Re: AD Review: draft-ietf-6man-nd-extension-headers

Fernando Gont <fgont@si6networks.com> Mon, 14 January 2013 20:01 UTC

Message-ID: <50F46413.1000207@si6networks.com>
Date: Mon, 14 Jan 2013 17:01:23 -0300
From: Fernando Gont <fgont@si6networks.com>
To: Brian Haberman <brian@innovationslab.net>
Subject: Re: AD Review: draft-ietf-6man-nd-extension-headers
References: <50F41FCC.5020701@innovationslab.net>
In-Reply-To: <50F41FCC.5020701@innovationslab.net>
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, draft-ietf-6man-nd-extension-headers@tools.ietf.org, 6man WG <ipv6@ietf.org>

Hi, Brian,

Meta-comment: All proposed changes have been applied, and the rev'ed
draft has been posted -- ready for IETF LC?

More comments in-line...

On 01/14/2013 12:10 PM, Brian Haberman wrote:
> All,
>      I have completed my AD evaluation of
> draft-ietf-6man-nd-extension-headers.  The following comments need to be
> addressed prior to progressing this draft to IETF Last Call.
> 
> 1. The first sentence of the Abstract appears to be a remnant of when
> this draft discussed Extension Headers in general.  It should be updated
> to focus on the use of fragmentation within NDP messages.

Fixed.



> 2. The first sentence of the Introduction is a bit misleading.  NDP is
> specified in 4861.  RFC 4862 specifies SLAAC.  They are two different
> things, so I am not sure why 4862 is getting put into this statement.

Fixed.



> 3. The Intro also contains rudimentary discussion of existing tools for
> monitoring/protecting NDP traffic.  It would be good to also discuss the
> KAME rafixd tool, as it has similar capabilities.

I've added rafixd.. although the list wasn't meant to be exhaustive --
for instance, all of the listed "tools" can be fooled by employing
extension headers and/or fragmentation...


> 4. It would also be useful to discuss if there are limitations on simply
> blocking fragmented NDP traffic. 

Please see draft-ietf-6man-oversized-header-chain (and the figures in
draft-ietf-v6ops-ra-guard-implementation). Short story: with the current
specs, you might not be able to tell whether a packet is NDP or not --
hence your policy ends up being "drop fragmented v6 traffic"
(draft-ietf-v6ops-ra-guard-implementation is "as good as it can get" for
this specific case)


> Since this traffic is limited to a
> single L-2 link, dropping fragments may be a simple mechanism for
> dealing with fragmentation-based attacks.

The current packet structure is a nightmare for any device willing to
perform any sort of inspection. So at the very least you need to process
the entire IPv6 header chain -- and some devices cannot even do this.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
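As an added illustration of the inspection problem discussed in the thread (this is example code written for this page, not code from the thread or from either draft): a minimal header-chain walker in the position of an on-link filter, which can only classify a packet as a Router Advertisement when the ICMPv6 header is actually visible in the packet in hand. The Next Header values are the IANA-registered ones; the sample packets and their addresses are constructed here.

```python
import struct

# Next Header values from the IANA protocol-numbers registry (not from the mail).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
RA_TYPE = 134  # ICMPv6 Router Advertisement


def classify(pkt: bytes) -> str:
    """Walk one IPv6 packet's header chain the way an on-link filter must.

    'ndp-ra' when a Router Advertisement is visible, 'other' when the upper-layer
    header is visible and is not an RA, 'undetermined' when this packet alone
    does not reveal the upper-layer header (the case that forces a drop-all-fragments policy).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "other"
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return "undetermined"      # chain runs past the end of this fragment
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return "undetermined"  # non-first fragment: no upper-layer header here
            nh, off = pkt[off], off + 8
        else:
            # Hdr Ext Len counts 8-octet units, not including the first 8 octets
            nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
    if nh != ICMPV6:
        return "other"
    if off >= len(pkt):
        return "undetermined"          # ICMPv6 type byte lies in a later fragment
    return "ndp-ra" if pkt[off] == RA_TYPE else "other"


def ipv6(nh: int, payload: bytes) -> bytes:
    """Constructed IPv6 header: link-local source, ff02::1 destination, hop limit 255."""
    src = b"\xfe\x80" + b"\x00" * 14
    dst = b"\xff\x02" + b"\x00" * 13 + b"\x01"
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + dst + payload


def samples() -> dict:
    """Constructed packets covering the cases a fragment-aware filter must tell apart."""
    ra = bytes([RA_TYPE, 0]) + b"\x00" * 14                  # RA header with zeroed fields
    first = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0x1234)  # fragment offset 0, M=1
    later = struct.pack("!BBHI", ICMPV6, 0, 1 << 3, 0x1234)  # fragment offset 1
    opts = bytes([ICMPV6, 3]) + b"\x00" * 6                  # DstOpts claims 32 octets, 8 present
    return {
        "plain_ra": ipv6(ICMPV6, ra),
        "ra_first_fragment": ipv6(FRAGMENT, first + ra),
        "second_fragment": ipv6(FRAGMENT, later + b"\x00" * 8),
        "options_spill_over": ipv6(FRAGMENT, struct.pack("!BBHI", DSTOPTS, 0, 0x0001, 0x1234) + opts),
        "tcp": ipv6(6, b"\x00" * 20),
    }
```

The last two sample packets are the ones a filter cannot classify from the packet in hand, which is why the only safe per-packet policy without reassembly is to drop fragmented traffic altogether.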