IETF Logo Mail Archive

Re: 6MAN WG Last Call: draft-ietf-6man-predictable-fragment-id-01

Fernando Gont <fgont@si6networks.com> Tue, 09 December 2014 08:56 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E15DA1A6F6F for <ipv6@ietfa.amsl.com>; Tue, 9 Dec 2014 00:56:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8StFAc0FfWJ for <ipv6@ietfa.amsl.com>; Tue, 9 Dec 2014 00:56:25 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 828501A6F59 for <ipv6@ietf.org>; Tue, 9 Dec 2014 00:56:25 -0800 (PST)
Received: from cl-1071.udi-01.br.sixxs.net ([2001:1291:200:42e::2]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <fgont@si6networks.com>) id 1XyGae-00069c-HK; Tue, 09 Dec 2014 09:56:16 +0100
Message-ID: <5486B2E1.4050507@si6networks.com>
Date: Tue, 09 Dec 2014 05:29:21 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Ole Troan <otroan@employees.org>, 6man WG <ipv6@ietf.org>
Subject: Re: 6MAN WG Last Call: draft-ietf-6man-predictable-fragment-id-01
References: <CC2EE99E-475C-4DB5-9E7F-ED00B4D48561@employees.org> <86F24DAC-C017-4D09-9431-0C33134B55C2@employees.org>
In-Reply-To: <86F24DAC-C017-4D09-9431-0C33134B55C2@employees.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/ACwyr_5DI53kG3AQ5yBOs8OlVQ8
Cc: 6man Chairs <6man-chairs@tools.ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Dec 2014 08:56:29 -0000

Hi, Ole,

On 12/08/2014 03:16 PM, Ole Troan wrote:
> <nohat>
> 
> let me offer a contrarian view. I don't think we should publish this 
> document. why? because I don't think it is worth the effort required 
> by the community. I think we've pushed the needle too far in 
> publishing 'micro updates'.

FWIW, this document does three things:

* Requiring that the IP ID be unpredictable
* Providing guidance to achieve that
* Document the implications of predictable fragment IDs

At this point, I'd argue that most of the work has been done --
including getting reviews from folks from other communities that have
been dealing with issues associated with predictable IDs for a long time.



> RFC2460 does not have normative language in how the Identification 
> value should be generated. therefore I see no need to update 
> RFC2460.

That's, actually, one of the reasons for publishing it. The implications
of predictable fragment IDs are, as you'll note in the document itself,
non-trivial.

Similar work has happened elsewhere for other protocols. For example,
RFC6056 for port number randomization or RFC6528 (originally RFC1948)
for TCP sequence numbers.

The price of not doing what needs to be done can be seen in the DNS
spoofing attacks that got widely publicized years ago.

Despite, our previous IPv4 experience, we still have IPv6 stacks
employing predictable fragment IDs. This document has already helped a
few implementations change their IPv6 ID generators, and having a proper
requirement will help to avoid the pain -- which tends to result in way
more effort and damage than getting a document published.



> I think the advice may be useful, I'd be happy to see it in an
> RFC2460 update, or an update to the IPv6 Node requirement document.
> or more generally you could see a document in intarea titled "IP
> protocol fields must not be predictable.".

While I will not rehash this discussion (which we did had at the time),
I should note that !alternative paths" were suggested for
<http://tools.ietf.org/id/draft-gont-6man-slaac-dns-config-issues-00.txt> too,
and we haven't achieved anything in that area. IN this particular case,
there's a concrete an mature document that probably just need a few more
looks and a bit of polishing.

Thanks!

Best regards!
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email