Article 500 at 08/01/28 10:49:32 From: miyata@tahi.org Subject: [users:00500] Re: [ipv6ready-info:22731] Re: Re: [Fwd: Re: IPV6 routing header with type 0 doesn't support by latest kernel]

Index: [Article Count Order] [Thread]
Date: Mon, 28 Jan 2008 10:45:37 +0900
From: Hiroshi MIYATA <miyata@tahi.org>
Subject: [users:00500] Re: [ipv6ready-info:22731] Re:  Re:  [Fwd:  Re: IPV6 routing header with type 0 doesn't support by latest kernel]
To: users@tahi.org, Yinghui Yao <Yinghui.Yao@alcatel-lucent.com>
Cc: ipv6-info@ipv6ready.org
Message-Id: <5B828A69-D849-4514-B7A6-F3AB60811A45@tahi.org>
In-Reply-To: <479D2E13.4030008@redhat.com>
References: <479A5ADC.2050302@alcatel-lucent.com> <20080128094307.cd919be6.akisada@tahi.org> <479D2E13.4030008@redhat.com>
X-Mail-Count: 00500

Hi Subhendu,

Could you please explain the DoD certification dates?
Logically., our IPv6 Ready Logo is independent from other programs.
I would like to know how it is combined with DoD certification.
Especially, regarding the certification "dates".

It may affect our logo program schedule.

Thanks,

...miyata


On 2008/01/28, at 10:21, Subhendu Ghosh wrote:

> Yukiyo Akisada wrote:
>> Hi, Yinghui.
>>
>> Supporting RFC 5095 is under preparation by IPv6 Ready Program.
>> Only what TAHI tester can do is just following that specification.
>>
>> If you need LOGO immediately,
>> submitting the current results including FAIL with your reason of  
>> omission
>> can be one of the solutions.
>> Becaus RFC 5095 is well-known security fix, your result may accept  
>> by examinor.
>>
>> In this case, when you get LOGO,
>> some texts will be added at approved list
>> in order to describe applicant didn't have 100% PASS.
>>
>
> Has not happened for tests submitted last May.
>
>> Otherwise, please wait for their official release.
>>
> That's what I am doing - but US DoD certification dates are making the
> timeframe really short.
>
> -regards
> Subhendu
>
>> The importance is not only ignoring RH0, but also sending back ICMP  
>> error.
>>
>> v1.4.9 doesn't have verifying ICMP error,
>> so it is better way to prepare v1.4.9 and v1.5.0b2 results,
>> if you try short path to get the LOGO.
>>
>> Thanks,
>>
>>
>> On Fri, 25 Jan 2008 14:55:40 -0700
>> Yinghui Yao <Yinghui.Yao@alcatel-lucent.com> wrote:
>>
>>> Could you answer my question on RH0? Do I need to pass 100% on  
>>> these RH0
>>> test cases in Self_Test_1.4.9?
>>>
>>> Thanks,
>>> Yinghui Yao
>>> Alcatel-Lucent
>>>
>>>
>>
>> On Fri, 25 Jan 2008 14:41:04 -0700
>> Yinghui Yao <Yinghui.Yao@alcatel-lucent.com> wrote:
>>
>>> I really appreciate your help.
>>>
>>> We are making a router which has our customized kernel which is  
>>> derived
>>> from KAME. Our behavior on RH0 is dropping the packet and sending  
>>> back
>>> ICMP. The failed tests are "IPv6 Specification: 56, 59, 60, 63,  
>>> 64, 65."
>>>
>>> Are TAHI folks on this mailing list? Or is there a separate list?  
>>> I want
>>> to ask them about the "100% pass policy" on this RFC 5095 case. Any
>>> other guys out there having my problems?
>>>
>>> Thanks,
>>> Yinghui Yao
>>> Alcatel-Lucent
>>>
>>> Subhendu Ghosh wrote:
>>>> It doesn't matter which kernel version fails or how it fails.
>>>>
>>>> It is more a question of policy with regards to existing non-beta  
>>>> test
>>>> suite and RFC status.
>>>>
>>>> Self_Test_1_4_9 has been out for a while and RFC5095 has been out  
>>>> for
>>>> a month.
>>>>
>>>> Does an intersection of Self_Test_1_4_9 and RFC5095 satisfy Logo
>>>> requirements?
>>>>
>>>> Does an intersection of Self_Test_1_4_9 and CVE-2007-2242 satisfy  
>>>> Logo
>>>> requirements?
>>>>
>>>> The consensus for the CVE workaround was to drop the RH0 packets  
>>>> with
>>>> no action. RFC 5095 changes that consensus to require a ICMP  
>>>> parameter
>>>> problem message.
>>>>
>>>> According to the statements from the TAHI folks after the CVE was
>>>> issued, it seemed to indicate that Self_Test_1_4_9 as shipped had  
>>>> to
>>>> be passed 100% unmodified for Logo requirements.
>>>>
>>>> -regards
>>>> Subhendu Ghosh
>>>>
>>>> Karsten Keil wrote:
>>>>> On Fri, Jan 25, 2008 at 08:56:30AM -0700, Yinghui Yao wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Can anyone please give me an answer for this?
>>>>>>
>>>>> Which kernel do you use and which test do fail ?
>>>>> Afaik here was a wrong securety fix in some kernel versions which
>>>>> did disable RH0 handling completely, instead to send correct ICMP
>>>>> messages.
>>>>>
>>>>>
>>>>>> Thanks,
>>>>>> Yinghui Yao
>>>>>> Alcatel-Lucent
>>>>>>
>>>>>> Yinghui Yao wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Let's not talk about the beta program. I need to pass  
>>>>>>> Self_Test_1_4_9
>>>>>>> and now our NUT is dropping the RH0 packet. Is that acceptable  
>>>>>>> in your
>>>>>>> evaluation process or we have to modify our program to pass  
>>>>>>> "100%" of
>>>>>>> your tests.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Yinghui Yao
>>>>>>> Alcatel-Lucent
>>>>>>>
>>>>>>> Hiroshi MIYATA wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> You know IPv6 Logo Program is planing to update the IPv6 core  
>>>>>>>> test
>>>>>>>> specification.
>>>>>>>> It was under public review.(until 3rd, Jan.)
>>>>>>>> And RH0 is covered in the latest version under public review.
>>>>>>>> Please visit here.
>>>>>>>> http://www.ipv6ready.org/announcement/public_review20071204_p2core.html
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> And the test tool is compliant to this test test specification.
>>>>>>>> http://www.tahi.org/logo/release/Self_Test_1-5-0b1.tgz
>>>>>>>>
>>>>>>>> Disabling RH0 is not mandated at this moment, but it is  
>>>>>>>> selectable.
>>>>>>>> We may need some discussion on this.
>>>>>>>> Although, the public review is over, if you have some  
>>>>>>>> comments about
>>>>>>>> this, v6LC welcome your comments.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> ....miyata
>>>>>>>>
>>>>>>>> On 2008/01/02, at 12:22, sghosh@redhat.com wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>> Self Test 1.5.0-b2 (beta)
>>>>>>>>> Includes the some of the bits to see if Type0 should be  
>>>>>>>>> supported or
>>>>>>>>> not.
>>>>>>>>> See config.txt in the testsuite. RFC5095 was just published on
>>>>>>>>> Standards Track
>>>>>>>>> deprecating RH0 and specifying the required behavior. ICMP  
>>>>>>>>> Parameter
>>>>>>>>> Problem is
>>>>>>>>> now required. The testsuite could not be changed until the  
>>>>>>>>> RFC was
>>>>>>>>> published.
>>>>>>>>>
>>>>>>>>> The original fix for the CVE in some distributions like RHEL  
>>>>>>>>> was to
>>>>>>>>> silently
>>>>>>>>> drop the packet. That behavior needs to be updated.
>>>>>>>>>
>>>>>>>>> -regards
>>>>>>>>> Subhendu Ghosh
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Quoting Gui Jianfeng <guijianfeng@cn.fujitsu.com>:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Who knows? :-)
>>>>>>>>>>
>>>>>>>>>> Gui Jianfeng 写道:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>> IPV6 routing header with type 0 doesn't support by latest  
>>>>>>>>>>> linux
>>>>>>>>>>> kernel any more,
>>>>>>>>>>> but some of the IPV6 ct test cases are still based on  
>>>>>>>>>>> routing
>>>>>>>>>>> header of type 0.
>>>>>>>>>>> I'd like to know, whether this kind of test cases will be  
>>>>>>>>>>> removed
>>>>>>>>>>> or updated?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Gui Jianfeng
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Gui Jianfeng
>>>>>>>>>> --------------------------------------------------
>>>>>>>>>> Gui Jianfeng
>>>>>>>>>> Development Dept.I
>>>>>>>>>> Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
>>>>>>>>>> 8/F., Civil Defense Building, No.189 Guangzhou Road,
>>>>>>>>>> Nanjing, 210029, China
>>>>>>>>>> TEL: +86+25-86630566-838
>>>>>>>>>> COINS: 79955-838
>>>>>>>>>> FAX: +86+25-83317685
>>>>>>>>>> MAIL:guijianfeng@cn.fujitsu.com
>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>
>>>
>>
>>
>> ------------------------------------------------------------------------
>> Yukiyo Akisada <akisada@tahi.org>
>>
>>
>
> <sghosh.vcf>