Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)

Ronald Bonica <rbonica@juniper.net> Thu, 14 May 2015 14:15 UTC

From: Ronald Bonica <rbonica@juniper.net>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>
Date: Thu, 14 May 2015 14:15:03 +0000
Message-ID: <BLUPR05MB19859D4F490C1744BC9B50F7AED80@BLUPR05MB1985.namprd05.prod.outlook.com>
References: <20150514021405.29892.21704.idtracker@ietfa.amsl.com> <CY1PR05MB1994819D2EC000754D69ACFDAED80@CY1PR05MB1994.namprd05.prod.outlook.com> <E87B771635882B4BA20096B589152EF628C0CC2C@eusaamb107.ericsson.se> <CAHbuEH5NEopFBPeATmhhLJ=iLom+2DvtTZUUobax2r3KbW=JcQ@mail.gmail.com>
In-Reply-To: <CAHbuEH5NEopFBPeATmhhLJ=iLom+2DvtTZUUobax2r3KbW=JcQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/int-area/w0ISBnU1TnMltrToOmLAlh5V3V8>
Cc: "draft-ietf-intarea-gre-mtu@ietf.org" <draft-ietf-intarea-gre-mtu@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "draft-ietf-intarea-gre-mtu.ad@ietf.org" <draft-ietf-intarea-gre-mtu.ad@ietf.org>, "draft-ietf-intarea-gre-mtu.shepherd@ietf.org" <draft-ietf-intarea-gre-mtu.shepherd@ietf.org>, The IESG <iesg@ietf.org>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>
Subject: Re: [Int-area] Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>

Hi Kathleen,

I will have text later today.

                                      Ron


From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
Sent: Thursday, May 14, 2015 8:33 AM
To: Suresh Krishnan
Cc: Ronald Bonica; The IESG; draft-ietf-intarea-gre-mtu@ietf.org; draft-ietf-intarea-gre-mtu.ad@ietf.org; draft-ietf-intarea-gre-mtu.shepherd@ietf.org; intarea-chairs@ietf.org; int-area@ietf.org
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)



On Wed, May 13, 2015 at 11:59 PM, Suresh Krishnan <suresh.krishnan@ericsson.com> wrote:
Hi Ron,

On 05/13/2015 11:39 PM, Ronald Bonica wrote:
> Kathleen,
>
> AFAIK, most IP stacks include code that detects fragmentation overlap attacks. (Do I have that right?)
>
> So, reassembly attacks shouldn't be effective whether reassembly is performed at the GRE egress or the ultimate destination.
>
> If reassembly is performed at the ultimate destination, the two endpoints might be alerted. However, if reassembly is performed at the GRE ingress, the endpoints might never be alerted.
>
> Should we add a paragraph about this in Section 5 (Security Considerations). Or is this just another type of DoS attack, which we have already mentioned?

I think it might merit a separate mention since the draft is concerned
with fragmentation. You can use RFC1858 as a reference for IPv4 and
RFC5722 as a reference for IPv6 for handling of the overlapping fragment
problem.

A separate paragraph would be helpful, thanks.  This attack type could lead to a compromise, so the concern (for me at least) is much higher than a DoS.  I'm glad it's addressed in code and it would just be good to mention considerations.

Thank you,
Kathleen


Thanks
Suresh



--

Best regards,
Kathleen
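The thread above turns on two points: overlapping-fragment attacks are handled by the reassembly code (RFC 1858 for IPv4, RFC 5722 for IPv6), and whichever node performs reassembly, GRE egress or ultimate destination, is the one that has to apply those checks, because a destination that only ever sees the reassembled datagram cannot. The following is an added example, not text or code from the draft or from anyone in the thread, showing what such a reassembler looks like with both sets of checks in one place. It assumes a simplified fragment model (identification, protocol number, 8-octet Fragment Offset, More Fragments flag, payload); the 16-octet minimum for a TCP first fragment is a local policy value chosen here to cover the TCP flags field, not a figure quoted from RFC 1858; and exact duplicate fragments are tolerated rather than treated as overlaps, which RFC 8200 section 4.5 permits.

```python
"""Fragment reassembly with RFC 1858 (tiny / offset-1 TCP fragments) and
RFC 5722 (discard the whole datagram on any overlap) checks.  Added example
for the discussion of reassembly at a GRE egress; not from the draft."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TCP = 6
# Assumption (local policy): octets of TCP header a first fragment must carry so
# the flags field cannot be deferred to, and rewritten by, a later fragment.
TCP_MIN_FIRST_FRAGMENT = 16


@dataclass(frozen=True)
class Fragment:
    ident: int      # identification; groups the fragments of one datagram
    proto: int      # upper-layer protocol number (6 = TCP)
    offset: int     # Fragment Offset in 8-octet units, as carried in the header
    more: bool      # More Fragments flag
    payload: bytes


@dataclass
class _Pending:
    chunks: Dict[int, bytes] = field(default_factory=dict)  # byte start -> payload
    total: Optional[int] = None                             # known once last fragment seen


class Reassembler:
    def __init__(self):
        self._pending = {}       # ident -> _Pending
        self._poisoned = set()   # idents whose datagram was discarded

    @staticmethod
    def rfc1858_reason(f: Fragment) -> Optional[str]:
        """RFC 1858 filters for TCP: tiny first fragment (direct method) and
        Fragment Offset 1 (indirect method), which can only serve to overwrite
        the flags of the first fragment."""
        if f.proto != TCP:
            return None
        if f.offset == 0 and len(f.payload) < TCP_MIN_FIRST_FRAGMENT:
            return "rfc1858-tiny-first-fragment"
        if f.offset == 1:
            return "rfc1858-fragment-offset-1"
        return None

    def add(self, f: Fragment) -> Tuple[str, object]:
        """Feed one fragment.  Returns ("drop", reason), ("pending", None) or
        ("done", reassembled_payload)."""
        if f.ident in self._poisoned:
            return ("drop", "datagram-already-discarded")
        reason = self.rfc1858_reason(f)
        if reason:
            return self._discard(f.ident, reason)

        start, end = f.offset * 8, f.offset * 8 + len(f.payload)
        p = self._pending.setdefault(f.ident, _Pending())

        # RFC 5722 rule: any overlap with a fragment already held abandons the
        # whole datagram, including fragments not yet received (see _poisoned).
        # An exact duplicate is tolerated, as RFC 8200 section 4.5 allows.
        for s, chunk in p.chunks.items():
            if s == start and chunk == f.payload:
                return ("pending", None)
            if start < s + len(chunk) and s < end:
                return self._discard(f.ident, "rfc5722-overlapping-fragment")

        if not f.more:
            if p.total is not None and p.total != end:
                return self._discard(f.ident, "conflicting-last-fragment")
            p.total = end
        elif p.total is not None and end > p.total:
            return self._discard(f.ident, "fragment-beyond-datagram-end")
        p.chunks[start] = f.payload
        return self._finish_if_complete(f.ident, p)

    def _discard(self, ident: int, reason: str):
        self._pending.pop(ident, None)
        self._poisoned.add(ident)
        return ("drop", reason)

    def _finish_if_complete(self, ident: int, p: _Pending):
        if p.total is None:
            return ("pending", None)
        pos, out = 0, bytearray()
        for s in sorted(p.chunks):
            if s != pos:
                return ("pending", None)   # a hole remains
            out += p.chunks[s]
            pos = s + len(p.chunks[s])
        if pos != p.total:
            return ("pending", None)
        del self._pending[ident]
        return ("done", bytes(out))


def demo() -> Dict[str, tuple]:
    """Constructed fragments: one well-formed datagram, one overlap attack,
    one FO=1 fragment, one tiny first fragment and one exact duplicate."""
    r = Reassembler()
    first = bytes(range(24))   # constructed: 20 octets of TCP header + 4 of data
    tail = b"B" * 8
    out = {}
    # 1. well-formed: offsets 0 and 3 (3 * 8 = 24) tile [0, 32) exactly
    r.add(Fragment(ident=1, proto=TCP, offset=0, more=True, payload=first))
    out["benign"] = r.add(Fragment(ident=1, proto=TCP, offset=3, more=False, payload=tail))
    # 2. overlap: second fragment starts at octet 16 and would rewrite 16..23
    r.add(Fragment(ident=2, proto=TCP, offset=0, more=True, payload=first))
    out["overlap"] = r.add(Fragment(ident=2, proto=TCP, offset=2, more=False, payload=b"X" * 16))
    # 2b. a late fragment of the discarded datagram is dropped as well
    out["late"] = r.add(Fragment(ident=2, proto=TCP, offset=4, more=False, payload=tail))
    # 3. RFC 1858 indirect method: Fragment Offset 1
    out["fo1"] = r.add(Fragment(ident=3, proto=TCP, offset=1, more=False, payload=tail))
    # 4. RFC 1858 direct method: first fragment too short to carry the flags
    out["tiny"] = r.add(Fragment(ident=4, proto=TCP, offset=0, more=True, payload=b"A" * 8))
    # 5. exact duplicate of a held fragment is not an overlap
    r.add(Fragment(ident=5, proto=TCP, offset=0, more=True, payload=first))
    out["dup"] = r.add(Fragment(ident=5, proto=TCP, offset=0, more=True, payload=first))
    return out
```

Running demo() shows the benign datagram reassembling to the 32 octets that were sent and every other case being dropped with its reason. The "late" case is the part that matters for a tunnel endpoint: once an overlap has been seen, later fragments with the same identification are discarded too, so an attacker cannot get a partial datagram through by splitting the attack across the discard.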