Re: [Int-area] WG Adoption Call: IP Fragmentation Considered Fragile

Toerless Eckert <tte@cs.fau.de> Mon, 27 August 2018 00:09 UTC

Date: Mon, 27 Aug 2018 02:09:32 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Tom Herbert <tom@herbertland.com>
Cc: Joe Touch <touch@strayalpha.com>, Christian Huitema <huitema@huitema.net>, int-area <int-area@ietf.org>, intarea-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/edYrgUiIXyFp9xvTchDKiZAqkmE>

On Sun, Aug 26, 2018 at 04:16:39PM -0700, Tom Herbert wrote:
> When the host stack pundits are asking network device stack builders
> to conform to the standard protocols then I believe that is
> reasonable. If firewalls were standard and ubiquitous, and standards
> were adhered to, then host stacks would have no problem. But alas
> they're not, so we're forced to implement the host stack per the least
> common denominator functionality of network devices.

[RANT]
Sure. And now we've got internet highways full of speeding, black, armored,
window tinted and removed license plate SUV packets. And given how
the road authorities are seen as commercial competitors to the business
models of those attack SUV packet companies they even manage to bribe
congress into thinking that the road authorities should simply get out
of the way. And whenever you open one of those SUV cars, it's
full of little "net neutrality" crybabies running lacrimal gland 
attacks against the voting public.
[/RANT]

Aka: It's a commercial issue and standards are built these days to prohibit others
to do what you want to exclusively do yourself. I am saying this not
to discount the good standard results we have, but primarily to explain
why we do not also get other good standards.

> Conversely, do you allow your smartphone to connect to a network
> before you've verified that a firewall is being run in the network,
> what vendor provided it, and what the configured rules are?

When pacemaker companies do willfully reject to fix security attack
vectors against their devices for years, the IETF should really start
focussing more on what it can do to create more network security
and the right architectures for it.

There should be a lot of business for all those crappy embedded
endpoint vendors to outsource security in a trusted fashion to
someone who cares about it.

Toerless

> Tom
> 
> > Cheers
> >     Toerless
> >
> >> Using part of the IPv6 space for this solution would then break per-address network management (different UDP ports would use different IPv6 addresses, presumably).
> >>
> >> The "disease" is that NATs don't reassemble (or emulate it). It's not useful to try to address the symptoms of that disease individually.
> >>
> >> Joe