Re: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments

Mark Smith <markzzzsmith@gmail.com> Fri, 19 November 2021 17:06 UTC

References: <01510cc3c19b4b4b8cef41357c975fd9@boeing.com> <CAO42Z2zitj2mOzj80G_SUfukg551A64n9HnOcC2-ukCta4Ohaw@mail.gmail.com> <986ef062d3874a3caf9fbf19dbf55350@boeing.com>
In-Reply-To: <986ef062d3874a3caf9fbf19dbf55350@boeing.com>
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sat, 20 Nov 2021 04:06:33 +1100
Message-ID: <CAO42Z2zfOyd+ApLM4zAKx0Jg8hpSnVVWubC_kJ+cnBOsLQk1zQ@mail.gmail.com>
Subject: Re: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments
To: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
Cc: Nick Hilliard <nick@foobar.org>, IPv6 List <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/6Lw5o1Bz1a577cmJBjG9I2wOl_k>

On Sat, 20 Nov 2021, 03:18 Templin (US), Fred L, <Fred.L.Templin@boeing.com> wrote:

> I am sorry Mark, but this is not AH – the AERO/OMNI identification
> mechanism is modeled after the way TCP peers negotiate sequence number
> windows, with the expectation that the peers may renegotiate sequence
> numbers frequently to keep the attack surface unpredictable. Please do
> not make blanket statements without reading documents.
>

Did you look up the AH spec? See section 2.5 Sequence Number.

As I said before, your description of replay protection is describing one
of the features of AH.

If you add that functionality to Jumbogram EHs, you are reinventing it
needlessly.

Combine AH EH with JG EH and you've got your jumbo packets with replay
protection.

You're not inventing anything new. The functionality to protect against
packet replaying already exists in AH (and ESP).

Regards,
Mark.


>
> Fred
>
> *From:* Mark Smith [mailto:markzzzsmith@gmail.com]
> *Sent:* Friday, November 19, 2021 7:53 AM
> *To:* Templin (US), Fred L <Fred.L.Templin@boeing.com>
> *Cc:* Nick Hilliard <nick@foobar.org>; IPv6 List <ipv6@ietf.org>
> *Subject:* [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments
>
> On Sat, 20 Nov 2021, 02:32 Templin (US), Fred L, <Fred.L.Templin@boeing.com> wrote:
>
> Thanks Mark, but I don’t want AH; I want AERO/OMNI. I want the
> Identifications to serve the dual purpose of supporting the
> fragmentation/reassembly process and providing an in-window value that
> recipients can use to detect spurious packets. And, I want the same
> mechanism used for packets of all sizes, up to and including jumbos.
>
> AH + JG
>
> Done. No reinventing wheels.
>
> Fred
>
> *From:* Mark Smith [mailto:markzzzsmith@gmail.com]
> *Sent:* Thursday, November 18, 2021 4:11 PM
> *To:* Templin (US), Fred L <Fred.L.Templin@boeing.com>
> *Cc:* Nick Hilliard <nick@foobar.org>; IPv6 List <ipv6@ietf.org>
> *Subject:* Re: Transmission of IPv6 Jumbograms as Atomic Fragments
>
> On Fri, 19 Nov 2021, 07:12 Templin (US), Fred L, <Fred.L.Templin@boeing.com> wrote:
>
> Nick,
>
> > Do you have a use case in mind for the ID field?
>
> Thank you for this timely question. I just got done posting a major update
> to the draft, which now is titled: "IPv6 Packet Identification" and
> considers all forms of IPv6 packets and not just Jumbograms. In answer to
> your question here is the new Section 2 text from the draft (link provided
> below):
>
> "2.  IPv6 Packet Identification
>
>    When IPv6 sources and destinations have some way of maintaining
>    "windows" of acceptable Identification values, the destination may be
>    able to examine received packet Identifications to determine whether
>    they likely originated from the source.
>
> This seems to be describing the sequence number verification used in IPsec
> AH per RFC 4302.
>
> It may be worth either just using AH as is, and getting all of its other
> benefits, or look at creating a simplified version of it rather than
> modifying the jumbogram EH to start duplicating existing AH functionality.
>
> According to RFC 4302 there are a range of reserved SPI values (1 through
> 255), you could use one of those to indicate a lightweight version of AH
> that just does packet identification, avoiding the need to set up Security
> Associations with IKE.
>
> Regards,
>
> Mark.
>
>    The AERO [I-D.templin-6man-aero] and OMNI [I-D.templin-6man-omni]
>    specifications discuss methods for maintaining windows of
>    unpredictable values that may reduce attack profiles in some
>    environments."
>
> Thanks, and here is the draft URL:
>
> https://datatracker.ietf.org/doc/draft-templin-6man-jumbofrag/
>
> Fred
>
> > -----Original Message-----
> > From: Nick Hilliard [mailto:nick@foobar.org]
> > Sent: Thursday, November 18, 2021 9:16 AM
> > To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
> > Cc: IPv6 List <ipv6@ietf.org>
> > Subject: Re: Transmission of IPv6 Jumbograms as Atomic Fragments
> >
> > Templin (US), Fred L wrote on 18/11/2021 15:23:
> > > Bob, what I want is exactly the Identification field that is found in
> > > the Fragment Header while simply leaving the rest of the fields of
> > > that header set to 0
> >
> > Do you have a use case in mind for the ID field?
> >
> > Nick
>
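The RFC 4302 sequence-number verification that Mark's reply points to (section 2.5, with the receiver-side window check in section 3.4.3), as an added example that is not part of this thread, of the AERO/OMNI or jumbofrag drafts, or of any IPsec stack: a sliding anti-replay window fed a constructed arrival order that includes a replay, a reordering and a packet that has fallen out of the window. The 64-packet window size, the bitmap layout and the sample sequence are this example's own assumptions.

```python
# Constructed illustration of the anti-replay window that RFC 4302 (AH)
# section 3.4.3 describes; not code from the thread, the jumbofrag draft,
# or any IPsec implementation.

AH_SEQ_MAX = 0xFFFFFFFF          # AH sequence numbers are 32-bit


class AntiReplayWindow:
    """Bitmap over the most recently accepted sequence numbers: `top` is the
    highest accepted so far, bit i of `bitmap` means (top - i) was accepted."""

    def __init__(self, size=64):
        if size < 32:                # RFC 4302: receivers MUST support >= 32
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq):
        """Return True and record seq if it is fresh and inside the window.
        RFC 4302 updates the window only after the ICV verifies; this example
        assumes that check has already passed for every packet."""
        if seq < 1 or seq > AH_SEQ_MAX:
            return False             # 0 is never a valid AH sequence number
        if seq > self.top:           # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1      # every earlier packet fell out of the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False             # left of the window: too old, drop
        if (self.bitmap >> offset) & 1:
            return False             # already accepted once: replay, drop
        self.bitmap |= 1 << offset   # in window and fresh: record it
        return True


def classify(seqs, size=64):
    """Feed a stream of sequence numbers through one window; list verdicts."""
    window = AntiReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in seqs]

# Constructed arrival order: in-order, a replay (3), reordering (5 then 4),
# a jump to 100, then 36 which the jump pushed out of the 64-packet window.
SAMPLE_ARRIVALS = [1, 2, 3, 3, 5, 4, 100, 36, 37, 99, 101]
```

Run `classify(SAMPLE_ARRIVALS)` to see which arrivals a receiver keeping this window would accept; the replayed 3 and the stale 36 are the two drops.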