RE: I-D Action: draft-ietf-6man-ipv6-atomic-fragments-01.txt
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 14 August 2012 14:14 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94F5621F86EE; Tue, 14 Aug 2012 07:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.367
X-Spam-Level:
X-Spam-Status: No, score=-10.367 tagged_above=-999 required=5 tests=[AWL=0.232, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yIX709Ss7ZNf; Tue, 14 Aug 2012 07:14:14 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 79B3421F86E4; Tue, 14 Aug 2012 07:14:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=evyncke@cisco.com; l=3712; q=dns/txt; s=iport; t=1344953654; x=1346163254; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=3Zo+KJz1J8KuLklYaNIU0ABBZSgtqdSBBqUGFIJzmrA=; b=FhZLvrS/DplTATxxZdO6vWpAc6a4tV+v9ExkFB006O1a82QG4WtHqn2c uIGSRs4v8gZliFc8lX1/fuBL0FQdbK2xSTI3HCVZHMC4yfX7U+F7eDyhK b4dmD4ufHzSdFmxOVZ6VJace6m2rAJkQ5zxXLY6Ku4KPna+zrcGZ2eclb I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAO1bKlCtJV2a/2dsb2JhbABEuhCBB4IgAQEBBAEBAQ8BWwsMBAIBCBEEAQELHQcnCxQJCAIEAQ0FCAEZh2sLmCmgfosFhVFgA4gZjkaNFoFmgl+BWCM
X-IronPort-AV: E=Sophos;i="4.77,766,1336348800"; d="scan'208";a="111433678"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-6.cisco.com with ESMTP; 14 Aug 2012 14:14:14 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q7EEED1f029535 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 14:14:13 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.72]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 09:14:13 -0500
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "internet-drafts@ietf.org" <internet-drafts@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Subject: RE: I-D Action: draft-ietf-6man-ipv6-atomic-fragments-01.txt
Thread-Topic: I-D Action: draft-ietf-6man-ipv6-atomic-fragments-01.txt
Thread-Index: AQHNduSITSOnCBL6rUikafVYIuM39ZdZW8KA
Date: Tue, 14 Aug 2012 14:14:13 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E10C4748@xmb-aln-x02.cisco.com>
References: <20120810103916.17649.29017.idtracker@ietfa.amsl.com>
In-Reply-To: <20120810103916.17649.29017.idtracker@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.185.71]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.005
x-tm-as-result: No--44.149500-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 14:14:15 -0000
Hello Fernando, A couple of quick comments: - section 2: I would love to have data to back the point of 'Many implementations fail to perform validation checks on the received ICMPv6 error messages' (such as adding a reference to your appendix) - section 3: it would be nice to add some text about the case where a packet is duplicated by the network (could occur in rare circumstances) and one copy is fragmented (not an atomic fragment) and the other copy is not (atomic fragment) because of different path - section 3: not sure what is meant by 'FH should (no uppercase?) be removed by the receiving host', on the contrary, I would prefer to keep the FH in the packet (some apps may need it) but immediately deliver the full packet to the upper layer - section 3: it would be nice if some explanations were given why a host receiving such an atomic fragment should not discard the matching real fragments... I tend to believe that upper layer (TCP notably) will reject the second one if the sequence number match May I also suggest to integrate this I-D into the more generic draft-gont-6man-predictable-fragment-id ? It will make the task of implementers easier if both I-D are merged. Hope it helps Regards -éric > -----Original Message----- > From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of > internet-drafts@ietf.org > Sent: vendredi 10 août 2012 12:39 > To: i-d-announce@ietf.org > Cc: ipv6@ietf.org > Subject: I-D Action: draft-ietf-6man-ipv6-atomic-fragments-01.txt > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the IPv6 Maintenance Working Group of the > IETF. > > Title : Processing of IPv6 "atomic" fragments > Author(s) : Fernando Gont > Filename : draft-ietf-6man-ipv6-atomic-fragments-01.txt > Pages : 13 > Date : 2012-08-10 > > Abstract: > The IPv6 specification allows packets to contain a Fragment Header > without the packet being actually fragmented into multiple pieces. > Such packets typically result from hosts that have received an ICMPv6 > "Packet Too Big" error message that advertises a "Next-Hop MTU" > smaller than 1280 bytes, and are currently processed by some > implementations as "fragmented traffic". Thus, by forging ICMPv6 > "Packet Too Big" error messages an attacker can cause hosts to employ > "atomic fragments", and then launch any fragmentation-based attacks > against such traffic. This document discusses the generation of the > aforementioned "atomic fragments", the corresponding security > implications, and formally updates RFC 2460 and RFC 5722 such that > fragmentation-based attack vectors against traffic employing "atomic > fragments" are completely eliminated. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-6man-ipv6-atomic-fragments > > There's also a htmlized version available at: > http://tools.ietf.org/html/draft-ietf-6man-ipv6-atomic-fragments-01 > > A diff from the previous version is available at: > http://www.ietf.org/rfcdiff?url2=draft-ietf-6man-ipv6-atomic-fragments-01 > > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- I-D Action: draft-ietf-6man-ipv6-atomic-fragments… internet-drafts
- RE: I-D Action: draft-ietf-6man-ipv6-atomic-fragm… Eric Vyncke (evyncke)
- Re: I-D Action: draft-ietf-6man-ipv6-atomic-fragm… Fernando Gont