Re: Predictable IP protocol values
"Joel M. Halpern" <jmh@joelhalpern.com> Sat, 28 April 2012 20:27 UTC
Return-Path: <jmh@joelhalpern.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 974E021F8630 for <ipv6@ietfa.amsl.com>; Sat, 28 Apr 2012 13:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.218
X-Spam-Level:
X-Spam-Status: No, score=-102.218 tagged_above=-999 required=5 tests=[AWL=-0.253, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1XLoiVq9a5ft for <ipv6@ietfa.amsl.com>; Sat, 28 Apr 2012 13:27:40 -0700 (PDT)
Received: from morbo.mail.tigertech.net (morbo.mail.tigertech.net [67.131.251.54]) by ietfa.amsl.com (Postfix) with ESMTP id E927921F862B for <ipv6@ietf.org>; Sat, 28 Apr 2012 13:27:39 -0700 (PDT)
Received: from mailc2.tigertech.net (mailc2.tigertech.net [208.80.4.156]) by morbo.tigertech.net (Postfix) with ESMTP id B628FA3A49 for <ipv6@ietf.org>; Sat, 28 Apr 2012 13:27:39 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailc2.tigertech.net (Postfix) with ESMTP id 510801BD1FC8; Sat, 28 Apr 2012 13:27:39 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at c2.tigertech.net
Received: from [10.10.10.100] (pool-71-161-51-182.clppva.btas.verizon.net [71.161.51.182]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailc2.tigertech.net (Postfix) with ESMTPSA id 434CA1BD1FC7; Sat, 28 Apr 2012 13:27:38 -0700 (PDT)
Message-ID: <4F9C52EF.2080401@joelhalpern.com>
Date: Sat, 28 Apr 2012 16:28:31 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20120420 Thunderbird/12.0
MIME-Version: 1.0
To: Ole Trøan <otroan@employees.org>
Subject: Re: Predictable IP protocol values
References: <401EA98A-C229-4ED3-8CBE-3C6CAE5D37B7@gmail.com> <4F87BBD6.8090809@si6networks.com> <5858DFD5-7A62-478E-8F13-B62CB02D3EE7@employees.org> <4F99B5C8.1010108@si6networks.com> <5E6FD71A-0A84-4B20-AF5A-16DCBCD7ED76@employees.org>
In-Reply-To: <5E6FD71A-0A84-4B20-AF5A-16DCBCD7ED76@employees.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: Fernando Gont <fgont@si6networks.com>, "ipv6@ietf.org Mailing List" <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Apr 2012 20:27:40 -0000
It seems to me that the proposed document is a partial fix to a marginal problem. Yes, I take it as given that if I followed the references I wind find descriptions of the attacks. I do see how one could force fragmented packets if one knew that A was talking to B at the current moment. However, it seems to me that in the vast majority of cases, if the attacker knows that A is talking to B, he can probably observe the packets between A and B (and it must be a conversation of many round trips to allow for observation, triggered behavior, and useful attack.) As such, none of the specified solutions would seem to help much. Hence, I am left concluding that the right answer is not to publish any recommendations in this space. Yours, Joel On 4/27/2012 4:21 AM, Ole Trøan wrote: > working group, > > [changed subject] > > in the context of http://tools.ietf.org/html/draft-gont-6man-predictable-fragment-id-02 > any opinion on how to proceed? > > - document covering predictable values in IETF protocols in general > - document predictable IP ID fields in both IPv4 and IPv6 > - fix the predictable fragment ID problem in IPv6 > - do nothing? > > cheers, > Ole > > > On Apr 26, 2012, at 22:53 , Fernando Gont wrote: > >> Hi, Ole, >> >> On 04/26/2012 08:50 AM, Ole Trøan wrote: >>>> I think that draft-gont-6man-predictable-fragment-id is also ready >>>> for wg call for adoption as wg document -- I've rev'ed the >>>> document since IETF 83 in response to the feedback received during >>>> my presentation (i.e., just require the Frag ID to be >>>> unpredictable, without mandating any particular algorithm). >>> >>> the chairs have an action item on taking this to the mailing list. >>> there was an issue that I believe Bob raised, if we were going to >>> have publish RFCs on every field in TCP/IP protocols that should >>> have unpredictable values, or if we should have a generic >>> recommendation applying to protocol design in general. >> >> I believe that a generic document about protocol design that discusses >> this issue would be valuable, such that *new* protocols and protocol >> implementations do not incur into this problem. However, in this >> particular case (Fragment ID), the IPv6 standard itself is suggesting >> to use a counter, and hence the spec should be fixed. >> >> That aside, different fields have different requirements. For example, >> the constraints for randomizing the transport protocol ports are >> different from those of producing unpredictable IDs, and different from >> those of say, randomizing the TCP sequence numbers, or randomizing the >> IPv6 Flow Label. The consequences of the particular approach that you >> follow vary quite a bit in each case. >> >> Thanks, >> -- >> Fernando Gont >> SI6 Networks >> e-mail: fgont@si6networks.com >> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 >> >> >> > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- 6MAN Minutes, Actions, and Document Status Bob Hinden
- Re: 6MAN Minutes, Actions, and Document Status Fernando Gont
- Re: 6MAN Minutes, Actions, and Document Status Ole Trøan
- Re: 6MAN Minutes, Actions, and Document Status Fernando Gont
- Predictable IP protocol values Ole Trøan
- Re: Predictable IP protocol values Fernando Gont
- Re: Predictable IP protocol values Joel M. Halpern
- Re: Predictable IP protocol values Fernando Gont