Re: Papers on IPv6 fragmentation

"Vishwas Manral" <vishwas.ietf@gmail.com> Mon, 23 June 2008 04:58 UTC

Return-Path: <ipv6-bounces@ietf.org>
X-Original-To: ipv6-archive@megatron.ietf.org
Delivered-To: ietfarch-ipv6-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 427E73A680E; Sun, 22 Jun 2008 21:58:25 -0700 (PDT)
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 097693A680E for <ipv6@core3.amsl.com>; Sun, 22 Jun 2008 21:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FP0h5EGzuhaP for <ipv6@core3.amsl.com>; Sun, 22 Jun 2008 21:44:30 -0700 (PDT)
Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.173]) by core3.amsl.com (Postfix) with ESMTP id 281EF3A67FE for <ipv6@ietf.org>; Sun, 22 Jun 2008 21:44:27 -0700 (PDT)
Received: by wf-out-1314.google.com with SMTP id 27so2085794wfd.31 for <ipv6@ietf.org>; Sun, 22 Jun 2008 21:44:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=al84hHgp8a/+N2/IzP7N0y1Q4Qk/2j5FaJmq8zqBoRw=; b=Mex3Lb9cqQed1XPlJE/6pw1R0TEAOedQC94PQYJxuoADizLjoeFyx9LKmzY6zUXd3a Xc0d4yQMZ9jbNuPEbDH5w37Hafg/1tecnKu/+P0H37/bvy1ubbE5SARdV0RGEYPzMmG2 kcItmYyZ9htKMnnHESP/RQ4Luz4kZVUUFPRDY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=ucd266jfv4TSUfLBH1krtXNSjss+erncqyFvRhkO6IwkloXLUK8qYD3txQRGTIlgnT cJa+MVRPoWgIRIwsz046SDoeKjeXPWkgIhvtF9Ujh6LR+YFkWJ5XPi/hXS/YtIxDgm0n 5tlIl3HjacDElJwqNh/Mmwxi7valgDxJT4dMg=
Received: by 10.142.54.17 with SMTP id c17mr3199220wfa.278.1214196266789; Sun, 22 Jun 2008 21:44:26 -0700 (PDT)
Received: by 10.143.9.18 with HTTP; Sun, 22 Jun 2008 21:44:26 -0700 (PDT)
Message-ID: <77ead0ec0806222144o6135b4b3gf57b53659098873@mail.gmail.com>
Date: Mon, 23 Jun 2008 14:44:26 +1000
From: "Vishwas Manral" <vishwas.ietf@gmail.com>
To: "Fernando Gont" <fernando@gont.com.ar>
Subject: Re: Papers on IPv6 fragmentation
In-Reply-To: <200806230321.m5N3LP1j004622@venus.xmundo.net>
MIME-Version: 1.0
Content-Disposition: inline
References: <200806221050.m5MAoF76005376@venus.xmundo.net> <77ead0ec0806220422v79d8e775n864772131b45b47b@mail.gmail.com> <200806230321.m5N3LP1j004622@venus.xmundo.net>
Cc: IETF IPv6 Mailing List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipv6-bounces@ietf.org
Errors-To: ipv6-bounces@ietf.org

Hi Fernando,

Thanks for reading through the draft.
> I had a quick look at your document. Here are some quick and dirty comments:
>
> * Your documents talk about specifying a minimum size for non-last
> fragments. Actually, I think one should be concerned only about the *first*
> fragment. That's the one that's used to create state at firewalls, etc.
This is the more liberal approach you adopt to achieve the same thing.
by having a more conservative approach we reduce the attack vectors
further.

> * I don't think imposing such a requirement will, by itself, help to ensure
> that you have in the first packet all the information you need to apply
> firewalls rules. It would be trivial for an attacker to comply with such a
> requirement, but still do not provide all the relevant information that
> would be needed by the firewall to apply its rules. The attacker could just
> add one or several extension headers, with lots of PadN options. Thus, it
> would comply with your requirement, but still avoid sending e.g. the TCP
> source and destination ports.
Fernando, that is correct. However we intend to put limitations
separately on that. Suresh probably had a draft regarding the same.

Thanks,
Vishwas


On Mon, Jun 23, 2008 at 1:18 PM, Fernando Gont <fernando@gont.com.ar>; wrote:
> At 08:22 a.m. 22/06/2008, Vishwas Manral wrote:
>
>> Though this may not be exactly what you are looking for, you may want
>> to look at some of the issues we identified a long while back with
>> IPv6 Tiny Fragments.
>>
>> http://tools.ietf.org/html/draft-manral-v6ops-tiny-fragments-issues-02
>
> I had a quick look at your document. Here are some quick and dirty comments:
>
> * Your documents talk about specifying a minimum size for non-last
> fragments. Actually, I think one should be concerned only about the *first*
> fragment. That's the one that's used to create state at firewalls, etc.
>
> * I don't think imposing such a requirement will, by itself, help to ensure
> that you have in the first packet all the information you need to apply
> firewalls rules. It would be trivial for an attacker to comply with such a
> requirement, but still do not provide all the relevant information that
> would be needed by the firewall to apply its rules. The attacker could just
> add one or several extension headers, with lots of PadN options. Thus, it
> would comply with your requirement, but still avoid sending e.g. the TCP
> source and destination ports.
>
> Kind regards,
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------