Re: [Int-area] Fwd: IPv4 ID update draft
Julien Laganier <julien.ietf@gmail.com> Thu, 23 June 2011 01:34 UTC
Return-Path: <julien.ietf@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB09911E808F for <int-area@ietfa.amsl.com>; Wed, 22 Jun 2011 18:34:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqteTYtu2sHJ for <int-area@ietfa.amsl.com>; Wed, 22 Jun 2011 18:34:26 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 40C2411E8080 for <int-area@ietf.org>; Wed, 22 Jun 2011 18:34:26 -0700 (PDT)
Received: by bwz13 with SMTP id 13so1373041bwz.31 for <int-area@ietf.org>; Wed, 22 Jun 2011 18:34:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=FZVS9SwaW01llmD3K6Fv4hCOS4Bb0NU3HxBYWKFjhGM=; b=PrqcHgqYQEYrBbZ9qSwTllrRVGJZ6X2I82a77uTMD7aiy9ak8AQr5HT53Te9xoJa7J PIyy558nvaxTbXXcdZtKYqYQ1UjFj7e+/rQBmkXBPBAYDREeUbsFnebMHWFUXD/iQ2he BlsjWyo/83UTSRfWXbvwmshIRNaUFC0bsktF4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=qvBBzfVr9AfiZvUyOdsimFVm5JRyl1Op3Q7BXl/BR8qiiJaGudj5Ts62Vc5CcAgXXn TAVBwA58ssmkfjQLjYHiT71xHS4kd3l22m5arsF0cLvQW/B5ibEGpGDqgdvLOHqKRcBV AVYBgr1OD0pfRz8VrwEKNjKkdkU7qDArnnJAA=
MIME-Version: 1.0
Received: by 10.204.40.80 with SMTP id j16mr313689bke.107.1308792865273; Wed, 22 Jun 2011 18:34:25 -0700 (PDT)
Received: by 10.204.176.77 with HTTP; Wed, 22 Jun 2011 18:34:25 -0700 (PDT)
In-Reply-To: <4E028414.8030700@isi.edu>
References: <BANLkTi=SoZdDMYW5=PffVu+bLN_5+a9Hyg@mail.gmail.com> <4E0250D5.5060701@isi.edu> <BANLkTikfP1zz+vpWy+vM8mSJjg3wZKykSA@mail.gmail.com> <4E028414.8030700@isi.edu>
Date: Wed, 22 Jun 2011 18:34:25 -0700
Message-ID: <BANLkTinhfFSMTEz5D5+69W2R2yXEJPuFbQ@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: int-area@ietf.org
Subject: Re: [Int-area] Fwd: IPv4 ID update draft
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2011 01:34:28 -0000
Joe, Cutting thru a bit: On Wed, Jun 22, 2011 at 5:08 PM, Joe Touch <touch@isi.edu> wrote: > > > On 6/22/2011 4:40 PM, Julien Laganier wrote: >> >> Hi Joe, >> >> On Wed, Jun 22, 2011 at 1:30 PM, Joe Touch<touch@isi.edu> wrote: >>> >>> Hi, all, >>> >>> To discuss some points below... >>> >>> On 6/22/2011 11:22 AM, Julien Laganier wrote: >>>> >>>> Joe, >>>> >>>> Because we' re talking about updating a venerable protocol I want to >>>> make sure that we get the necessary level of review for this draft >>>> before we forward it to IESG for publication as proposed standard. >>>> I've asked a number of people to have a look at it, and below is the >>>> first review from Erik (Thanks!) >>>> >>>> --julien >>>> >>>> ---------- Forwarded message ---------- >>>> From: Erik Nordmark<nordmark@cisco.com> >>>> Date: Wed, Jun 22, 2011 at 8:49 AM >>>> Subject: Re: IPv4 ID update draft >>>> To: Julien Laganier<julien.ietf@gmail.com> >>>> >>>> >>>> On 6/22/11 8:17 AM, Julien Laganier wrote: >>>>> >>>>> Hi Erik, >>>>> >>>>> Have you read this draft of Joe: >>>>> >>>>> http://tools.ietf.org/html/draft-ietf-intarea-ipv4-id-update-02 >>>>> >>>>> If so, do you think it is ready for publication? >>>> >>>> No, I haven't read it. >>>> I've sat through numerous presentations around the draft in the intarea >>>> WG. >>>> >>>> I did a quick read. >>>> >>>> I see text like >>>> This document attempts to address the security considerations >>>> associated with fragmentation in IPv4 [RFC4459]. >>>> which is confusing given that RFC 4459 talks about e.g., >>>> router-based >>>> fragment reassembly could easily lead to (reassembly) buffer memory >>>> exhaustion >>>> >>>> Clearly the id-update shouldn't claim to solve reassembly buffer >>>> memory exhaustion, hence I think the above text around the reference >>>> to RFC 4459 should be reworded. >>> >>> Will do. I have to look back to find the origin of that particular >>> component... >> >> Ok. >> >>>> On network rewrites: >>>> >>>> Section 6.2 says >>>> For atomic datagrams, because the IPv4 ID field is ignored on >>>> receipt, it can be possible to rewrite the field. Rewriting can be >>>> useful to prevent use of the field as a covert channel, or to enable >>>> more efficient header compression. However, the IPv4 ID field needs >>>> to remain immutable when it is validated by higher layer protocols, >>>> such as IPsec. As a result: >>>> >>>> o>> The IPv4 ID field of non-atomic datagrams, or protected atomic >>>> datagrams MUST NOT change in transit; the IPv4 ID field of >>>> unprotected atomic datagrams MAY be changed in transit. >>>> >>>> Protected datagrams are defined as those whose header fields are >>>> covered by integrity validation, such as IPsec AH [RFC4302]. >>>> >>>> Section 10 says: >>>> This document thus does not recommend whether atomic IPv4 >>>> datagrams should use nonchanging or changing IDs, but rather allows >>>> those IDs to be modified in transit (as per Sec. 6.2), which can be >>>> used to accommodate more efficient compression as desired. >>>> >>>> >>>> And section 11 says: >>>> When the IPv4 ID is ignored on receipt (e.g., for atomic datagrams), >>>> its value becomes unconstrained; that field then can more easily be >>>> used as a covert channel. For some atomic datagrams - notably those >>>> not protected by IPsec Authentication Header (AH) [RFC4302] - it is >>>> now possible, and may be desirable, to rewrite the IPv4 ID field to >>>> avoid its use as such a channel. >>>> >>>> I don't see any significant benefits in allowing in-transit >>>> modifications of the IP-ID (I'm not talking about the NAT case, which >>>> in essence re-originates a datagram with different addresses/ports), >>>> and I think we should be careful when tweaking this 20+ year old >>>> protocol. Thus I don't think we should allow for in-transit >>>> modifications of unprotected datagrams. >>> >>> There's actually a very specific reason for allowing in-transit >>> modification >>> - to avoid the assumption that this field can now be used in atomic >>> packets >>> for other E2E messaging -- as others have recently proposed, e.g., in >>> draft-briscoe-intarea-ipv4-id-reuse >> >> I don't think that goal was in-scope for this I-D. > > This point is mostly unchanged from its original discussion in the pre-WG > version of the I-D, FWIW. > >> Also, since NAT may rewrite the I-D, it seems that the I-D can't be >> used for that reliably, so maybe the I-D can mention that NATs may >> rewrites IDs - rather than give blanket permission to intermediaries >> to rewrite the IDs in unprotected atomic packets. > > If we don't give blanket permission to change the ID in unprotected atomic > packets, isn't that requiring them to be immutable? > > I.e., we agree that we need to NOT assume that IDs of atomic packets are > immutable; isn't that the same as allowing them to be modified in transit? > Is there any other way to say "not immutable" than: > > - an intermediate node MAY rewrite the ID of an atomic packet It seems to me that NOT assuming that IDs of atomic packets are immutable is adequately captured by o >> All devices that examine IPv4 headers MUST ignore the IPv4 ID field of atomic datagrams. no? > NATs rewrite src or dst addresses, but also (technically) need to rewrite > IDs to be correct w.r.t. current RFC 791 rules - but they don't. I'm not > clear that whether a NAT can/does rewrite an ID is useful towards this > point. > >>> The goal is to make the ID field something the receiver must ignore, >>> solely >>> to avoid the (often ignored) requirement that the ID be unique within >>> src/dst/prot tuple within 2MSL. >> >> IMHO the proper way to make the receier ignore the ID is to say MUST >> ignore, rather than allowing intermediaries to rewrite it.... >> >>> IMO, we can't "require" the field to be immutable E2E unless it's >>> protected >>> (e.g., by IPsec or encapsulation and a checksum of some kind). That's the >>> point of "allowing" it to change - which also means it can change out >>> from >>> under anyone who uses it anywhere in the net, which prevents it being >>> used >>> for new mechanisms. >> >> Not requiring the field to be immutable doesn' t mean we have to allow >> it to change... > > See above (I.e., I can't see how it doesn't); if you can find a way to > express that as a requirement, I'm game. We don' t require the field to be immutable by making the mutability properties of the field transparent to the receiver that ignores this field in atomic packets... >>> Given that context, do you think it's still important and/or feasible to >>> prohibit in-transit mods? >> >> It' s not really about prohibiting in-transit mods, since NATs might >> do that already. It is about not allowing it per this specification. >> You can stil mention that NATs do rewrite it... > > Well that would kill the entire discussion on header compression. That's > fine if we want to omit that. but if we do say that "ID is not immutable in > atomic packets", that opens the door to a very useful optimization for > compression that ought to be included IMO. I do not think that this draft should update a 20 years old protocol specification with the goal of opening doors to optimization of header compression for that same protocol. I _think_ it was also the sense of Erik's message. --julien
- [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch