Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
Bob Hinden <bob.hinden@gmail.com> Tue, 19 May 2015 08:40 UTC
Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFF11A1ADD for <ipv6@ietfa.amsl.com>; Tue, 19 May 2015 01:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YTdQRxBI2qBH for <ipv6@ietfa.amsl.com>; Tue, 19 May 2015 01:40:32 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED7F1A1AD0 for <ipv6@ietf.org>; Tue, 19 May 2015 01:40:31 -0700 (PDT)
Received: by wibt6 with SMTP id t6so12943523wib.0 for <ipv6@ietf.org>; Tue, 19 May 2015 01:40:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=z80vR34vtZRDoArjvICzW+dO6snDsWJnw8pJdjIitiY=; b=f1fF/9GFYwm7yXov9Y4VsitVnKkNl7gwYnmgkebNT3twPZYWbIyrl5Kr2oFLY1V/2Q X1veInxPoaTFLNPvp6Ch7S8PEu4gHpqVly8z+AvZo8LoUqGuybR1e9G9EHWA3g5oCVr+ awAAtblVY1gOTLgZSsLqx43Plu1MWnC4C1G+Gawr8pqRiPx+qy76gWfMgdml4cYVwy45 66fxLA+nNb1De5AThhP9uqYCE6EbNpc9yx0lAvDgctPTUOrMWPdQaprz2JbUb35Yda/L PJbaN+PyXfXyfDD9R87Azg8uqI8fN3vzWztNZBKUvkibN/6D52KRVULB/LtdH5PV7H9S 8UbA==
X-Received: by 10.180.102.74 with SMTP id fm10mr6575368wib.25.1432024830742; Tue, 19 May 2015 01:40:30 -0700 (PDT)
Received: from [172.24.249.34] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id y7sm20670859wjw.16.2015.05.19.01.40.28 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 May 2015 01:40:29 -0700 (PDT)
Subject: Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_2A0149AD-A7AD-45E6-AE83-7E31375109B3"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5b6
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <555AE0AF.5050601@si6networks.com>
Date: Tue, 19 May 2015 11:40:21 +0300
Message-Id: <F1464F80-172F-4F83-B10B-F9738B2B1AB3@gmail.com>
References: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com> <54FCDECD.2040609@si6networks.com> <75C9B430-7D39-4466-AB17-0F3553EC6EB4@gmail.com> <555AE0AF.5050601@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/BVUVYlfMxw_qEmMvOrX957xd26A>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 08:40:35 -0000
Fernando, > On May 19, 2015, at 10:05 AM, Fernando Gont <fgont@si6networks.com> wrote: > > Hi, Bob, > > On 05/18/2015 09:59 AM, Bob Hinden wrote: >> Fernando, >> >> Thanks for making the changes. I note that the latest draft still >> shows Windows 8 incorrectly. > > Oops.. that was the result of an error while editing. Fixed. Thanks! Thanks! > > >>> Thanks so much for your comments! Please find my responses >>> in-line.... >>> >>> On 03/03/2015 09:49 PM, Bob Hinden wrote: >>>> >>>> The biggest issue is if advancing and publishing this draft is >>>> worthwhile. We note that in Appendix B "Survey of Fragment >>>> Identification selection algorithms employed by popular IPv6 >>>> implementationsâ, of the implementation listed, all of the >>>> current ones (FreeBSD 9, Linux-current, OpenBSD-current) show >>>> unpredictable or random. While there are many older obsolete >>>> operating systems that have issues, we arenât going to fix >>>> these by publishing this draft. >>> >>> FWIW, I'd say that a number of OSes (including Linux and Solaris) >>> were fixed as a result of this I-D, indeed (some even reference the >>> I-D in the code or commit messages). The reason why this happened >>> earlier than the I-D became an RFC is that I usually socialize the >>> I-Ds I author/co-author with OS developers. However, there are >>> other OSes that still need to be fixed. And since we're talking >>> about IPv6 (not about IPv4), I'd expect new implementations to >>> appear (the word can't just be a handful of OSes, and I expect IPv6 >>> to live long enough :-) )-- so this document would be of help to >>> them. >> >> It’s great you are reaching out to OS developers. That seems to be >> why it is getting fixed, I am not so sure that publishing an RFC will >> help that much. I do agree there will be new IPv6 implementations. > > It will certainly help in documenting what OSes do, and will certainly > be of help for new implementations, which an learn about the problem of > predictable I-Ds and also find possible approaches to avoid them. > > I agree. > >>>> In Section 2 "Security Implications of Predictable Fragment >>>> Identification valuesâ. The problems listed seem to us to be >>>> overstated. As the draft notes later, the issue with >>>> predictable fragment IDs in IPv6 is only an issue for IPv6 >>>> packets with the fragment header. >>> >>> Yes, but you can trigger fragmentation for any traffic flow (see >>> draft-ietf-6man-deprecate-atomfrag-generation). >> >> >> Yes, if it knows the address of the other side of the connection. >> The attacker would have to be on link, or monitoring the traffic >> between the two hosts. This make this attack much harder in practice >> for an off link attacker. If on link, then there are so many better >> attacks. Hence my comment of the problem being overstated. > > It is trivial to know the IPv6 addresses involved for many scenarios. > e.g. BGP peer to BGP peer, secondary DNS to primary DNS, SMTP server to > SMTP server, etc. That’s my point. It’s trivial only if you know the addresses of both side of the connection. It effects well known nodes. It does not affect the vast majority of hosts on the Internet. Hence, I think the text should accurately describe the risk. I think the current text overstates the problem. You could say something like you did above. Thanks, Bob
- Chairs Review on <draft-ietf-6man-predictable-fra… Bob Hinden
- Re: Chairs Review on <draft-ietf-6man-predictable… Fernando Gont
- Re: Chairs Review on <draft-ietf-6man-predictable… Bob Hinden
- Re: Chairs Review on <draft-ietf-6man-predictable… Fernando Gont
- Re: Chairs Review on <draft-ietf-6man-predictable… Bob Hinden
- Re: Chairs Review on <draft-ietf-6man-predictable… Fernando Gont
- Re: Chairs Review on <draft-ietf-6man-predictable… Bob Hinden
- Re: Chairs Review on <draft-ietf-6man-predictable… Fernando Gont