Re: {Blocked Content} Overlapping fragments in IPv6 and firewalls
Doug Montgomery <dougm@nist.gov> Wed, 30 July 2008 11:28 UTC
Message-ID: <48905073.2060500@nist.gov>
Date: Wed, 30 Jul 2008 07:28:51 -0400
From: Doug Montgomery <dougm@nist.gov>
Organization: http://www.antd.nist.gov/
To: Suresh Krishnan <suresh.krishnan@ericsson.com>
Subject: Re: {Blocked Content} Overlapping fragments in IPv6 and firewalls
References: <487BE16C.4030103@ericsson.com>
In-Reply-To: <487BE16C.4030103@ericsson.com>
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>
Suresh Krishnan wrote:
>
> Hi Folks,
> This draft describes how to use overlapping fragments in IPv6 to
> bypass firewalling restrictions. It recommends disallowing overlapping
> fragments in IPv6.
>
> Thanks
> Suresh

The following two documents provide fairly detailed analysis of this (and other issues) that IPv6 firewalls should consider:

Firewall Design Considerations for IPv6
http://www.nsa.gov/snac/ipv6/I733-041R-2007.pdf

A Filtering Strategy for Mobile IPv6
http://www.nsa.gov/snac/ipv6/I733-040R-2007.pdf

The first document covers other interesting issues with fragments, including the possibility of tunneled fragments being fragmented again ... header option ordering, etc.

As far as specsmanship to "prohibit" overlapping fragments, if the motivation is to change/ensure the behavior of all end nodes, updating 2460 (or some other vehicle) might make sense. If the goal is to affect the behavior of firewalls, what we really need is a firewalls capability spec. As far as I know, firewalls are not required to enforce all aspects of protocol correctness ... nor are they required to follow all aspects of end-to-end protocol specs. So it is questionable if changing 2460 will impact firewall behavior ... unless the firewall community decides on its own that it is a useful/necessary feature to implement. Maybe it would give some leverage that customers could use to lean on FW implementors .... but it would be indirect.
dougm

--
Doug Montgomery, Manager, Internetworking Technologies Research Group
Advanced Network Technologies Division, WWW: http://www.antd.nist.gov/
National Institute of Standards and Technology, Email: dougm@nist.gov
100 Bureau Drive, Voice: +1-301-975-3630
Gaithersburg, MD 20899-8920 USA, Fax: +1-301-975-6238
Key fingerprint = 3BCA EDD0 585D D068 CD46 E578 BD01 92A3 D1B0 04BB
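As an added example (not part of Doug Montgomery's message, the draft he replies to, or the NSA documents he cites), the following Python models the filtering policy the quoted draft recommends: a firewall keeps per-datagram reassembly state and, once any two fragments of the same datagram cover a common byte, discards that datagram and every later fragment of it, rather than trying to pick a "winner" among the overlapping pieces. Offsets are in 8-octet units as in the IPv6 Fragment header; the addresses, Identification values and fragment records are constructed, and the class and function names are my own.

```python
"""Overlap-rejecting IPv6 fragment tracker (added example, constructed data).

Datagram state is keyed by (source, destination, Identification). Each fragment
reports its Fragment Offset (in 8-octet units) and the octet length of the
fragmentable part it carries. Any byte covered by two fragments poisons the
datagram: the overlapping fragment and all later fragments of that datagram are
dropped. Exact duplicates are treated as overlaps as well (a policy choice).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int          # Identification field of the Fragment header
    offset_units: int   # Fragment Offset field, units of 8 octets
    length: int         # octets of fragmentable part carried by this fragment
    more: bool          # M flag: True for all but the last fragment

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:   # exclusive end offset
        return self.start + self.length


@dataclass
class Reassembly:
    pieces: List[Tuple[int, int]] = field(default_factory=list)  # (start, end)
    total_length: Optional[int] = None  # known once the M=0 fragment arrives
    poisoned: bool = False              # set once an overlap has been seen


class FragmentFilter:
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str, int], Reassembly] = {}

    def submit(self, frag: Fragment) -> str:
        """Return a decision string for one fragment: accept:* or drop:*."""
        # Every fragment except the last must carry a multiple of 8 octets,
        # otherwise the offsets of the following fragments cannot line up.
        if frag.more and frag.length % 8 != 0:
            return "drop:malformed"
        key = (frag.src, frag.dst, frag.ident)
        state = self.table.setdefault(key, Reassembly())
        if state.poisoned:
            return "drop:overlap"
        for (s, e) in state.pieces:
            # half-open interval intersection: [start, end) overlaps [s, e)
            if frag.start < e and s < frag.end:
                state.poisoned = True
                return "drop:overlap"
        state.pieces.append((frag.start, frag.end))
        if not frag.more:
            state.total_length = frag.end
        if state.total_length is not None and self._complete(state):
            del self.table[key]           # datagram fully seen, forget it
            return "accept:complete"
        return "accept:pending"

    @staticmethod
    def _complete(state: Reassembly) -> bool:
        """True when the recorded pieces tile [0, total_length) without gaps."""
        covered = 0
        for s, e in sorted(state.pieces):
            if s != covered:
                return False
            covered = e
        return covered == state.total_length


def demo() -> List[str]:
    """Run a clean datagram and an overlapping one through the filter."""
    src, dst = "2001:db8::1", "2001:db8::2"   # constructed addresses
    flt = FragmentFilter()
    decisions = [
        flt.submit(Fragment(src, dst, 7, 0, 16, True)),    # octets 0..15
        flt.submit(Fragment(src, dst, 7, 2, 8, False)),    # octets 16..23, last
        flt.submit(Fragment(src, dst, 9, 0, 16, True)),    # octets 0..15
        flt.submit(Fragment(src, dst, 9, 1, 8, True)),     # octets 8..15: overlap
        flt.submit(Fragment(src, dst, 9, 2, 4, False)),    # later piece, same datagram
    ]
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Because the tracker discards the whole datagram instead of reassembling a preferred copy, the filter and the end host can never disagree about which bytes the upper-layer header contained, which is the property the firewall-bypass technique relies on. A real implementation would also bound the table size and age out stale entries.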