[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: shim6 and bit errors in data packet headers
Hi Erik,
some comments below...
El 04/05/2005, a las 1:33, Erik Nordmark escribió:
...
For the part of shim6 which performs the state exchange, locator
changes, and
testing the paths, presumably it is easy to just add the regular 16 bit
checksum.
I am not sure about this yet... i mean for the initial exchange where
the alternative locators are exchanged, the security mechanisms that
are in place would be enough to deal with bit error i guess. I mean, if
there is an error in a bit of the locator, it would be similar than if
an attacker has tried to include a different address in the context i
think. I guess that the question is what to do when the security check
fails...
But in any case, i also agree that it wouldn't be much problem to add a
checksum in those packets, since they are few of them. I guess we could
do a more in depth analysis of this once that we have a clear view of
what information would be included in this packet exchange. (for
instance an error in the messages that informs about the context tag
selected for that context may cause problems, i guess)
But for the data packets adding one more 16 bit checksum would be more
costly,
since if we need it we can't use the flow label, and a destination
option
header would either be 16 bytes (an 8 byte destination option can only
hold
32 bits of payload, and a 16 bit checksum would imply only a 16 bit
context
tag, which is probably too small.)
agree
Let's assume the receiver identifies the shim6 state based on the
<source locator, destination locator, context tag>. This is done
before the
packet is passed to the ULP, that is, the ICMP/UDP/TCP/SCTP checksums
are not of any use to detect a potentially corrupt packet.
As an example, assume that A and B has established shim6 state for
communication between ULID A1 and B1, using the locator sets
<{A1, A2}, {B1, B2}>, and that the communication using <A1, B1> has
failed
so that things switches to the locator pair <A1, B2>.
B will now receive packets with the shim identifying information
being <A1, B2, CT>, which will identify the shim6 state and the state
indicates that the ULIDs should be set to <A1, B1> before passing the
packet
to the ULP.
What happens if there is a bit error in the locators in the packet or
the
context tag field? (Doesn't matter whether the context tag is carried
in
the flow label field or somewhere else for this analysis).
If there is a bit error in B2 (turning it into B2') the packets
wouldn't be
delivered to the host B, but they might be delivered to a different
host, which
would presumably(??), not have any context state for <A1, B2', CT>.
If it does have such shim6 state, it would apply the ULID replacement
from
that context state and pass the packet to the ULP. The ULP checksum
would most
likely fail in this case.
This doesn't seem any different than the case in base IPv6 and a bit
error
in the destination address field; we rely on the ULP checksum to
discard such
packets.
If there is a bit error in A1 or CT, the packet would be delivered to
B,
but most likely B would not have any context state which matches <A1',
B2, CT>
or <A1, B2, CT'>. If there is matching context state, the argument
above
about the ULP checksum applies.
When there is no matching context state at B, the question is what B
does in such a case.
This is a function of how we do state management in shim6. There has
been
little discussion about this. We could do soft state, where there is no
explicit taredown/close message, or we could do something which tries
to
tare down the state at the both ends in a coordinated fashion.
If we assume that we do soft state management, then a host like B
needs to
be prepared to receive shim6 packets where it has no context. This is
because B might have discarded the shim6 state before A did, or B might
have crashes and lost all state while A retained the shim6 state.
This implies that in the bit error case above, since B can't tell the
difference between a bit error and the case when it has lost/discarded
the state, B needs to at least send an error message to A saying "I
have
no matching shim6 context".
why?
i would argue that silently discarding the packet would be enough. I
mean, i think that soft state approach is an interesting approach, but
i would like to explore the possibility of silently discarding packets
that don't match with any existent contexts. I mean, i think that (as i
think you mentioned a while ago) defining a error message in order to
reply to those packets belonging to non existent contexts may introduce
some security issues. In particular, it may allow an attacker to force
to communicating end nodes to re-do the initial exchange, allowing the
attacker to become a MiTM.
So i would think that not defining errors for non existent contexts may
be a good option.
But B probably shouldn't do any more than this, since it doesn't know
whether
the cause was a bit error or it having lost/discarded the shim6 state.
[Note that B can't just silently pass up such packets to the ULP,
because
if B doesn't do the locator->ULID replacement, the packets will (most
likely)
be dropped by the ULP to to a checksum error. Thus there would *not*
be e.g.,
a TCP reset which would tell the peer ULP to restart.]
So in conclusion, if we don't have a checksum for the shim6 context
tag, then
we are constrained on what the shim can do when receiving a packet for
which it has no matching context.
If we add a checksum (covering at least the source locator, destination
locator, and context tag), then the receiving shim6 layer can silently
discard
packets with bit errors,
and we have the flexibility to do something
different in order to recover from lost/discarded state at the
receiver.
Comments?
Erik
Regards, marcelo
PS: nice analysis, thanks