Re: Is Fragmentation at IP layer even needed ?

Mark Andrews <marka@isc.org> Thu, 18 February 2016 20:15 UTC

To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
From: Mark Andrews <marka@isc.org>
Subject: Re: Is Fragmentation at IP layer even needed ?
In-reply-to: Your message of "Thu, 18 Feb 2016 17:27:56 +0900." <56C5808C.1090906@necom830.hpcl.titech.ac.jp>
Date: Fri, 19 Feb 2016 07:15:19 +1100
Message-Id: <20160218201519.D4F1242AA405@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/-0pcswRGl8ckuUueaRLI8eDhw2k>
Cc: ietf@ietf.org

In message <56C5808C.1090906@necom830.hpcl.titech.ac.jp>, Masataka Ohta writes:
> Masataka Ohta (I) wrote:
> 
> > The RFC is a complete mess, in various ways. It says flow IDs are
> > good because they are random, but, at the same time, it says flow
> > IDs may not be random.
> 
> I found the rfc is even worse.
> 
> The most important thing the rfc must have stated (it
> does not, of course) is:
> 
> 	(SRC1, DST1, flow_ID1)
> 
> of a stateful flow MUST be unique (not used by packets
> not belonging to the flow) within the Internet,
> which can be guaranteed only by an end (source or
> destination), which is a straightforward manifestation
> of the end-to-end argument.
> 
> But, the rfc allows routers (firewalls) to change flow IDs to
> nonzero values.
> 
> So, if a router changes the flow ID of (SRC1, DST1, flow_ID2),
> from flow_ID2 to flow_ID3, then, there is a possibility
> that flow_ID1==flow_ID3, which is fatal for the stateful
> flow, if the modified packets are merged to the stateful
> flow (certain protection against merging possible but
> not robust against route changes).
> 
> Of course, section 6.1 of the rfc on covert channels is
> abstract nonsense, because covert channels may be created
> in various ways to carry information, for example, with
> extension headers (fragmentation boundaries, for example,
> can be arbitrary), which means firewalls should reject
> packets with extension headers.

No, it doesn't.  Firewalls have a purpose.  Most of the time the
purpose isn't to block communication.  It is to block wasting
resources or to try to prevent poorly written applications / IP
stacks being compromised.

Often people forget that firewalls need to let packets through that
are part of a legitimate communications flow.  You don't
actually need to stop *every* potential packet that isn't part of
a communications flow.  You just need to make it hard enough that
it is not worth the effort to find the open paths if you are not
part of a legitimate flow.

> 					Masataka Ohta
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
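The flow-ID collision Ohta describes (a router rewriting flow_ID2 to flow_ID3 where flow_ID3 happens to equal flow_ID1), as an added Python simulation that is not part of the thread. The addresses, labels and ports are constructed, and the "protection against merging" is assumed here to mean keying state on the transport ports as well as the (SRC, DST, flow_ID) triple.

```python
"""Simulate state merging when a router rewrites an IPv6 flow label.

Constructed example for illustration, not code from the thread: a
stateful node keys its flow table on (src, dst, flow_label), and a
router on the path replaces the label of an unrelated flow with a
nonzero value that collides with the stateful flow's label.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flow_label: int   # 20-bit IPv6 flow label (0 means unlabelled)
    sport: int
    dport: int
    payload: bytes


def label_key(p: Packet) -> Hashable:
    """Key flow state on (SRC, DST, flow_ID) only, as the thread discusses."""
    return (p.src, p.dst, p.flow_label)


def tuple_key(p: Packet) -> Hashable:
    """Assumed protection against merging: also compare the transport ports."""
    return (p.src, p.dst, p.flow_label, p.sport, p.dport)


def rewrite_label(p: Packet, new_label: int) -> Packet:
    """Model a router/firewall that replaces the flow label with a nonzero value."""
    assert new_label != 0
    return Packet(p.src, p.dst, new_label, p.sport, p.dport, p.payload)


def run(key: Callable[[Packet], Hashable]) -> Dict[Hashable, List[bytes]]:
    """Deliver one stateful flow plus one relabelled unrelated flow; return the table."""
    src, dst = "2001:db8::1", "2001:db8::2"          # constructed addresses
    stateful = Packet(src, dst, 0x12345, 40000, 443, b"flow1")   # flow_ID1
    other = Packet(src, dst, 0x0ABCD, 40001, 80, b"flow2")       # flow_ID2
    table: Dict[Hashable, List[bytes]] = {}
    # The router picks flow_ID3 == flow_ID1 for the unrelated packet.
    for p in (stateful, rewrite_label(other, 0x12345)):
        table.setdefault(key(p), []).append(p.payload)
    return table
```

With `label_key` the unrelated packet lands in the stateful flow's entry; with `tuple_key` the two flows stay separate, which is the fragile protection Ohta notes is not robust once routes (and hence which router relabels what) change.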