Re: AD Evaluation: draft-ietf-6man-predictable-fragment-id
Fernando Gont <fgont@si6networks.com> Sat, 22 August 2015 02:06 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8D521A009C; Fri, 21 Aug 2015 19:06:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwIGdtX-lkNF; Fri, 21 Aug 2015 19:06:40 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [37.72.100.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D0C91A009B; Fri, 21 Aug 2015 19:06:38 -0700 (PDT)
Received: from [181.29.22.25] (helo=[192.168.89.184]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZSyBQ-0006GO-2n; Sat, 22 Aug 2015 04:05:25 +0200
Message-ID: <55D7D577.3010301@si6networks.com>
Date: Sat, 22 Aug 2015 03:50:47 +0200
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Brian Haberman <brian@innovationslab.net>, draft-ietf-6man-predictable-fragment-id@ietf.org, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: AD Evaluation: draft-ietf-6man-predictable-fragment-id
References: <55D76AFD.2070000@innovationslab.net>
In-Reply-To: <55D76AFD.2070000@innovationslab.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/00iK3vCt6mjpMM4dsi-3Lz0dwqo>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Aug 2015 02:06:43 -0000
Hi, Brian,
Thanks so much for your feedback! -- Please find my responses in-line....
On 08/21/2015 08:16 PM, Brian Haberman wrote:
> I have completed my AD evaluation of this draft as a part of the
> publication process. I only have two comments/questions on this draft.
> Once those are resolved, it can move along in the publication process.
>
> * Section 4 says the following:
>
> As a result, at least during the IPv6/IPv4 transition/co-existence
> phase, it is probably safer to assume that only the low-order 16 bits
> of the IPv6 Fragment Identification are of use to the destination
> system.
>
> I think that statement is making an ill-advised generalization. The
> above is true if one is looking at an atomic fragment. However, even if
> we are talking about a transition/co-existence phase, there will still
> be significant amounts of fragmented traffic between IPv6 nodes where
> the full 32 bits of the fragment id are useful. What was the rationale
> for the above generalization?
The rationale is that, since you don't really know whether the remote
endpoint is really an IPv6 node or an IPv4 node behind a translator, the
only safe bet is to assume the worst ("it is a v4 node behind a
translator, and hence only the low order 16 bits are meaningful").
> * Section 5.3's discussion of a hash-based id generation scheme says
> this in the drawbacks:
>
> o Since the Fragment Identification values are predictable by the
> destination host...
>
> How are the ID values predicted by the destination host? The source is
> using secret values that presumably are not shared with the destination.
> So how does this prediction work?
These Frag ID values are predictable because the hash-based approach
leads to a monotonically-increasing sequence (e.g., 1, 2, 3, 4) then
it's easy to predict the sequence *by the destination host*. Of course,
such sequence is not predictable by an off-path attacker.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- AD Evaluation: draft-ietf-6man-predictable-fragme… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont