[Int-area] stateless firewalls in draft-ietf-intarea-frag-fragile-08

Tom Herbert <tom@herbertland.com> Fri, 01 February 2019 16:37 UTC

From: Tom Herbert <tom@herbertland.com>
Date: Fri, 01 Feb 2019 08:37:01 -0800
Message-ID: <CALx6S36BZ_FzW_2v6qmi_qdZFJ7weE0KSw5g4hP7W7WUPkf1mA@mail.gmail.com>
To: int-area <int-area@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/kLjDogWlyOF8d6PrNBd-5AdLUeI>
Subject: [Int-area] stateless firewalls in draft-ietf-intarea-frag-fragile-08
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>

Hello,

I have a couple of comments regarding the text about stateless firewalls.

From Section 4.3:
"Because port information is not available in the trailing fragments
the firewall is limited to the following options:

   o  Accept all trailing fragments, possibly admitting certain
classes of attack.

   o  Block all trailing fragments, possibly blocking legitimate traffic."

There seems to be a third option described in RFC1858.

"Fortunately, we do not need to remove all fragments of an offending
packet. Since "interesting" packet information is contained in the
headers at the beginning, filters are generally applied only to the
first fragment.  Non-first fragments are passed without filtering,
because it will be impossible for the destination host to complete
reassembly of the packet if the first fragment is missing, and
therefore the entire packet will be discarded."

From Section 4.6 of the draft:

"A stateless firewall cannot protect against the overlapping fragment attack."

Isn't this addressed in RFC1858 and RFC5722? (e.g. "4.2 Prevention of
the Overlapping Fragment Attack" is a section in RFC1858).

Tom
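As an added example (not part of Tom's message, the draft, or RFC 1858's own text), here is the third option in code: a stateless IPv4 filter that applies its port policy only to first fragments, drops the two fragment shapes RFC 1858 warns about (a first fragment too short to carry the TCP ports, and a TCP fragment at offset 1 that would overwrite them on reassembly), and passes other non-first fragments because the host cannot reassemble without the first one. The 16-byte minimum, the blocked-port set and the sample packets are constructed for this example.

```python
import struct

IPPROTO_TCP = 6
# Policy assumptions made for this example: a first fragment must carry at least
# this many transport bytes (covers TCP ports through the flags field), and
# inbound TCP/23 is blocked. Both values are constructed, not from the draft.
TCP_MIN_FIRST_FRAG = 16
BLOCKED_DST_PORTS = {23}

def parse_ipv4(pkt: bytes):
    """Return (protocol, more_fragments, fragment_offset, transport_bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    more_frags = bool(flags_frag & 0x2000)   # MF flag
    frag_offset = flags_frag & 0x1FFF        # offset in 8-byte units
    return pkt[9], more_frags, frag_offset, pkt[ihl:total_len]

def decide(pkt: bytes) -> str:
    """Stateless verdict for one IPv4 packet or fragment."""
    proto, _mf, fo, transport = parse_ipv4(pkt)
    if proto != IPPROTO_TCP:
        return "ACCEPT"                      # only TCP is filtered here
    if fo == 0:
        # First fragment (or unfragmented packet): the ports are here. If it is
        # too short to hold them, a later fragment could supply the real header.
        if len(transport) < TCP_MIN_FIRST_FRAG:
            return "DROP:tiny-first-fragment"
        dport = struct.unpack("!H", transport[2:4])[0]
        return "DROP:policy" if dport in BLOCKED_DST_PORTS else "ACCEPT"
    if fo == 1:
        # RFC 1858 section 4.2: a TCP fragment at offset 1 (byte 8) would
        # overwrite the port fields of the first fragment on reassembly.
        return "DROP:overlap-offset-1"
    # Other non-first fragments carry no port data; pass them, since the host
    # cannot reassemble the datagram if the filtered first fragment is missing.
    return "ACCEPT:non-first-fragment"

def make_ipv4(proto: int, mf: bool, fo: int, transport: bytes) -> bytes:
    """Build a constructed IPv4 packet (header checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (fo & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0x1234,
                      flags_frag, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + transport

def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN header (constructed sample input)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
```

Running `decide(make_ipv4(6, True, 0, tcp_header(40000, 80)[:4]))` shows the tiny-fragment drop; the same header in full on an unfragmented packet to port 23 is dropped by policy, while a fragment at offset 5 passes untouched.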