Date: Mon, 28 Jan 2008 00:03:49 -0500
From: Subhendu Ghosh <sghosh@redhat.com>
Subject: [users:00502] Re: [ipv6ready-info:22476] [Fwd: Re: IPV6 routing header with type 0 doesn't support by latest kernel]
To: Yukiyo Akisada <akisada@tahi.org>
Cc: ipv6-info@ipv6ready.org, users@tahi.org
Message-Id: <479D6235.4040009@redhat.com>
In-Reply-To: <20080128105254.fc69b912.akisada@tahi.org>
References: <479A5ADC.2050302@alcatel-lucent.com> <20080128094307.cd919be6.akisada@tahi.org> <479D2E13.4030008@redhat.com> <20080128105254.fc69b912.akisada@tahi.org>
X-Mail-Count: 00502

Yukiyo Akisada wrote:
> Hi, Subhendu.
>
> On Sun, 27 Jan 2008 20:21:23 -0500
> Subhendu Ghosh <sghosh@redhat.com> wrote:
>
>>> Supporting RFC 5095 is under preparation by IPv6 Ready Program.
>>> Only what TAHI tester can do is just following that specification.
>>>
>>> If you need LOGO immediately,
>>> submitting the current results including FAIL with your reason of omission
>>> can be one of the solutions.
>>> Because RFC 5095 is well-known security fix, your result may be accepted by the examiner.
>>>
>>> In this case, when you get LOGO,
>>> some texts will be added at approved list
>>> in order to describe applicant didn't have 100% PASS.
>>>
>> Has not happened for tests submitted last May.
>
> Because the document was still in I-D, right?
>
>

Yes - but even after RFC 5095 came out, I have had no communications regarding submission status - even a no would be fine.

>
>>> Otherwise, please wait for their official release.
>>>
>> That's what I am doing - but US DoD certification dates are making the
>> timeframe really short.
>
> I can understand it.
>
> But we also have concern.
>
> The update will be not only for RFC 5095
> but also RFC 4443, RFC 4861 and RFC 4862.
>
> These changes will have big impact for IPv6 Core Protocols.
> So we must be careful to update the test specification.
> The test specification of certification must be the absolute one for the tester.

True, the update seems to be bigger than 5095 - but the process does not seem that transparent (nor does it seem fast, given it is not transparent).

>
> Thanks for your understanding.
>
> Regards,
>
>
>> -regards
>> Subhendu
>>
>>> The importance is not only ignoring RH0, but also sending back ICMP error.
>>>
>>> v1.4.9 doesn't have verifying ICMP error,
>>> so it is better way to prepare v1.4.9 and v1.5.0b2 results,
>>> if you try short path to get the LOGO.
>>>
>>> Thanks,
>>>
>>>
>>> On Fri, 25 Jan 2008 14:55:40 -0700
>>> Yinghui Yao <Yinghui.Yao@alcatel-lucent.com> wrote:
>>>
>>>> Could you answer my question on RH0? Do I need to pass 100% on these RH0
>>>> test cases in Self_Test_1.4.9?
>>>>
>>>> Thanks,
>>>> Yinghui Yao
>>>> Alcatel-Lucent
>>>>
>>>>
>>> On Fri, 25 Jan 2008 14:41:04 -0700
>>> Yinghui Yao <Yinghui.Yao@alcatel-lucent.com> wrote:
>>>
>>>> I really appreciate your help.
>>>>
>>>> We are making a router which has our customized kernel which is derived
>>>> from KAME. Our behavior on RH0 is dropping the packet and sending back
>>>> ICMP. The failed tests are "IPv6 Specification: 56, 59, 60, 63, 64, 65."
>>>>
>>>> Are TAHI folks on this mailing list? Or is there a separate list? I want
>>>> to ask them about the "100% pass policy" on this RFC 5095 case. Any
>>>> other guys out there having my problems?
>>>>
>>>> Thanks,
>>>> Yinghui Yao
>>>> Alcatel-Lucent
>>>>
>>>> Subhendu Ghosh wrote:
>>>>> It doesn't matter which kernel version fails or how it fails.
>>>>>
>>>>> It is more a question of policy with regards to existing non-beta test
>>>>> suite and RFC status.
>>>>>
>>>>> Self_Test_1_4_9 has been out for a while and RFC5095 has been out for
>>>>> a month.
>>>>>
>>>>> Does an intersection of Self_Test_1_4_9 and RFC5095 satisfy Logo
>>>>> requirements?
>>>>>
>>>>> Does an intersection of Self_Test_1_4_9 and CVE-2007-2242 satisfy Logo
>>>>> requirements?
>>>>>
>>>>> The consensus for the CVE workaround was to drop the RH0 packets with
>>>>> no action. RFC 5095 changes that consensus to require an ICMP parameter
>>>>> problem message.
>>>>>
>>>>> According to the statements from the TAHI folks after the CVE was
>>>>> issued, it seemed to indicate that Self_Test_1_4_9 as shipped had to
>>>>> be passed 100% unmodified for Logo requirements.
>>>>>
>>>>> -regards
>>>>> Subhendu Ghosh
>>>>>
>>>>> Karsten Keil wrote:
>>>>>> On Fri, Jan 25, 2008 at 08:56:30AM -0700, Yinghui Yao wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Can anyone please give me an answer for this?
>>>>>>>
>>>>>> Which kernel do you use and which tests fail?
>>>>>> Afaik there was a wrong security fix in some kernel versions which
>>>>>> did disable RH0 handling completely, instead of sending correct ICMP
>>>>>> messages.
>>>>>>
>>>>>>
>>>>>>> Thanks,
>>>>>>> Yinghui Yao
>>>>>>> Alcatel-Lucent
>>>>>>>
>>>>>>> Yinghui Yao wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Let's not talk about the beta program. I need to pass Self_Test_1_4_9
>>>>>>>> and now our NUT is dropping the RH0 packet. Is that acceptable in your
>>>>>>>> evaluation process or we have to modify our program to pass "100%" of
>>>>>>>> your tests.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Yinghui Yao
>>>>>>>> Alcatel-Lucent
>>>>>>>>
>>>>>>>> Hiroshi MIYATA wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> You know IPv6 Logo Program is planning to update the IPv6 core test
>>>>>>>>> specification.
>>>>>>>>> It was under public review (until 3rd, Jan.).
>>>>>>>>> And RH0 is covered in the latest version under public review.
>>>>>>>>> Please visit here.
>>>>>>>>> http://www.ipv6ready.org/announcement/public_review20071204_p2core.html
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> And the test tool is compliant to this test specification.
>>>>>>>>> http://www.tahi.org/logo/release/Self_Test_1-5-0b1.tgz
>>>>>>>>>
>>>>>>>>> Disabling RH0 is not mandated at this moment, but it is selectable.
>>>>>>>>> We may need some discussion on this.
>>>>>>>>> Although the public review is over, if you have some comments about
>>>>>>>>> this, v6LC welcomes your comments.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> ....miyata
>>>>>>>>>
>>>>>>>>> On 2008/01/02, at 12:22, sghosh@redhat.com wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Self Test 1.5.0-b2 (beta)
>>>>>>>>>> Includes some of the bits to see if Type0 should be supported or
>>>>>>>>>> not.
>>>>>>>>>> See config.txt in the testsuite. RFC5095 was just published on
>>>>>>>>>> Standards Track
>>>>>>>>>> deprecating RH0 and specifying the required behavior. ICMP Parameter
>>>>>>>>>> Problem is
>>>>>>>>>> now required. The testsuite could not be changed until the RFC was
>>>>>>>>>> published.
>>>>>>>>>>
>>>>>>>>>> The original fix for the CVE in some distributions like RHEL was to
>>>>>>>>>> silently
>>>>>>>>>> drop the packet. That behavior needs to be updated.
>>>>>>>>>>
>>>>>>>>>> -regards
>>>>>>>>>> Subhendu Ghosh
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Quoting Gui Jianfeng <guijianfeng@cn.fujitsu.com>:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Who knows? :-)
>>>>>>>>>>>
>>>>>>>>>>> Gui Jianfeng wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi all,
>>>>>>>>>>>> IPV6 routing header with type 0 isn't supported by the latest Linux
>>>>>>>>>>>> kernel any more,
>>>>>>>>>>>> but some of the IPV6 ct test cases are still based on routing
>>>>>>>>>>>> header of type 0.
>>>>>>>>>>>> I'd like to know, whether this kind of test cases will be removed
>>>>>>>>>>>> or updated?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>> Gui Jianfeng
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Gui Jianfeng
>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>> Gui Jianfeng
>>>>>>>>>>> Development Dept.I
>>>>>>>>>>> Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
>>>>>>>>>>> 8/F., Civil Defense Building, No.189 Guangzhou Road,
>>>>>>>>>>> Nanjing, 210029, China
>>>>>>>>>>> TEL: +86+25-86630566-838
>>>>>>>>>>> COINS: 79955-838
>>>>>>>>>>> FAX: +86+25-83317685
>>>>>>>>>>> MAIL:guijianfeng@cn.fujitsu.com
>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>
>>>
>>> ------------------------------------------------------------------------
>>> Yukiyo Akisada <akisada@tahi.org>
>>>
>>>
>>
>
>
> ------------------------------------------------------------------------
> Yukiyo Akisada <akisada@tahi.org>
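
The two behaviours contrasted in this thread (silent drop as the CVE-2007-2242 workaround versus the ICMP Parameter Problem that RFC 5095 requires), as an added example that is not part of the original messages or of the TAHI test suite. It follows RFC 5095 section 3; the function names and the sample packet are constructed for illustration.

```python
import struct

NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS, NH_ICMPV6 = 0, 43, 60, 58

def find_rh0(pkt):
    """Offset and Segments Left of the first Type 0 Routing header, or None."""
    nh, off = pkt[6], 40
    while nh in (NH_HOPOPTS, NH_DSTOPTS, NH_ROUTING) and off + 8 <= len(pkt):
        if nh == NH_ROUTING and pkt[off + 2] == 0:
            return off, pkt[off + 3]
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return None

def verdict(pkt):
    """RFC 5095: RH0 is handled like an unrecognized Routing Type."""
    hit = find_rh0(pkt)
    if hit is None or hit[1] == 0:
        return "continue", None          # no RH0, or Segments Left 0: skip header
    return "param-problem", hit[0] + 2   # pointer = offset of the Routing Type byte

def csum(data):
    """Internet checksum over data (padded to an even length)."""
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def param_problem(pkt, pointer):
    """ICMPv6 type 4 code 0, from the packet's destination back to its source."""
    src, dst = pkt[24:40], pkt[8:24]
    body = struct.pack("!BBHI", 4, 0, 0, pointer) + pkt[:1280 - 48]  # fit min MTU
    pseudo = src + dst + struct.pack("!I3xB", len(body), NH_ICMPV6)
    return body[:2] + struct.pack("!H", csum(pseudo + body)) + body[4:]

def conforms(pkt, reply):
    """reply: ICMPv6 message the node sent back, or None for a silent drop."""
    action, ptr = verdict(pkt)
    if action == "continue":
        return reply is None or reply[0] != 4
    return (reply is not None and reply[:2] == b"\x04\x00"
            and struct.unpack("!I", reply[4:8])[0] == ptr)

def sample(segleft):
    """Constructed packet 2001:db8::1 -> 2001:db8::2 with a one-address RH0."""
    def addr(n):
        return bytes.fromhex("20010db8") + bytes(11) + bytes([n])
    rh = bytes([59, 2, 0, segleft]) + bytes(4) + addr(3)
    return struct.pack("!IHBB", 0x60000000, len(rh), NH_ROUTING, 64) + addr(1) + addr(2) + rh
```

`conforms(sample(1), None)` is false: a node that silently drops a packet carrying RH0 with non-zero Segments Left does not meet RFC 5095, which is the gap between the CVE-era fix and the updated test specification discussed above.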