RE: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation
"Liushucheng (Will)" <liushucheng@huawei.com> Wed, 20 January 2016 07:27 UTC
Return-Path: <liushucheng@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BFF31A873C for <ipv6@ietfa.amsl.com>; Tue, 19 Jan 2016 23:27:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.601
X-Spam-Level:
X-Spam-Status: No, score=-3.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BfGDsH6PmuTE for <ipv6@ietfa.amsl.com>; Tue, 19 Jan 2016 23:27:43 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 194A91A8740 for <ipv6@ietf.org>; Tue, 19 Jan 2016 23:27:41 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml402-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CHD15500; Wed, 20 Jan 2016 07:27:39 +0000 (GMT)
Received: from lhreml704-cah.china.huawei.com (10.201.5.130) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 20 Jan 2016 07:27:38 +0000
Received: from SZXEMA412-HUB.china.huawei.com (10.82.72.71) by lhreml704-cah.china.huawei.com (10.201.5.130) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 20 Jan 2016 07:27:37 +0000
Received: from SZXEMA509-MBS.china.huawei.com ([169.254.2.243]) by SZXEMA412-HUB.china.huawei.com ([10.82.72.71]) with mapi id 14.03.0235.001; Wed, 20 Jan 2016 15:27:33 +0800
From: "Liushucheng (Will)" <liushucheng@huawei.com>
To: Tina Tsou <tina.tsou.stds.os@gmail.com>, Fernando Gont <fgont@si6networks.com>
Subject: RE: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation
Thread-Topic: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation
Thread-Index: AQHRNxa4EHl4eocyV0SccTcC9MUYMJ7rL50AgAIqqQCAAOSDgIABbYMAgAd0swCADRhcAA==
Date: Wed, 20 Jan 2016 07:27:33 +0000
Message-ID: <C9B5F12337F6F841B35C404CF0554ACB89666E9C@SZXEMA509-MBS.china.huawei.com>
References: <7BEE06A2-0F6E-493F-B2C6-68DAB3774FD5@gmail.com> <D2B06309.6375D%evyncke@cisco.com> <568C775C.2030300@si6networks.com> <D2B2F41A.63BAC%evyncke@cisco.com> <568E69AA.2090100@si6networks.com> <CAHZxSZiviri=p=6WVQSO9GJoatCyomH+N1atqmO2ZgP82poVVg@mail.gmail.com>
In-Reply-To: <CAHZxSZiviri=p=6WVQSO9GJoatCyomH+N1atqmO2ZgP82poVVg@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.78.84]
Content-Type: multipart/alternative; boundary="_000_C9B5F12337F6F841B35C404CF0554ACB89666E9CSZXEMA509MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.569F36EB.0109, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.2.243, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2094197c4705d1ea19ae1ca744cb09c4
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/4u9d6FR9uyEEfdxrPYxRVv9jv4I>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 07:27:46 -0000
Hi Tina, Thanks for your comments. Yes, a number of folks have noted this on the list and off-list. We will put a bit more stress on it in the draft. Regards, Will (Shucheng LIU) From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Tina Tsou Sent: Tuesday, January 12, 2016 3:27 PM To: Fernando Gont Cc: IPv6 List; Bob Hinden Subject: Re: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation Dear all, I support publication of this document. Suggestion: Please note earlier in this document that many popular OS do not support the functionality being deprecated. That is, the aforementioned functionality was never widely supported. Thank you, Tina On Thursday, January 7, 2016, Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com>> wrote: Hi, Eric, On 01/06/2016 12:47 PM, Eric Vyncke (evyncke) wrote: > Fernand (and Bob), > > First thanks for your replies. > ( > About PTB > 1280: I have to read RFC2460bis, but, the 'old' RFC 2460 > states that when the path MTU for one destination is smaller than the > physical MTU, then either fragmentation (bad) or application (preferred) > must adapt. That can't be possible. If it was, Path-MTU Discovery would be impossible: You *always* send packets smaller than the physical MTU. Then PMTU operates between min(IP_MIN_MTU) and min (Physical_MTU, Path-MTU). (where IP_MIN_MTU is 68 for IPv4 and 1280 for IPv6). When you employ a protocol that can segment data (TCP, SCTP, etc) you never fall back to fragmentation (that's the whole point of doing Path-MTU Discovery). You just keep segmenting the app data at the transport layer at appropriate chunk sizes. In IPv4, you never reduce past 68 bytes. In IPv6, you never reduce past 1280 bytes. However, RFC2460 supported a corner case where if you were to receive an ICMPv6 PTB < 1280, you'd not reduce the size of your data chunk, but just start sending atomic fragments. draft-ietf-6man-deprecate-atomfrag-generation discusses why this is not a good idea. But the short version of the answer is that you don't want to employ fragmentation unless you really have to. Hence, generating atomic fragments doesn't make much sense. > To be honest, I do not have any data backing how > hosts/applications react in that case. If hosts commonly do fragmentation > because app is ignorant of the MTU, then the attack is also possible on > non atomic fragment. When an app employs TCP+PMTUD or the like, they would never employ fragmentation, modulo this corner case. > Then, we agree on the fact that fragmentation should really be discouraged > for security and performance reasons :-) And we are also in 'violent' > agreement on the fact that this is really not secure to allow any node to > reduce the MTU between two other parties... OTOH not an easy problem to > fix. This case is actually quite worse, because you're not simply reducing the MTU between two nodes, but also triggering fragmentation. IN IPv6, since the minimum MTU is quite large (1280 bytes), an attacker that reduces the MTU between two node just causes a performance penalty (kind of small if the real PMTU was e.g. 1500 bytes). BUt an attacker that can trigger the use of fragmentation opens the door to a number of fragmentation-based attacks... and, because of the widespread filtering of IPv6 fragments, at times just triggering fragmentation already results in a DoS scenario. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com<javascript:;> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org<javascript:;> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- 6MAN WG Last Call - draft-ietf-6man-deprecate-ato… Bob Hinden
- RE: 6MAN WG Last Call - draft-ietf-6man-deprecate… Templin, Fred L
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… nalini.elkins
- RE: 6MAN WG Last Call - draft-ietf-6man-deprecate… Templin, Fred L
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… nalini.elkins
- RE: 6MAN WG Last Call - draft-ietf-6man-deprecate… Templin, Fred L
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… nalini.elkins
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Eric Vyncke (evyncke)
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Bob Hinden
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Fernando Gont
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Fernando Gont
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Eric Vyncke (evyncke)
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Fernando Gont
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Qiong
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Xing Li
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Congxiao Bao
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Tina Tsou
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Alberto Leiva
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… 神明達哉
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Fernando Gont
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… 神明達哉
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Bob Hinden
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Fernando Gont
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Fernando Gont
- Re: 6MAN WG Last Call - draft-ietf-6man-deprecate… Bob Hinden
- RE: 6MAN WG Last Call - draft-ietf-6man-deprecate… Liushucheng (Will)
- RE: 6MAN WG Last Call - draft-ietf-6man-deprecate… Liushucheng (Will)