idnits 2.17.00 (12 Aug 2021)

/tmp/idnits38086/draft-bormann-rohc-shutdown-profile-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 290.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 301.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 308.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 314.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 133: '... decompressor MUST treat non-IR pack...'

     RFC 2119 keyword, line 140: '... decompressor SHOULD send back the n...'

     RFC 2119 keyword, line 146: '...nd six bits that MUST be zero. In eff...'

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 31, 2007) is 5401 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: draft-ietf-rohc-rfc3095bis-framework has been
     published as RFC 4995

     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Robust Header Compression                                     C. Bormann
3    Internet-Draft                                   Universitaet Bremen TZI
4    Intended status: Standards Track                           July 31, 2007
5    Expires: February 1, 2008

7                  A ROHC Profile for CID shutdown (ROHC-DOWN)
8                   draft-bormann-rohc-shutdown-profile-00.txt

10   Status of this Memo

12      By submitting this Internet-Draft, each author represents that any
13      applicable patent or other IPR claims of which he or she is aware
14      have been or will be disclosed, and any of which he or she becomes
15      aware will be disclosed, in accordance with Section 6 of BCP 79.

17      Internet-Drafts are working documents of the Internet Engineering
18      Task Force (IETF), its areas, and its working groups.  Note that
19      other groups may also distribute working documents as Internet-
20      Drafts.

22      Internet-Drafts are draft documents valid for a maximum of six months
23      and may be updated, replaced, or obsoleted by other documents at any
24      time.  It is inappropriate to use Internet-Drafts as reference
25      material or to cite them other than as "work in progress."

27      The list of current Internet-Drafts can be accessed at
28      http://www.ietf.org/ietf/1id-abstracts.txt.

30      The list of Internet-Draft Shadow Directories can be accessed at
31      http://www.ietf.org/shadow.html.

33      This Internet-Draft will expire on February 1, 2008.

35   Copyright Notice

37      Copyright (C) The IETF Trust (2007).

39   Abstract

41      This document specifies a ROHC (Robust Header Compression) profile
42      for shutting down context IDs (CIDs).  The profile, called ROHC-DOWN,
43      enables the decompressor to free resources and the compressor to be
44      sure no residual state from a previous use survives on a CID.

46      $Id: draft-bormann-rohc-shutdown-profile.xml,v 1.5 2007/07/31
47      15:40:11 cabo Exp $

49   Table of Contents

51      1.  Introduction
52      2.  Profile Operation
53        2.1.  Creating Contexts
54        2.2.  Using Contexts
55        2.3.  Feedback
56      3.  Security considerations
57      4.  IANA Considerations
58      5.  Contributors
59      6.  Acknowledgements
60      7.  References
61        7.1.  Normative References
62        7.2.  Informative References
63      Author's Address
64      Intellectual Property and Copyright Statements

66   1.  Introduction

68      Both the original ROHC standard [RFC3095] and the current work on the
69      now separately defined framework
70      [I-D.ietf-rohc-rfc3095bis-framework] have an issue with ambiguities
71      in the re-use of context IDs (CIDs) induced by packet losses and
72      reordering.

74      While the current mechanisms as defined in the cited specifications
75      suffice for the detection of accidental confusion about the current
76      use of a CID, they might be circumvented in a malicious "decompressor
77      confusion attack" to subvert the integrity protection of channels
78      carrying header-compressed flows.

80      The ROHC shutdown profile (ROHC-DOWN) provides a reliable way for a
81      compressor to prepare a CID for reuse, without the danger of that CID
82      reuse being misused for a decompressor confusion attack.

84      As a secondary consideration, ROHC-DOWN gives a compressor the
85      generally useful ability to indicate to the decompressor when the use
86      of a CID has ended, allowing it to free associated resources.

88   2.  Profile Operation

90      This section gives an overview of the operation of ROHC-DOWN.

92      The ROHC-DOWN profile operates by not allowing any packet to be
93      decompressed from a context in this profile; it is thus
94      indistinguishable from an uninitialized context.

96      To allow the compressor to ascertain that a CID is indeed shut down,
97      the IR packet may include a (possibly empty) nonce to be echoed in a
98      feedback item.

100  2.1.  Creating Contexts

102     A ROHC-DOWN context is created using an IR (initialization/refresh)
103     packet, which contains a ROHC framework header followed by the ROHC-
104     DOWN nonce:

106     If the x bit is set to 1, the compressor expects the decompressor to
107     echo back the (0-or-more byte) nonce in a feedback item.  If the x
108     bit is set to 0, no such feedback is expected (the nonce can still be
109     supplied, but has no effect).

111       0   1   2   3   4   5   6   7
112      --- --- --- --- --- --- --- ---
113     :         Add-CID octet         : if CID 1-15 and small CID
114     +---+---+---+---+---+---+---+---+
115     | 1   1   1   1   1   1   0 | x | IR type octet
116     +---+---+---+---+---+---+---+---+
117     :                               :
118     /      0-2 octets of CID        / 1 or 2 octets if large CIDs
119     :                               :
120     +---+---+---+---+---+---+---+---+
121     |            Profile            | 1 octet
122     +---+---+---+---+---+---+---+---+
123     |              CRC              | 1 octet
124     +---+---+---+---+---+---+---+---+
125     :                               :
126     /             NONCE             / 0-or-more bytes of Nonce
127     :                               :
128     +---+---+---+---+---+---+---+---+

130  2.2.  Using Contexts

132     No ROHC-DOWN packet types other than IR are defined.  The
133     decompressor MUST treat non-IR packet types in a context initialized
134     for the ROHC-DOWN profile as it would treat them in an uninitialized
135     context.

137  2.3.  Feedback

139     If a reply is requested in an IR packet by setting x to 1, the
140     decompressor SHOULD send back the nonce byte-string in a ROHC
141     feedback message.  If the nonce is empty (zero bytes), the feedback
142     is sent as a ROHC FEEDBACK-1 message consisting of a single zero
143     byte.  If the nonce is at least one byte, the feedback is sent as a
144     ROHC FEEDBACK-2 message, preceded by one zero byte.  The zero byte is
145     composed of the ROHC framework Acktype of 0 (ACK, see ROHC framework)
146     and six bits that MUST be zero.  In effect, the nonce is prefixed by
147     a zero byte in both cases.  In both cases, the feedback is not to be
148     received as a valid acknowledgement if this byte is not actually
149     zero.

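The IR packet of Section 2.1 and the acknowledgement rule of Section 2.3, as an added example in Python (not part of the draft or of any ROHC implementation). It builds a ROHC-DOWN IR packet for a small CID and keeps the CID blocked until feedback data consisting of a zero octet followed by the same nonce arrives. Assumptions: the names crc8_rohc, build_down_ir and CidShutdown are hypothetical, the Profile octet is the low octet of the placeholder identifier 0x0099, and the CRC follows the RFC 3095 IR rule (whole packet, CRC octet counted as zero), which this draft does not restate.

```python
import hmac
import secrets

PROFILE_OCTET = 0x99  # low octet of 0x0099, the draft's placeholder profile id


def crc8_rohc(data: bytes) -> int:
    """8-bit ROHC CRC: 1 + x + x^2 + x^8, initial value 0xFF, bits LSB first."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xE0 if crc & 1 else crc >> 1
    return crc


def build_down_ir(cid: int, nonce: bytes, want_echo: bool) -> bytes:
    """ROHC-DOWN IR packet for a small CID (0-15), laid out as in Section 2.1."""
    if not 0 <= cid <= 15:
        raise ValueError("this example handles small CIDs only")
    head = bytes([0xE0 | cid]) if cid else b""  # Add-CID octet, absent for CID 0
    head += bytes([0xFC | int(want_echo), PROFILE_OCTET])  # 1111110x, Profile
    # Assumption: CRC over the whole packet with the CRC octet counted as zero.
    return head + bytes([crc8_rohc(head + b"\x00" + nonce)]) + nonce


class CidShutdown:
    """Compressor-side gate: a CID is not reused until its nonce is echoed."""

    def __init__(self) -> None:
        self.pending = {}  # cid -> nonce still awaiting its echo

    def shut_down(self, cid: int, nonce_len: int = 8) -> bytes:
        nonce = secrets.token_bytes(nonce_len)
        self.pending[cid] = nonce
        return build_down_ir(cid, nonce, want_echo=True)

    def on_feedback(self, cid: int, data: bytes) -> bool:
        """data is the FEEDBACK data field: one zero octet, then the nonce."""
        nonce = self.pending.get(cid)
        if nonce is None or not data or data[0] != 0:
            return False  # unexpected CID, or first octet not zero: no valid ack
        if not hmac.compare_digest(data[1:], nonce):
            return False  # echo does not match the outstanding nonce
        del self.pending[cid]
        return True

    def may_reuse(self, cid: int) -> bool:
        return cid not in self.pending
```
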
151       0   1   2   3   4   5   6   7
152     +---+---+---+---+---+---+---+---+
153     | 1   1   1   1   0 |   Code    | feedback type
154     +---+---+---+---+---+---+---+---+
155     :             Size              : if Code = 0
156     +---+---+---+---+---+---+---+---+
157     :         Add-CID octet         : for small CIDs and (CID != 0)
158     +---+---+---+---+---+---+---+---+
159     :                               :
160     /  large CID (5.3.2 encoding)   / 1-2 octets if for large CIDs
161     :                               :
162     +---+---+---+---+---+---+---+---+
163     /         FEEDBACK data         / variable length
164     +---+---+---+---+---+---+---+---+

166     FEEDBACK-1:

168       0   1   2   3   4   5   6   7
169     +---+---+---+---+---+---+---+---+
170     |               0               | 1 octet
171     +---+---+---+---+---+---+---+---+

173     FEEDBACK-2:

175       0   1   2   3   4   5   6   7
176     +---+---+---+---+---+---+---+---+
177     |Acktype|           0           |
178     +---+---+---+---+---+---+---+---+ at least 2 octets
179     :                               :
180     /             NONCE             / 0-or-more bytes of Nonce
181     :                               :
182     +---+---+---+---+---+---+---+---+

184     Acktype: 0 = ACK

186  3.  Security considerations

188     The security considerations of [RFC3095] apply.

190     The objective of this draft is mainly to mitigate a potential attack
191     based on confusing the decompressor sufficiently that it accidentally
192     forwards information to receivers of packets previously sent on a
193     context.  By waiting for positive acknowledgement of channel shutdown
194     before re-using a channel, this attack can be effectively prevented.

196     Note that in an HCoIPsec environment, there is never a pressing need
197     to re-use a context; a compressor that is somehow running out of CIDs
198     can always negotiate a new SA and thus a new ROHC channel.  For some
199     applications, a new SA will be set up for each new flow in any case.
200     Being able to re-use contexts may, however, simplify running more
201     long-term SAs as ROHC channels.

203     Apart from the uses described above, the ROHC-DOWN profile can also
204     be used as a way to probe the channel at various packet sizes and to
205     send traffic obfuscating the packet size signature.  For the first
206     use, sending a ROHC-DOWN IR packet on an unused CID with x==1 acts as
207     a kind of ping mechanism.  A compressor can use this mechanism to
208     regularly probe a channel, investigating whether it is subject to
209     malicious packet dropping at particular (larger) packet sizes.  For
210     the second use, sending a ROHC-DOWN IR packet on an unused CID with
211     x==0 acts as a no-operation, allowing packets of otherwise possibly
212     telltale sizes to be added to the channel at random.

214  4.  IANA Considerations

216     The ROHC profile identifier 0x0099 [# Editor's Note: To be replaced
217     before publication #] has been reserved by the IANA for the profile
218     defined in this document.

220     [# Editor's Note: rest of this section to be removed before
221     publication: #]

223     Two ROHC profile identifiers must be reserved by the IANA for the new
224     profile defined in this document.  A suggested registration in the
225     "RObust Header Compression (ROHC) Profile Identifiers" name space
226     would then be:

228     Profile     Usage           Reference
229     0x0099      ROHC DOWN       [RFC XXXX (this)]

231     Author's note: This suggestion must be updated before sending to
232     IANA.

234  5.  Contributors

236     The author would like to thank Pasi Eronen, who emphasized the
237     importance of the decompressor confusion attack in his comments to
238     HCoIPsec, and Jonah Pezeshki, who narrowed down the problem
239     sufficiently for the author to find this solution.

241  6.  Acknowledgements

243     This document was prompted by the work on HCoIPsec by Emre Ertekin,
244     Chris Christou, and others.

246  7.  References

248  7.1.  Normative References

250     [I-D.ietf-rohc-rfc3095bis-framework]
251                Jonsson, L., "The RObust Header Compression (ROHC)
252                Framework", draft-ietf-rohc-rfc3095bis-framework-04 (work
253                in progress), November 2006.

255  7.2.  Informative References

257     [RFC3095]  Bormann, C., Burmeister, C., Degermark, M., Fukushima, H.,
258                Hannu, H., Jonsson, L-E., Hakenberg, R., Koren, T., Le,
259                K., Liu, Z., Martensson, A., Miyazaki, A., Svanbro, K.,
260                Wiebke, T., Yoshimura, T., and H. Zheng, "RObust Header
261                Compression (ROHC): Framework and four profiles: RTP, UDP,
262                ESP, and uncompressed", RFC 3095, July 2001.

264  Author's Address

266     Carsten Bormann
267     Universitaet Bremen TZI
268     Postfach 330440
269     Bremen  D-28334
270     Germany

272     Phone: +49 421 218 7024
273     Fax:   +49 421 218 7000
274     Email: cabo@tzi.org

276  Full Copyright Statement

278     Copyright (C) The IETF Trust (2007).

280     This document is subject to the rights, licenses and restrictions
281     contained in BCP 78, and except as set forth therein, the authors
282     retain all their rights.

284     This document and the information contained herein are provided on an
285     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
286     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
287     THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
288     OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
289     THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
290     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

292  Intellectual Property

294     The IETF takes no position regarding the validity or scope of any
295     Intellectual Property Rights or other rights that might be claimed to
296     pertain to the implementation or use of the technology described in
297     this document or the extent to which any license under such rights
298     might or might not be available; nor does it represent that it has
299     made any independent effort to identify any such rights.  Information
300     on the procedures with respect to rights in RFC documents can be
301     found in BCP 78 and BCP 79.

303     Copies of IPR disclosures made to the IETF Secretariat and any
304     assurances of licenses to be made available, or the result of an
305     attempt made to obtain a general license or permission for the use of
306     such proprietary rights by implementers or users of this
307     specification can be obtained from the IETF on-line IPR repository at
308     http://www.ietf.org/ipr.

310     The IETF invites any interested party to bring to its attention any
311     copyrights, patents or patent applications, or other proprietary
312     rights that may cover technology that may be required to implement
313     this standard.  Please address the information to the IETF at
314     ietf-ipr@ietf.org.

316  Acknowledgment

318     Funding for the RFC Editor function is provided by the IETF
319     Administrative Support Activity (IASA).