, DA.C SA.A, DA.C Packet Path

  11. Key Observations Original SA and DA are not modified during insertion/removal. Packets are being modified without attribution - “anonymous modification”. Packet size got larger. Immutable Next Header field got modified.

  12. Motivation? Has never been specifically stated in draft-voyer- 6man-extension-header-insertion . A set of 128 bit Segment Routing Segment IDs (SIDs) is definitely going to add significant overhead. Try to save overhead somewhere else instead of having smaller SIDs?

  13. Internet Draft Theory “Since the SRH inserted within an intermediate node MUST be removed when all segments within the SRH have been visited, it is not possible to leak the SRH to the destination outside the source domain.” draft-voyer-6man-extension-header-insertion-06, July 2019

  14. Actual Network Practice Implementation Bugs Partial Device Failures Device Misconfiguration by Network Operator

  15. “Since the SRH inserted within an intermediate node MUST be removed when all segments within the SRH have been visited, ...” This MUST is an aspiration , not an assurance.

  16. Single Point of Failure The boundary of the EH insertion domain is likely to be defined by a single level of boundary devices. That means the boundary is possible Single Point of Failure.

  17. Failed EH Removal Scenario Internet Path Src Dst AS2 AS3 AS4 AS1 AS AS Brokenness occurs here. Who added/ Anonymous Failed EH inserted EH insertion removal EH that broke my traffic?

  18. Consequences and Impacts

  19. Ignores Source Address Field Semantics Once the EH is inserted, the packet’s unchanged Source Address field is now not correctly identifying all of the sources of the packet’s contents. Two devices are now responsible for the contents of the packet. One is anonymous. Mechanisms and protocols that rely on using the Source Address, if triggered by the inserted EH, may fail.

  20. Breaks ICMPv6 ICMPv6 sends messages back to trigger packet’s Source Address. ICMPv6 message triggered by inserted EH will not be sent to the EH insertion device, as it is not identified in the packet’s Source Address field.

  21. Breaks ICMPv6 PMTUD Packet size increase due to inserted EH could trigger PMTUD. ICMPv6 Packet Too Big not sent to EH insertion device, as packet’s SA is not EH insertion device.

  22. Breaks IPsec If the inserted EH fails to be removed, it will look like unauthorised packet modification to IPsec.

  23. Fault in Subsequent Transit Network If an inserted EH fails to be removed, and the packet travels through a subsequent transit network that is also inserting EHs, the non- removed EH may interfere.

  24. Incorrect Destination Host Processing Non-removed EH could cause packet to be discarded when it shouldn’t be e.g. unknown EH skipped over to next EH or UDP/TCP etc. header. Non-removed EH could cause packet to be processed when it should be discarded. Handling of unknown EHs is described in high order two bits of EH type. Non-removed EH type high order bits could be incorrect for packet’s payload and use.

  25. Implementation Complexity An EH insertion domain egress device will have to look into each and every packet’s EH chain to see if there is an EH to remove. This is more complex than using simple packet Destination Address value match to select either further simple forwarding or deeper EH processing.

  26. Postel’s Law or The Robustness Principle "Be conservative in what you send, be liberal in what you accept" Inserted EHs are not expected by RFC 8200 compliant receivers, as RFC 8200 prohibits them. Purposely sending them is not being “conservative in what you send”.

  27. Solution: Encapsulation Encapsulation is the tried, tested and proven method used to add new information to existing PDUs in the Internet architecture. e.g. TCP encaps application PDU, IP encaps TCP, Link-Layer encaps IP.

  28. Adding new EH via IPv6 tunnel encapsulation RFC 2473, “Generic Packet Tunneling in IPv6 Specification.”

  29. RFC 2473 provides EH addition attribution, via outer IPv6 packet Source Address Correctly working PMTUD as tunnel end-point that increased packet size is in outer SA.

  30. “IP Tunnels in the Internet Architecture” draft-ietf-intarea-tunnels

  31. Reducing Tunnelling Overhead Common IPv6 Packet Link-Layer Header IPv6 Header IPv6 Payload IPv6-in-IPv6 Packet IPv6 Header IPv6 Header IPv6 Payload Outer IPv6 header is a Link-Layer header in the context of the inner IPv6 packet. Coincidence that the Link-Layer header and the IPv6 packet’s header have the same structure and field semantics. Use suitable Link-Layer compression on link-layer “payload” inner IPv6 packet while in flight over tunnel.

  32. Link-Layer payload inner IPv6 packet compression ROHC: “The Robust Header Compression (ROHC) protocol provides an efficient, flexible, and future- proof header compression concept. It is designed to operate efficiently and robustly over various link technologies with different characteristics.” [RFC5795]

  33. Link-Layer payload inner IPv6 packet compression Skinny IPv6-in-IPv6 Tunnelling (draft-smith-skinny-ipv6-in-ipv6-tunnelling): - Leverages common inner and outer IPv6 header field semantics to carry many inner header field values in outer header. - Uses /64s to identify tunnel endpoints, allowing outer header address IID parts to carry inner packet IID field values.

  34. Thoughts? Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Measurement of IPv6 Extension Header Support Geoff Huston APNIC Labs IPv6 Extension Header The

Measurement of IPv6 Extension Header Support Geoff Huston APNIC Labs IPv6 Extension Header The

Measurement of IPv6 Extension Header Support Geoff Huston APNIC Labs IPv6 Extension Header The extension header sits between the IPv6 packet header and the upper level protocol header for the leading fragged packet, and sits between the

830 views • 21 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org / philippe.biondi(at)eads.net arno(at)natisbad.org /

896 views • 61 slides
IPPM Considerations for the IPv6 PDM Destination Option Nalini Elkins Inside Products, Inc.

IPPM Considerations for the IPv6 PDM Destination Option Nalini Elkins Inside Products, Inc.

IPPM Considerations for the IPv6 PDM Destination Option Nalini Elkins Inside Products, Inc. We propose: Solution Requirement Implementation of In basic IP existing extension header: Destination transport Options Header (DOH)

558 views • 22 slides
1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

IPv6 IPv6, MPLS History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

506 views • 5 slides
TRILL Header Extension Simplifica8ons Donald Eastlake 3 rd

TRILL Header Extension Simplifica8ons Donald Eastlake 3 rd

TRILL Header Extension Simplifica8ons Donald Eastlake 3 rd Huawei Technologies d3e3e3@gmail.com July 2011 1 TRILL Data Frame Format Link Specific Header TRILL

576 views • 14 slides
IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension

IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension

IPv6 Extension headers Suresh Krishnan James Woodyatt Erik Kline James Hoagland Extension headers The base IPv6 standard [RFC2460] defines extension headers An expansion mechanism to carry optional internet layer information.

638 views • 8 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

Outline Outline IPv6: An Introduction IPv6: An Introduction Problems with IPv4 Problems with IPv4 Basic IPv6 Protocol Basic IPv6 Protocol IPv6 features IPv6 features Dheeraj Sanghi Dheeraj Sanghi Auto

512 views • 7 slides
IPv6 (RFC 2460) Expanded addressing capabilities (128 bits). Header format simplification.

IPv6 (RFC 2460) Expanded addressing capabilities (128 bits). Header format simplification.

IPv6 (RFC 2460) Expanded addressing capabilities (128 bits). Header format simplification. Improved support for extensions and options. Flow labeling capability. Authenitication and privacy capabilities. 18 UTD, CS 6390 Ravi

506 views • 11 slides
Introduction to IPv6 - I Basics of IPv6 Alvaro Vives | 26 June 2017 | Workshop on Open Source

Introduction to IPv6 - I Basics of IPv6 Alvaro Vives | 26 June 2017 | Workshop on Open Source

Introduction to IPv6 - I Basics of IPv6 Alvaro Vives | 26 June 2017 | Workshop on Open Source Solutions for the IoT Contents Digital Data Transmission Packet-Switched Networks Layered Model IPv4 and IPv6 basics - IPv4 Header -

1.38k views • 32 slides
IPv6 Jyh-Cheng Chen Department of Computer Science and Institute of Communications Engineering

IPv6 Jyh-Cheng Chen Department of Computer Science and Institute of Communications Engineering

IPv6 Jyh-Cheng Chen Department of Computer Science and Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw http://www.cs.nthu.edu.tw/~jcchen Outline IPv6 Header IPv6 Addressing IPv6 Neighbor

582 views • 31 slides
IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

775 views • 46 slides
AARNet's experience with IPv6 Glen Turner 2007-11-20 Australian 2007 IPv6 Summit aar net

AARNet's experience with IPv6 Glen Turner 2007-11-20 Australian 2007 IPv6 Summit aar net

AARNet's experience with IPv6 Glen Turner 2007-11-20 Australian 2007 IPv6 Summit aar net Australia's Academic and Research Network Motivation Universities take a long time to turn around IPv4 address exhaustion, an iceberg? Want considered

712 views • 23 slides
Introduction to the TEI header What is the TEI header? The TEI header (<teiHeader>) is the

Introduction to the TEI header What is the TEI header? The TEI header (<teiHeader>) is the

Introduction to the TEI header What is the TEI header? The TEI header (<teiHeader>) is the virtual ttle page of a TEI document. It contains metadata (informaton about the TEI document). <teiHeader> is the frst, mandatory child

543 views • 21 slides
Introduction to the TEI header What is the TEI header?

Introduction to the TEI header What is the TEI header?

Introduction to the TEI header What is the TEI header? TheTEIheader(<teiHeader>)isthevirtual6tle pageofaTEIdocument.Itcontainsmetadata (informa6onabouttheTEIdocument).

1.04k views • 31 slides
CSE 326: Data Structures AVL Trees Richard Anderson, Steve Seitz Winter 2014 1 Announcements

CSE 326: Data Structures AVL Trees Richard Anderson, Steve Seitz Winter 2014 1 Announcements

CSE 326: Data Structures AVL Trees Richard Anderson, Steve Seitz Winter 2014 1 Announcements HW 2 due now HW 3 out today 2 Balanced BST Complexity of operations depend on tree height For a BST with n nodes Want height to be ~

1.01k views • 42 slides
SmartCuckoo: A Fast and Cost-Efficient Hashing Index Scheme for Cloud Storage Systems Yuanyuan

SmartCuckoo: A Fast and Cost-Efficient Hashing Index Scheme for Cloud Storage Systems Yuanyuan

SmartCuckoo: A Fast and Cost-Efficient Hashing Index Scheme for Cloud Storage Systems Yuanyuan Sun, Yu Hua, Song Jiang*, Qiuyu Li, Shunde Cao, Pengfei Zuo Huazhong University of Science and Technology *University of Texas, Arlington Presented

363 views • 32 slides
Topic 23 Red Black Trees "People in every direction No words exchanged No time to exchange

Topic 23 Red Black Trees "People in every direction No words exchanged No time to exchange

Topic 23 Red Black Trees "People in every direction No words exchanged No time to exchange And all the little ants are marching Red and Black antennas waving" - Ants Marching, Dave Matthew's Band "Welcome to L.A.'s Automated

455 views • 44 slides
ClickHouse Deep Dive Aleksei Milovidov ClickHouse use cases A stream of events Actions of

ClickHouse Deep Dive Aleksei Milovidov ClickHouse use cases A stream of events Actions of

ClickHouse Deep Dive Aleksei Milovidov ClickHouse use cases A stream of events Actions of website visitors Ad impressions DNS queries E-commerce transactions We want to save info about these events and then glean some

724 views • 34 slides
CS 225 Data Structures Ma March 4 AV AVL Trees G G Carl Evans Resources on the Website

CS 225 Data Structures Ma March 4 AV AVL Trees G G Carl Evans Resources on the Website

CS 225 Data Structures Ma March 4 AV AVL Trees G G Carl Evans Resources on the Website https://courses.engr.illinois.edu/cs225/fa2019/pages/lectures.html Le Left R Rot otation on 38 13 51 10 25 40 84 66 89 95 38 13 51

889 views • 21 slides
B-trees (Bayer-McCreight, 1972) B tree of order m is a tree with the following properties

B-trees (Bayer-McCreight, 1972) B tree of order m is a tree with the following properties

B-trees (Bayer-McCreight, 1972) B tree of order m is a tree with the following properties Height-balanced trees 1 The root has at least two children unless it is a leaf 2 No node in the tree has more than m children B trees 3 Every node except

1.02k views • 4 slides
Example We would like to keep a list of inventory records but only as many as we need

Example We would like to keep a list of inventory records but only as many as we need

Example We would like to keep a list of inventory records but only as many as we need Linked Lists An array is a fixed size Instead use a linked list What are the disadvantages of using a linked list? Linked List

1.48k views • 3 slides
Asynchronous Circuits in W ORKCRAFT Victor Khomenko, Danil Sokolov, Alex Yakovlev Motivation

Asynchronous Circuits in W ORKCRAFT Victor Khomenko, Danil Sokolov, Alex Yakovlev Motivation

Logic Decomposition of Asynchronous Circuits in W ORKCRAFT Victor Khomenko, Danil Sokolov, Alex Yakovlev Motivation Logic decomposition is one of the most difficult tasks in the design flow Much more difficult than for synchronous

684 views • 31 slides

More recommend