Re: draft-bonica-6man-frag-deprecate

Mark Andrews <marka@isc.org> Thu, 27 June 2013 23:31 UTC

To: Tony Hain <alh-ietf@tndh.net>
From: Mark Andrews <marka@isc.org>
References: <2CF4CB03E2AA464BA0982EC92A02CE2509F85151@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C32FA9.1090207@gmail.com> <2CF4CB03E2AA464BA0982EC92A02CE2509F85F38@BY2PRD0512MB653.namprd05.prod.outlook.com> <20130624204008.GB3647@virgo.local> <20130624205226.GC3647@virgo.local> <2CF4CB03E2AA464BA0982EC92A02CE2509F8761C@BY2PRD0512MB653.namprd05.prod.outlook.com> <51C902DC.9000408@gmail.com> <m24ncmaozs.wl%randy@psg.com> <2EA20F89-02F5-4D06-90EE-A7D2974045A3@employees.org> <m2li5yj7u3.wl%randy@psg.com> <8C48B86A895913448548E6D15DA7553B9268E3@xmb-rcd-x09.cisco.com> <m2ehbpij86.wl%randy@psg.com> <51CB91E4.5090603@gmail.com> <CADoTVZLe=dm+JhMSAxFiAYpUMG=T-cUFdtkdHtmzmebG9=Dujw@mail.gmail.com> <2134F8430051B64F815C691A62D983180AECDE@XCH-BLV-504.nw.nos.boeing.com> <CADoTVZLEKt1FdB+UadvAM6AeVZ3Weacm+0o74F9aYqxmrisBqg@mail.gmail.com> <00de01ce7385$15428a50$3fc79ef0$@tndh.net>
Subject: Re: draft-bonica-6man-frag-deprecate
In-reply-to: Your message of "Thu, 27 Jun 2013 15:24:26 -0700." <00de01ce7385$15428a50$3fc79ef0$@tndh.net>
Date: Fri, 28 Jun 2013 09:31:30 +1000
Message-Id: <20130627233130.345EB36613EA@drugs.dv.isc.org>
Cc: ipv6@ietf.org

In message <00de01ce7385$15428a50$3fc79ef0$@tndh.net>, "Tony Hain" writes:
> Antonios Atlasis wrote:
> ...
> > Again, generally speaking (and not just for SEAL) RFC 5722 "allows"
> > the abuse of its recommended policy for launching DoS attacks (a
> > single overlapping fragment will result in discarding a whole
> > datagram). On the contrary, if only the overlapping fragment is
> > discarded, at least DoS will be slightly more difficult.
>
> DoS is more difficult, but packet hijack is easier. All an attacker needs
> to do is inject a set of fragments before the next one from the source to
> cause it to appear to be an overlap and rejected. Once the attacker can get
> the real fragments rejected as overlaps, the rest of the packet is filled
> with bogus attack fragments. Wouldn't it have been better to drop the whole
> datagram? DoS is a problem, but undetected malicious data is worse.

Then add a cryptographic checksum of the original packet when fragmenting.
48 bits in an HBH should be enough.

> Tony
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
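The trade-off Tony Hain describes and the check Mark Andrews proposes, as an added example that is not part of the thread. It is a toy model of fragment reassembly, not a real IPv6 Fragment header parser: a fragment is just an (offset, data) pair, the attacker is assumed to already know the source, destination, Identification and offsets, and the attacker's fragments are assumed to arrive ahead of the legitimate ones. The 48-bit value is a truncated SHA-256 over the original datagram, stood in for the "cryptographic checksum" Mark mentions; the example assumes that value reaches the receiver unmodified (for instance carried in a fragment the attacker did not replace), which is an assumption of the example, not a claim from the thread.

```python
"""Toy model of IPv6 fragment reassembly under two overlap policies.

Constructed example: simplified fragment format, fixed attacker model
(attacker fragments arrive first). Not code from the thread or from any
implementation of RFC 5722.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frag:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes


def overlaps(a: Frag, b: Frag) -> bool:
    """True if the two byte ranges share at least one byte."""
    return a.offset < b.offset + len(b.data) and b.offset < a.offset + len(a.data)


def _assemble(frags, total_len):
    """Lay accepted fragments into a buffer; None if any byte is uncovered."""
    buf = bytearray(total_len)
    covered = bytearray(total_len)
    for f in frags:
        buf[f.offset:f.offset + len(f.data)] = f.data
        for i in range(f.offset, f.offset + len(f.data)):
            covered[i] = 1
    return bytes(buf) if all(covered) else None


def reassemble_rfc5722(frags, total_len):
    """RFC 5722 policy: one overlapping fragment discards the whole datagram."""
    accepted = []
    for f in frags:
        if any(overlaps(f, g) for g in accepted):
            return None          # entire datagram dropped (the DoS case)
        accepted.append(f)
    return _assemble(accepted, total_len)


def reassemble_drop_overlap_only(frags, total_len):
    """Alternative policy from the thread: drop only the later overlapping
    fragment and keep whatever arrived first."""
    accepted = []
    for f in frags:
        if any(overlaps(f, g) for g in accepted):
            continue             # only this fragment is dropped
        accepted.append(f)
    return _assemble(accepted, total_len)


def fragment(payload: bytes, size: int):
    """Split a datagram into fixed-size pieces (last one may be shorter)."""
    return [Frag(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def check48(payload: bytes) -> bytes:
    """48-bit check value over the original datagram (truncated SHA-256).
    Stand-in for the HBH checksum proposed in the thread; assumed here to
    be computed by the sender over the unfragmented datagram."""
    return hashlib.sha256(payload).digest()[:6]


# Constructed scenario: a small HTTP request fragmented into 16-byte pieces.
ORIGINAL = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
FRAG_SIZE = 16
LEGIT = fragment(ORIGINAL, FRAG_SIZE)
# Attacker keeps the first fragment (it carries the sender's check value in
# this model) and substitutes its own data for every later fragment.
BOGUS = ORIGINAL[:FRAG_SIZE] + b"X" * (len(ORIGINAL) - FRAG_SIZE)
ATTACKER = fragment(BOGUS, FRAG_SIZE)[1:]


def run_scenario():
    """Attacker fragments arrive before the legitimate tail of the datagram.
    Returns what each policy hands to the upper layer and whether the
    48-bit check accepts the drop-overlap-only result."""
    arrival = [LEGIT[0]] + ATTACKER + LEGIT[1:]
    total = len(ORIGINAL)
    sender_tag = check48(ORIGINAL)
    rfc5722 = reassemble_rfc5722(arrival, total)
    lenient = reassemble_drop_overlap_only(arrival, total)
    return {
        "rfc5722": rfc5722,                  # None: whole datagram discarded
        "drop_overlap_only": lenient,        # attacker-controlled bytes win
        "lenient_passes_check": lenient is not None and check48(lenient) == sender_tag,
    }


if __name__ == "__main__":
    r = run_scenario()
    print("RFC 5722 result:", r["rfc5722"])
    print("drop-overlap-only result:", r["drop_overlap_only"])
    print("48-bit check accepts it:", r["lenient_passes_check"])
```

With an honest arrival order both policies return the original datagram. With the attacker's fragments arriving first, the RFC 5722 policy returns None (the datagram is lost) while the drop-overlap-only policy returns the attacker's bytes with the legitimate fragments silently dropped as "overlaps"; the 48-bit check over the original datagram rejects that result, which is the detection Mark's reply is aiming at, under this example's assumption that the check value itself was not replaced.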