Date: Sun, 27 Jan 2008 20:21:23 -0500
From: Subhendu Ghosh <sghosh@redhat.com>
Subject: [users:00498] Re: [ipv6ready-info:22476] [Fwd: Re: IPV6 routing header with type 0 doesn't support by latest kernel]
To: users@tahi.org
Cc: Yinghui Yao <Yinghui.Yao@alcatel-lucent.com>, ipv6-info@ipv6ready.org
Message-Id: <479D2E13.4030008@redhat.com>
In-Reply-To: <20080128094307.cd919be6.akisada@tahi.org>
References: <479A5ADC.2050302@alcatel-lucent.com> <20080128094307.cd919be6.akisada@tahi.org>
X-Mail-Count: 00498

Yukiyo Akisada wrote:
> Hi, Yinghui.
>
> Supporting RFC 5095 is under preparation by IPv6 Ready Program.
> Only what TAHI tester can do is just following that specification.
>
> If you need LOGO immediately,
> submitting the current results including FAIL with your reason of omission
> can be one of the solutions.
> Because RFC 5095 is a well-known security fix, your result may be accepted by the examiner.
>
> In this case, when you get LOGO,
> some texts will be added at approved list
> in order to describe applicant didn't have 100% PASS.
>

Has not happened for tests submitted last May.

> Otherwise, please wait for their official release.
>

That's what I am doing - but US DoD certification dates are making the timeframe really short.

-regards
Subhendu

> The importance is not only ignoring RH0, but also sending back ICMP error.
>
> v1.4.9 doesn't have verifying ICMP error,
> so it is better way to prepare v1.4.9 and v1.5.0b2 results,
> if you try short path to get the LOGO.
>
> Thanks,
>
>
> On Fri, 25 Jan 2008 14:55:40 -0700
> Yinghui Yao <Yinghui.Yao@alcatel-lucent.com> wrote:
>
>> Could you answer my question on RH0? Do I need to pass 100% on these RH0
>> test cases in Self_Test_1.4.9?
>>
>> Thanks,
>> Yinghui Yao
>> Alcatel-Lucent
>>
>
> On Fri, 25 Jan 2008 14:41:04 -0700
> Yinghui Yao <Yinghui.Yao@alcatel-lucent.com> wrote:
>
>> I really appreciate your help.
>>
>> We are making a router which has our customized kernel which is derived
>> from KAME. Our behavior on RH0 is dropping the packet and sending back
>> ICMP. The failed tests are "IPv6 Specification: 56, 59, 60, 63, 64, 65."
>>
>> Are TAHI folks on this mailing list? Or is there a separate list? I want
>> to ask them about the "100% pass policy" on this RFC 5095 case. Any
>> other guys out there having my problems?
>>
>> Thanks,
>> Yinghui Yao
>> Alcatel-Lucent
>>
>> Subhendu Ghosh wrote:
>>> It doesn't matter which kernel version fails or how it fails.
>>>
>>> It is more a question of policy with regards to existing non-beta test
>>> suite and RFC status.
>>>
>>> Self_Test_1_4_9 has been out for a while and RFC5095 has been out for
>>> a month.
>>>
>>> Does an intersection of Self_Test_1_4_9 and RFC5095 satisfy Logo
>>> requirements?
>>>
>>> Does an intersection of Self_Test_1_4_9 and CVE-2007-2242 satisfy Logo
>>> requirements?
>>>
>>> The consensus for the CVE workaround was to drop the RH0 packets with
>>> no action. RFC 5095 changes that consensus to require an ICMP parameter
>>> problem message.
>>>
>>> According to the statements from the TAHI folks after the CVE was
>>> issued, it seemed to indicate that Self_Test_1_4_9 as shipped had to
>>> be passed 100% unmodified for Logo requirements.
>>>
>>> -regards
>>> Subhendu Ghosh
>>>
>>> Karsten Keil wrote:
>>>> On Fri, Jan 25, 2008 at 08:56:30AM -0700, Yinghui Yao wrote:
>>>>> Hi,
>>>>>
>>>>> Can anyone please give me an answer for this?
>>>>>
>>>> Which kernel do you use and which tests fail?
>>>> Afaik there was a wrong security fix in some kernel versions which
>>>> did disable RH0 handling completely, instead of sending correct ICMP
>>>> messages.
>>>>
>>>>> Thanks,
>>>>> Yinghui Yao
>>>>> Alcatel-Lucent
>>>>>
>>>>> Yinghui Yao wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Let's not talk about the beta program. I need to pass Self_Test_1_4_9
>>>>>> and now our NUT is dropping the RH0 packet. Is that acceptable in your
>>>>>> evaluation process or do we have to modify our program to pass "100%" of
>>>>>> your tests?
>>>>>>
>>>>>> Thanks,
>>>>>> Yinghui Yao
>>>>>> Alcatel-Lucent
>>>>>>
>>>>>> Hiroshi MIYATA wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> You know IPv6 Logo Program is planning to update the IPv6 core test
>>>>>>> specification.
>>>>>>> It was under public review (until 3rd Jan.).
>>>>>>> And RH0 is covered in the latest version under public review.
>>>>>>> Please visit here.
>>>>>>> http://www.ipv6ready.org/announcement/public_review20071204_p2core.html
>>>>>>>
>>>>>>> And the test tool is compliant with this test specification.
>>>>>>> http://www.tahi.org/logo/release/Self_Test_1-5-0b1.tgz
>>>>>>>
>>>>>>> Disabling RH0 is not mandated at this moment, but it is selectable.
>>>>>>> We may need some discussion on this.
>>>>>>> Although the public review is over, if you have some comments about
>>>>>>> this, v6LC welcomes your comments.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> ....miyata
>>>>>>>
>>>>>>> On 2008/01/02, at 12:22, sghosh@redhat.com wrote:
>>>>>>>
>>>>>>>> Self Test 1.5.0-b2 (beta)
>>>>>>>> Includes some of the bits to see if Type0 should be supported or
>>>>>>>> not.
>>>>>>>> See config.txt in the testsuite. RFC5095 was just published on
>>>>>>>> Standards Track
>>>>>>>> deprecating RH0 and specifying the required behavior. ICMP Parameter
>>>>>>>> Problem is
>>>>>>>> now required. The testsuite could not be changed until the RFC was
>>>>>>>> published.
>>>>>>>>
>>>>>>>> The original fix for the CVE in some distributions like RHEL was to
>>>>>>>> silently
>>>>>>>> drop the packet. That behavior needs to be updated.
>>>>>>>>
>>>>>>>> -regards
>>>>>>>> Subhendu Ghosh
>>>>>>>>
>>>>>>>> Quoting Gui Jianfeng <guijianfeng@cn.fujitsu.com>:
>>>>>>>>
>>>>>>>>> Who knows? :-)
>>>>>>>>>
>>>>>>>>> Gui Jianfeng wrote:
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>> IPv6 routing header with type 0 is not supported by the latest Linux
>>>>>>>>>> kernel any more,
>>>>>>>>>> but some of the IPv6 ct test cases are still based on routing
>>>>>>>>>> header of type 0.
>>>>>>>>>> I'd like to know whether this kind of test case will be removed
>>>>>>>>>> or updated?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Gui Jianfeng
>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Gui Jianfeng
>>>>>>>>> --------------------------------------------------
>>>>>>>>> Gui Jianfeng
>>>>>>>>> Development Dept.I
>>>>>>>>> Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
>>>>>>>>> 8/F., Civil Defense Building, No.189 Guangzhou Road,
>>>>>>>>> Nanjing, 210029, China
>>>>>>>>> TEL: +86+25-86630566-838
>>>>>>>>> COINS: 79955-838
>>>>>>>>> FAX: +86+25-83317685
>>>>>>>>> MAIL:guijianfeng@cn.fujitsu.com
>>>>>>>>> --------------------------------------------------
>>>>>>>>>
>
> ------------------------------------------------------------------------
> Yukiyo Akisada <akisada@tahi.org>
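
The receiver behaviour the thread contrasts with the silent-drop CVE workaround, as an added example (not code from any poster, the TAHI test suite or a kernel): under RFC 5095 a node treats RH0 like an unrecognized Routing Type, so Segments Left decides between ignoring the header and answering with ICMPv6 Parameter Problem, Code 0. All function and type names are made up for illustration, the packet is assumed to be addressed to the receiving node, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* All names here (rh0_verdict, rh0_result, ...) are made up for this example. */
enum rh0_action { RH0_ABSENT, RH0_IGNORE_HEADER, RH0_PARAM_PROBLEM, RH0_MALFORMED };
struct rh0_result { enum rh0_action action; uint32_t pointer; };
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_DSTOPTS = 60 };

/* RFC 5095 handling of a Type 0 Routing header in a packet addressed to us:
 *   Segments Left == 0 -> ignore the header, go on to the next header
 *   Segments Left != 0 -> discard and send ICMPv6 Parameter Problem, Code 0,
 *                         Pointer = offset of the Routing Type field
 * Simplification: only Hop-by-Hop, Destination Options and Routing headers
 * are walked; the chain is not followed past a Fragment header. */
struct rh0_result rh0_verdict(const uint8_t *pkt, size_t len)
{
    struct rh0_result r = { RH0_MALFORMED, 0 };
    if (len < 40 || (pkt[0] >> 4) != 6)
        return r;
    uint8_t nh = pkt[6];            /* Next Header of the fixed IPv6 header */
    size_t off = 40;
    while (nh == NH_HOPOPTS || nh == NH_DSTOPTS || nh == NH_ROUTING) {
        if (len - off < 8)
            return r;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len */
        if (hlen > len - off)
            return r;
        if (nh == NH_ROUTING && pkt[off + 2] == 0) {   /* Routing Type 0 */
            if (pkt[off + 3] == 0) {                   /* Segments Left */
                r.action = RH0_IGNORE_HEADER;
            } else {
                r.action = RH0_PARAM_PROBLEM;
                r.pointer = (uint32_t)(off + 2);
            }
            return r;
        }
        nh = pkt[off];
        off += hlen;
    }
    r.action = RH0_ABSENT;
    return r;
}

/* Constructed sample: IPv6 header followed by RH0 holding one address. */
struct rh0_result sample_verdict(uint8_t segments_left)
{
    uint8_t pkt[64] = { [0] = 0x60, [5] = 24, [6] = NH_ROUTING,
                        [40] = 59, [41] = 2, [42] = 0, [43] = segments_left };
    return rh0_verdict(pkt, sizeof pkt);
}
```

A node that silently drops every RH0 packet never emits the Parameter Problem message that the `RH0_PARAM_PROBLEM` case calls for.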