Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 14 May 2015 12:33 UTC

In-Reply-To: <E87B771635882B4BA20096B589152EF628C0CC2C@eusaamb107.ericsson.se>
References: <20150514021405.29892.21704.idtracker@ietfa.amsl.com> <CY1PR05MB1994819D2EC000754D69ACFDAED80@CY1PR05MB1994.namprd05.prod.outlook.com> <E87B771635882B4BA20096B589152EF628C0CC2C@eusaamb107.ericsson.se>
Date: Thu, 14 May 2015 08:32:33 -0400
Message-ID: <CAHbuEH5NEopFBPeATmhhLJ=iLom+2DvtTZUUobax2r3KbW=JcQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/ntwTE_mEEKPUuJcx53iK2Xt4Xbo>
Cc: "draft-ietf-intarea-gre-mtu@ietf.org" <draft-ietf-intarea-gre-mtu@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "draft-ietf-intarea-gre-mtu.ad@ietf.org" <draft-ietf-intarea-gre-mtu.ad@ietf.org>, Ronald Bonica <rbonica@juniper.net>, "draft-ietf-intarea-gre-mtu.shepherd@ietf.org" <draft-ietf-intarea-gre-mtu.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Subject: Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

On Wed, May 13, 2015 at 11:59 PM, Suresh Krishnan <suresh.krishnan@ericsson.com> wrote:

> Hi Ron,
>
> On 05/13/2015 11:39 PM, Ronald Bonica wrote:
> > Kathleen,
> >
> > AFAIK, most IP stacks include code that detects fragmentation overlap
> attacks. (Do I have that right?)
> >
> > So, reassembly attacks shouldn't be effective whether reassembly is
> performed at the GRE egress or the ultimate destination.
> >
> > If reassembly is performed at the ultimate destination, the two
> endpoints might be alerted. However, if reassembly is performed at the GRE
> ingress, the endpoints might never be alerted.
> >
> > Should we add a paragraph about this in Section 5 (Security
> Considerations)? Or is this just another type of DoS attack, which we have
> already mentioned?
>
> I think it might merit a separate mention since the draft is concerned
> with fragmentation. You can use RFC1858 as a reference for IPv4 and
> RFC5722 as a reference for IPv6 for handling of the overlapping fragment
> problem.
>

A separate paragraph would be helpful, thanks.  This attack type could lead
to a compromise, so the concern (for me at least) is much higher than a
DoS.  I'm glad it's addressed in code and it would just be good to mention
considerations.

Thank you,
Kathleen


>
> Thanks
> Suresh
>
>


-- 

Best regards,
Kathleen
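The overlap handling Ron and Suresh refer to, as an added example for this thread (not code from the draft, from any IP stack, or from the RFC texts): a toy reassembly buffer that applies the RFC 5722 rule for IPv6 (any overlapping fragment causes the whole datagram, including fragments not yet received, to be silently discarded) and the two RFC 1858 checks for IPv4/TCP (the "indirect" check that drops a fragment with fragment offset 1, i.e. 8 octets, and the "direct" check that drops a first fragment too short to carry the TCP flags). Treating an exact duplicate fragment as harmless, applying the overlap rule to IPv4 as well, and the 16-octet `min_first` threshold are this example's own choices; the fragments and payloads are constructed sample data.

```python
"""Toy IP fragment reassembler that rejects overlapping fragments.

Added example, not code from draft-ietf-intarea-gre-mtu or any real stack.
  * RFC 5722 (IPv6): any overlap -> discard the entire datagram silently.
  * RFC 1858 (IPv4/TCP): drop a fragment with offset 1 (8 octets), and drop
    a first fragment too short to hold the TCP flags (header bytes 12-13).
Ignoring exact duplicate fragments and applying the overlap rule to IPv4
are this example's choices, not RFC requirements.  Sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FRAG_UNIT = 8  # fragment offsets are carried in 8-octet units


@dataclass(frozen=True)
class Fragment:
    offset: int     # payload offset in octets (multiple of 8)
    payload: bytes
    more: bool      # M flag (IPv6) / MF bit (IPv4)

    @property
    def end(self) -> int:
        return self.offset + len(self.payload)


def overlaps(a: Fragment, b: Fragment) -> bool:
    """True when the two fragments share at least one octet of the datagram."""
    return a.offset < b.end and b.offset < a.end


class ReassemblyBuffer:
    """Collects the fragments of one datagram and applies the checks above."""

    def __init__(self, ipv4_tcp: bool = False, min_first: int = 16):
        self.ipv4_tcp = ipv4_tcp
        self.min_first = min_first       # constructed threshold for the RFC 1858 direct check
        self.frags: List[Fragment] = []
        self.discarded: Optional[str] = None

    def _discard(self, reason: str) -> str:
        self.discarded = reason
        self.frags.clear()               # drop everything already received as well
        return reason

    def add(self, frag: Fragment) -> Optional[str]:
        """Accept one fragment; return the discard reason once the datagram is dead."""
        if self.discarded:
            return self.discarded
        if frag.offset % FRAG_UNIT:
            return self._discard("malformed: offset not a multiple of 8")
        if self.ipv4_tcp:
            if frag.offset == FRAG_UNIT:                       # RFC 1858 indirect check
                return self._discard("rfc1858: fragment offset 1")
            if frag.offset == 0 and frag.more and len(frag.payload) < self.min_first:
                return self._discard("rfc1858: tiny first fragment")  # direct check
        if frag in self.frags:                                 # exact duplicate: ignore it
            return None
        if any(overlaps(frag, f) for f in self.frags):         # RFC 5722 rule
            return self._discard("rfc5722: overlapping fragment")
        self.frags.append(frag)
        return None

    def result(self) -> Tuple[str, Optional[bytes]]:
        """('complete', data), ('incomplete', None) or ('discarded', None)."""
        if self.discarded:
            return ("discarded", None)
        frags = sorted(self.frags, key=lambda f: f.offset)
        if not frags or frags[0].offset != 0 or frags[-1].more:
            return ("incomplete", None)
        expected = 0
        for f in frags:                                        # require a gap-free cover
            if f.offset != expected:
                return ("incomplete", None)
            expected = f.end
        return ("complete", b"".join(f.payload for f in frags))


def reassemble(fragments: List[Fragment], **kw) -> Tuple[str, Optional[bytes], Optional[str]]:
    """Feed fragments in arrival order; return (status, data, discard_reason)."""
    buf = ReassemblyBuffer(**kw)
    for f in fragments:
        buf.add(f)
    status, data = buf.result()
    return status, data, buf.discarded


# Constructed samples.  BENIGN is a 32-octet datagram in two fragments whose
# first fragment is long enough to hold a TCP header; the attack variants add a
# hostile fragment that would overwrite octets 8-15 (where TCP flags sit).
BENIGN = [Fragment(0, b"ABCDEFGHIJKLMNOPQRSTUVWX", True), Fragment(24, b"YZ012345", False)]
OVERLAP_ATTACK = BENIGN + [Fragment(8, b"xxxxxxxx", True)]
DUPLICATE = BENIGN + [Fragment(24, b"YZ012345", False)]
TINY_FIRST = [Fragment(0, b"ABCDEFGH", True), Fragment(8, b"IJKLMNOP", False)]

if __name__ == "__main__":
    print("benign      ", reassemble(BENIGN))
    print("overlap v6  ", reassemble(OVERLAP_ATTACK))
    print("overlap v4  ", reassemble(OVERLAP_ATTACK, ipv4_tcp=True))
    print("duplicate   ", reassemble(DUPLICATE))
    print("tiny first  ", reassemble(TINY_FIRST, ipv4_tcp=True))
```

The point the example makes is the one in Kathleen's reply: a stack that reassembles this way refuses the rewritten datagram outright, so the check only protects the path if the node doing the reassembly (the GRE egress, in the draft's case) actually implements it; the destination never sees the fragments and cannot apply its own checks.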