Re: [Int-area] Fwd: IPv4 ID update draft
Julien Laganier <julien.ietf@gmail.com> Wed, 22 June 2011 23:40 UTC
Return-Path: <julien.ietf@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D6E11E80BD for <int-area@ietfa.amsl.com>; Wed, 22 Jun 2011 16:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24aB7UgkS-tG for <int-area@ietfa.amsl.com>; Wed, 22 Jun 2011 16:40:28 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id C429C11E80B3 for <int-area@ietf.org>; Wed, 22 Jun 2011 16:40:27 -0700 (PDT)
Received: by bwz13 with SMTP id 13so1314346bwz.31 for <int-area@ietf.org>; Wed, 22 Jun 2011 16:40:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=md0RmygHVuOHpPvIQA6rFe+hzPaEPUwYRhQYd4g6Wls=; b=jKG0tZL9SDDkuJXPkcqZ5fpF5vEf4ZAP7uuZwXa7qxXg1U4pnnWniTWKoZjNeWFI/B 0ugKUkYQOHJQQMpU+OIjE+hofyN/IGSiPfTuLRJyo9ros8wPKQWFSmmRgARLs25eOmtE jVv16xiuJevHymAKk6OsJp9wFhzlzW3Dw8+0c=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=uAYlZ0hLSopbtUEByYMWk8Sw8GS6Qq2oc1rmx6Ib40SHKdffVqzrNZkUDu0mN5IRRS A7vyHKNZcAfOklYkSscXXXsLmInx/rrA9hJfOvlxU3vGLAurvUIH9/pMfvr12HDbvQR+ mCGYX6i9x6le2D1J+AV448gtArJDJkZ2nSZHU=
MIME-Version: 1.0
Received: by 10.204.3.196 with SMTP id 4mr218257bko.188.1308786026798; Wed, 22 Jun 2011 16:40:26 -0700 (PDT)
Received: by 10.204.176.77 with HTTP; Wed, 22 Jun 2011 16:40:26 -0700 (PDT)
In-Reply-To: <4E0250D5.5060701@isi.edu>
References: <BANLkTi=SoZdDMYW5=PffVu+bLN_5+a9Hyg@mail.gmail.com> <4E0250D5.5060701@isi.edu>
Date: Wed, 22 Jun 2011 16:40:26 -0700
Message-ID: <BANLkTikfP1zz+vpWy+vM8mSJjg3wZKykSA@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: int-area@ietf.org
Subject: Re: [Int-area] Fwd: IPv4 ID update draft
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/int-area>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2011 23:40:29 -0000
Hi Joe, On Wed, Jun 22, 2011 at 1:30 PM, Joe Touch <touch@isi.edu> wrote: > Hi, all, > > To discuss some points below... > > On 6/22/2011 11:22 AM, Julien Laganier wrote: >> >> Joe, >> >> Because we' re talking about updating a venerable protocol I want to >> make sure that we get the necessary level of review for this draft >> before we forward it to IESG for publication as proposed standard. >> I've asked a number of people to have a look at it, and below is the >> first review from Erik (Thanks!) >> >> --julien >> >> ---------- Forwarded message ---------- >> From: Erik Nordmark<nordmark@cisco.com> >> Date: Wed, Jun 22, 2011 at 8:49 AM >> Subject: Re: IPv4 ID update draft >> To: Julien Laganier<julien.ietf@gmail.com> >> >> >> On 6/22/11 8:17 AM, Julien Laganier wrote: >>> >>> Hi Erik, >>> >>> Have you read this draft of Joe: >>> >>> http://tools.ietf.org/html/draft-ietf-intarea-ipv4-id-update-02 >>> >>> If so, do you think it is ready for publication? >> >> No, I haven't read it. >> I've sat through numerous presentations around the draft in the intarea >> WG. >> >> I did a quick read. >> >> I see text like >> This document attempts to address the security considerations >> associated with fragmentation in IPv4 [RFC4459]. >> which is confusing given that RFC 4459 talks about e.g., >> router-based >> fragment reassembly could easily lead to (reassembly) buffer memory >> exhaustion >> >> Clearly the id-update shouldn't claim to solve reassembly buffer >> memory exhaustion, hence I think the above text around the reference >> to RFC 4459 should be reworded. > > Will do. I have to look back to find the origin of that particular > component... Ok. >> On network rewrites: >> >> Section 6.2 says >> For atomic datagrams, because the IPv4 ID field is ignored on >> receipt, it can be possible to rewrite the field. Rewriting can be >> useful to prevent use of the field as a covert channel, or to enable >> more efficient header compression. However, the IPv4 ID field needs >> to remain immutable when it is validated by higher layer protocols, >> such as IPsec. As a result: >> >> o>> The IPv4 ID field of non-atomic datagrams, or protected atomic >> datagrams MUST NOT change in transit; the IPv4 ID field of >> unprotected atomic datagrams MAY be changed in transit. >> >> Protected datagrams are defined as those whose header fields are >> covered by integrity validation, such as IPsec AH [RFC4302]. >> >> Section 10 says: >> This document thus does not recommend whether atomic IPv4 >> datagrams should use nonchanging or changing IDs, but rather allows >> those IDs to be modified in transit (as per Sec. 6.2), which can be >> used to accommodate more efficient compression as desired. >> >> >> And section 11 says: >> When the IPv4 ID is ignored on receipt (e.g., for atomic datagrams), >> its value becomes unconstrained; that field then can more easily be >> used as a covert channel. For some atomic datagrams - notably those >> not protected by IPsec Authentication Header (AH) [RFC4302] - it is >> now possible, and may be desirable, to rewrite the IPv4 ID field to >> avoid its use as such a channel. >> >> I don't see any significant benefits in allowing in-transit >> modifications of the IP-ID (I'm not talking about the NAT case, which >> in essence re-originates a datagram with different addresses/ports), >> and I think we should be careful when tweaking this 20+ year old >> protocol. Thus I don't think we should allow for in-transit >> modifications of unprotected datagrams. > > There's actually a very specific reason for allowing in-transit modification > - to avoid the assumption that this field can now be used in atomic packets > for other E2E messaging -- as others have recently proposed, e.g., in > draft-briscoe-intarea-ipv4-id-reuse I don't think that goal was in-scope for this I-D. Also, since NAT may rewrite the I-D, it seems that the I-D can't be used for that reliably, so maybe the I-D can mention that NATs may rewrites IDs - rather than give blanket permission to intermediaries to rewrite the IDs in unprotected atomic packets. > The goal is to make the ID field something the receiver must ignore, solely > to avoid the (often ignored) requirement that the ID be unique within > src/dst/prot tuple within 2MSL. IMHO the proper way to make the receier ignore the ID is to say MUST ignore, rather than allowing intermediaries to rewrite it.... > IMO, we can't "require" the field to be immutable E2E unless it's protected > (e.g., by IPsec or encapsulation and a checksum of some kind). That's the > point of "allowing" it to change - which also means it can change out from > under anyone who uses it anywhere in the net, which prevents it being used > for new mechanisms. Not requiring the field to be immutable doesn' t mean we have to allow it to change... > Given that context, do you think it's still important and/or feasible to > prohibit in-transit mods? It' s not really about prohibiting in-transit mods, since NATs might do that already. It is about not allowing it per this specification. You can stil mention that NATs do rewrite it... --julien
- [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch
- Re: [Int-area] Fwd: IPv4 ID update draft Julien Laganier
- Re: [Int-area] Fwd: IPv4 ID update draft Joe Touch