Re: Papers on IPv6 fragmentation
Fernando Gont <fernando@gont.com.ar> Mon, 23 June 2008 03:28 UTC
Date: Mon, 23 Jun 2008 00:18:21 -0300
To: Vishwas Manral <vishwas.ietf@gmail.com>
From: Fernando Gont <fernando@gont.com.ar>
Subject: Re: Papers on IPv6 fragmentation
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>

At 08:22 a.m. 22/06/2008, Vishwas Manral wrote:

>Though this may not be exactly what you are looking for, you may want
>to look at some of the issues we identified a long while back with
>IPv6 Tiny Fragments.
>
>http://tools.ietf.org/html/draft-manral-v6ops-tiny-fragments-issues-02

I had a quick look at your document. Here are some quick and dirty comments:

* Your document talks about specifying a minimum size for non-last fragments. Actually, I think one should be concerned only about the *first* fragment. That's the one that's used to create state at firewalls, etc.

* I don't think imposing such a requirement will, by itself, help to ensure that you have in the first packet all the information you need to apply firewall rules. It would be trivial for an attacker to comply with such a requirement, but still not provide all the relevant information that would be needed by the firewall to apply its rules. The attacker could just add one or several extension headers, with lots of PadN options. Thus, it would comply with your requirement, but still avoid sending e.g. the TCP source and destination ports.

Kind regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
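
The check a filter needs in place of a size threshold, as an added example that is not part of the original message or of the draft it discusses: walk the extension header chain of the first fragment and refuse it when the TCP/UDP ports fall outside it. The names `classify` and `ip6` and both sample packets are constructed for illustration; only Hop-by-Hop, Routing and Destination Options headers are walked, and any other Next Header value (AH and ESP included) is treated as the upper layer.

```python
import struct

EXT_HDRS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: (Next Header, Hdr Ext Len) layout
FRAGMENT, TCP, UDP = 44, 6, 17

def classify(pkt: bytes):
    """Walk the header chain of one IPv6 packet and say whether a filter can see the ports."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("drop", "not an IPv6 packet")
    nh, off = pkt[6], 40                      # Next Header of the fixed header, end of fixed header
    while nh in EXT_HDRS or nh == FRAGMENT:
        if off + 8 > len(pkt):
            return ("drop", "header chain runs past the end of this fragment")
        if nh == FRAGMENT:
            # Fragment Offset is the top 13 bits of the 16-bit field at byte 2 of the header
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return ("defer", "non-first fragment, match against state from the first")
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units
    if nh in (TCP, UDP):
        if off + 4 > len(pkt):
            return ("drop", "ports are not in the first fragment")
        return ("inspect", (nh,) + struct.unpack("!HH", pkt[off:off + 4]))
    return ("inspect", (nh, None, None))      # simplification: anything else is the upper layer

def ip6(payload: bytes, nh: int = FRAGMENT) -> bytes:
    """Constructed fixed header, documentation addresses 2001:db8::1 -> 2001:db8::2."""
    a = bytes.fromhex("20010db8" + "00" * 11)
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + a + b"\x01" + a + b"\x02" + payload

# Constructed samples. Fragment header: next = Destination Options, offset 0, M = 1.
FRAG = bytes([60, 0]) + struct.pack("!HI", 0x0001, 0x1234)
# 1230 bytes of PadN options (type 1), filling one 1232-byte Destination Options header.
PADN = (bytes([1, 255]) + bytes(255)) * 4 + bytes([1, 200]) + bytes(200)
# 1280-byte first fragment that meets a minimum-size rule yet carries no TCP header.
PADDED = ip6(FRAG + bytes([TCP, 153]) + PADN)
# First fragment with an 8-byte Destination Options header followed by a TCP header.
NORMAL = ip6(FRAG + bytes([TCP, 0, 1, 4, 0, 0, 0, 0]) + struct.pack("!HH", 49152, 443) + bytes(16))

if __name__ == "__main__":
    for name, pkt in (("padded", PADDED), ("normal", NORMAL)):
        print(name, len(pkt), classify(pkt))
```
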