
Re: RFC2460 problem - error processing of Routing Header



Hi Ootomo
	See comments inline.

Regards
Suresh

On Thu, 20 May 2004, OOTOMO Hiroyuki wrote:

>Hi Suresh.
>
>> This packet will NEVER reach host-4. Consider the packet when it 
>> reaches router-1
><<< snipped >>>
>> router-1 will follow the algorithm for RH processing. The Segments Left is 
>> greater than 0. So it will check the header ext len and find it to be odd. 
>> It will drop the packet and send an ICMP message back to host-0. I guess 
>> the general idea is that the first destination node will detect the 
>> problem with the header ext len.
>
>Of course what you said is true, but it is the case
>when the first destination node (and all intermediate nodes)
>was normal.
>
>What I said in the previous mail is the case when the packet
>reached the End Node unfortunately.
>
>e.g., If all routers via which the packet goes are broken
>(although it is a very rare case) and overlook the invalid
>Hdr.Ext.Len, the trouble will happen.

Even if we check the header length before checking the segments left we 
can still have a problem.

>
>e.g., If an evil node transmits the packet with odd Hdr.Ext.Len
>and zero Segment Left suddenly, the trouble will happen.

The evil node can transmit the packet with an EVEN header ext len which is 
WRONG and the new algorithm can still not catch it. So I guess it is not 
worth it trying to change the algorithm as the cons outweigh the pros.

>
>Isn't it connected with other vulnerabilities and become
>a security hole etc.?
>
>
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
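
Added example, not part of the original message: a C model of the Type 0 Routing header checks from RFC 2460 section 4.4, run both in the RFC order and in the length-first order discussed in the thread, over three constructed headers. The function names, the length_first flag and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcomes of the RFC 2460 section 4.4 checks on a Type 0 Routing header. */
enum rh_verdict { RH_NEXT_HEADER, RH_ERR_HDR_EXT_LEN, RH_ERR_SEGMENTS_LEFT, RH_FORWARD };

/* rh points at the fixed bytes: Next Header, Hdr Ext Len, Routing Type,
 * Segments Left. length_first = 0 follows the RFC 2460 order; 1 models the
 * reordering discussed in the thread (parity check before Segments Left). */
enum rh_verdict rh0_check(const uint8_t *rh, int length_first)
{
    uint8_t hdr_ext_len = rh[1], segments_left = rh[3];

    if (length_first && (hdr_ext_len & 1))
        return RH_ERR_HDR_EXT_LEN;        /* ICMP Parameter Problem, code 0 */
    if (segments_left == 0)
        return RH_NEXT_HEADER;            /* length field is not examined */
    if (hdr_ext_len & 1)
        return RH_ERR_HDR_EXT_LEN;        /* what router-1 does in the thread */
    if (segments_left > hdr_ext_len / 2)  /* n = Hdr Ext Len / 2 addresses */
        return RH_ERR_SEGMENTS_LEFT;
    return RH_FORWARD;                    /* decrement, swap addresses, resend */
}

/* Size the receiver skips to find the next header: Hdr Ext Len counts
 * 8-octet units, not including the first 8 octets. */
unsigned rh_claimed_size(const uint8_t *rh) { return (rh[1] + 1u) * 8u; }

/* Constructed samples, fixed part only (Next Header 59 = No Next Header). */
static const uint8_t odd_len_done[4]  = { 59, 3, 0, 0 }; /* odd length, Segments Left 0 */
static const uint8_t odd_len_route[4] = { 59, 3, 0, 1 }; /* odd length, Segments Left 1 */
static const uint8_t even_wrong[4]    = { 59, 6, 0, 0 }; /* sender placed 2 addresses; correct value is 4 */

int main(void)
{
    static const char *name[] = { "next-header", "err-hdr-ext-len",
                                  "err-segments-left", "forward" };
    const uint8_t *cases[] = { odd_len_done, odd_len_route, even_wrong };
    const char *label[] = { "odd, SL=0", "odd, SL=1", "even but wrong, SL=0" };

    for (int i = 0; i < 3; i++)
        printf("%-22s rfc2460=%-16s length-first=%-16s skips %u bytes\n",
               label[i], name[rh0_check(cases[i], 0)],
               name[rh0_check(cases[i], 1)], rh_claimed_size(cases[i]));
    return 0;
}
```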