IETF Logo Mail Archive

Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Ronald Bonica <rbonica@juniper.net> Thu, 14 May 2015 19:44 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 715A41A8AFA; Thu, 14 May 2015 12:44:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.901
X-Spam-Level:
X-Spam-Status: No, score=-101.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAsNywUMsrsL; Thu, 14 May 2015 12:44:27 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0146.outbound.protection.outlook.com [207.46.100.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A19D1A89A5; Thu, 14 May 2015 12:44:26 -0700 (PDT)
Received: from BLUPR05MB1985.namprd05.prod.outlook.com (25.162.224.27) by BLUPR05MB1988.namprd05.prod.outlook.com (25.162.224.30) with Microsoft SMTP Server (TLS) id 15.1.160.19; Thu, 14 May 2015 19:44:24 +0000
Received: from BLUPR05MB1985.namprd05.prod.outlook.com ([25.162.224.27]) by BLUPR05MB1985.namprd05.prod.outlook.com ([25.162.224.27]) with mapi id 15.01.0160.009; Thu, 14 May 2015 19:44:24 +0000
From: Ronald Bonica <rbonica@juniper.net>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
Thread-Index: AQHQjeuraQWLl4q6nUqMr+wRYH60Tp17aEKAgAAciKCAABiOQA==
Date: Thu, 14 May 2015 19:44:23 +0000
Message-ID: <BLUPR05MB19854E65D511F14253556DF3AED80@BLUPR05MB1985.namprd05.prod.outlook.com>
References: <20150514021405.29892.21704.idtracker@ietfa.amsl.com> <CY1PR05MB1994819D2EC000754D69ACFDAED80@CY1PR05MB1994.namprd05.prod.outlook.com> <E87B771635882B4BA20096B589152EF628C0CC2C@eusaamb107.ericsson.se> <CAHbuEH5NEopFBPeATmhhLJ=iLom+2DvtTZUUobax2r3KbW=JcQ@mail.gmail.com> <BLUPR05MB19859D4F490C1744BC9B50F7AED80@BLUPR05MB1985.namprd05.prod.outlook.com>
In-Reply-To: <BLUPR05MB19859D4F490C1744BC9B50F7AED80@BLUPR05MB1985.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [66.129.241.14]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR05MB1988;
x-microsoft-antispam-prvs: <BLUPR05MB1988300B40A4CA812DFEF949AED80@BLUPR05MB1988.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BLUPR05MB1988; BCL:0; PCL:0; RULEID:; SRVR:BLUPR05MB1988;
x-forefront-prvs: 0576145E86
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(2656002)(99286002)(230783001)(19300405004)(19609705001)(102836002)(15975445007)(33656002)(19625215002)(106116001)(5001960100002)(2900100001)(46102003)(66066001)(50986999)(76176999)(54356999)(74316001)(189998001)(5001770100001)(92566002)(93886004)(76576001)(122556002)(62966003)(77156002)(16236675004)(2950100001)(40100003)(19580395003)(19617315012)(87936001)(86362001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR05MB1988; H:BLUPR05MB1985.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: multipart/alternative; boundary="_000_BLUPR05MB19854E65D511F14253556DF3AED80BLUPR05MB1985namp_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 May 2015 19:44:23.6794 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR05MB1988
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/9FpR1T_2CbdLC67Ns0jjxyyF5Vg>
Cc: "draft-ietf-intarea-gre-mtu@ietf.org" <draft-ietf-intarea-gre-mtu@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "draft-ietf-intarea-gre-mtu.ad@ietf.org" <draft-ietf-intarea-gre-mtu.ad@ietf.org>, "draft-ietf-intarea-gre-mtu.shepherd@ietf.org" <draft-ietf-intarea-gre-mtu.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Subject: Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 19:44:29 -0000

Kathleen,

The following is an updated Security Considerations Section. Does this work?

                                                                                Ron

Security Considerations
In the GRE fragmentation solution described above, either the GRE payload or the GRE delivery packet can be fragmented.  If the GRE payload is fragmented, it is typically reassembled at its ultimate destination.  If the GRE delivery packet is fragmented, it is typically reassembled at the GRE egress node.

The packet reassembly process is resource intensive and vulnerable to several denial of service attacks.  In the simplest attack, the attacker sends fragmented packets more quickly than the victim can reassemble them.  In a variation on that attack, the first fragment of each packet is missing, so that no packet can ever be reassembled.


Given that the packet reassembly process is resource intensive and vulnerable to denial of service attacks, operators should decide where reassembly process is best performed.  Having made that decision, they should decide whether to fragment the GRE payload or GRE delivery packet, accordingly.


Some IP implementations are vulnerable to the Overlapping Fragment Attack [RFC 1858]. This vulnerability is not specific to GRE and needs to be considered in all environments where IP fragmentation is present. [RFC 3128] describes a procedure by which IPv4 implementations can partially mitigate the vulnerability. [RFC 5722] mandates a procedure by which IPv6-compliant implementations are required to mitigate the vulnerability. The procedure described in RFC 5722 completely mitigates the vulnerability. Operators SHOULD ensure that the vulnerability is mitigated to their satisfaction on equipment that they deploy.

PMTU Discovery is vulnerable to two denial of service attacks (see Section 8 of [RFC1191]<https://tools.ietf.org/html/rfc1191#section-8> for details).  Both attacks are based upon on a malicious party sending forged ICMPv4 Destination Unreachable or ICMPv6 Packet Too Big messages to a host.  In the first attack, the forged message indicates an inordinately small PMTU.  In the second attack, the forged message indicates an inordinately large MTU.  In both cases, throughput is adversely affected.  On order to mitigate such attacks, GRE implementations include a configuration option to disable PMTU discovery on GRE tunnels.  Also, they can include a configuration option that conditions the behavior of PMTUD to establish a minimum PMTU.

<NEW

v2.23.0 | Report a Bug | By Email