Pointer is probably an unfortunate term. Would have been better if this was originally described as an offset. In any case, the text is clear, the offset of the byte in error (pointer) can be beyond the extent of the packet, and the implementation needs to correctly deal with that.
Tom
On Tue, Feb 25, 2020, 8:02 PM Suresh Krishnan <suresh.krishnan@xxxxxxxxx> wrote:
Hi Bernard/Ben,--------------------------------------------------------------------Thanks for your review. Just responding to one point below.Hmm. This is exactly how base ICMPv6 (RFC4443 and prior to that RFC2463 and RFC1885) defines and uses the Pointer field. And the intent is specifically to be able to point past the end of the packet since the “offending” packet may not be able to fit into the reporting packet. Is there something specific that you think is being enabled by this draft and needs to be addressed?On Feb 25, 2020, at 2:34 PM, Benjamin Kaduk <kaduk@xxxxxxx> wrote:On Tue, Feb 18, 2020 at 01:02:21PM -0800, Bernard Aboba via Datatracker wrote:Reviewer: Bernard Aboba
Review result: Ready with Issues
TSV-ART Review of draft-ietf-6man-icmp-limits
Bernard Aboba
Result: Ready with Issues
This document specifies several new ICMPv6 errors that can be sent
when a node discards a packet due to it being unable to process the
necessary protocol headers because of processing constraints or
limits. Reasons include:
Code (pertinent to this specification)
1 - Unrecognized Next Header type encountered
TBA - Extension header too big
TBA - Extension header chain too long
TBA - Too many options in extension header
TBA - Option too big
ICMP Reliability
Section 5.2 states:
" ICMP is fundamentally an unreliable protocol and in real deployment
it may consistently fail over some paths. As with any other use of
ICMP, it is assumed that the errors defined in this document are only
best effort to be delivered. No protocol should be implemented that
relies on reliable delivery of ICMP messages. If necessary,
alternative or additional mechanisms may used to augment the
processes used to to deduce the reason that packets are being
discarded. Such alternative mechanisms are out of scope of this
specification."
[BA] The last sentence is a bit vague. My assumption is that this is
referring to techniques such as are used in Path MTU discovery (e.g.
tweaking of packets so as to determine potential reasons why packets
are being discarded). However, a reference might be helpful.
Security Concerns
Pointer field
In Section 3.1, the description of the Pointer field states:
" Pointer
Identifies the octet offset within the invoking packet where
the problem occurred..
The pointer will point beyond the end of the ICMPv6 packet if
the field having a problem is beyond what can fit in the
maximum size of an ICMPv6 error message."
[BA] I worry about attackers using the Pointer field for
mischief, such as buffer overflows. The draft currently
does not provide advice to implementers about validating
the Pointer field (e.g. checking it against the length of
the offending packet).. Do we really need a 32-bit Pointer field?
Very reminiscent of heartbleed, even with the note that "The pointer will
point beyond the end of the ICMPv6 packet if the field having a problem is
beyond what can fit in the maximum size of an ICMPv6 error message."RegardsSuresh
IETF IPv6 working group mailing list
ipv6@xxxxxxxx
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
