IETF Logo Mail Archive

Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>

Bob Hinden <bob.hinden@gmail.com> Fri, 29 May 2015 15:21 UTC

Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D9A01AC44B for <ipv6@ietfa.amsl.com>; Fri, 29 May 2015 08:21:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3viTY67gFYjk for <ipv6@ietfa.amsl.com>; Fri, 29 May 2015 08:21:37 -0700 (PDT)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 513101A90C8 for <ipv6@ietf.org>; Fri, 29 May 2015 08:21:37 -0700 (PDT)
Received: by wgme6 with SMTP id e6so65579826wgm.2 for <ipv6@ietf.org>; Fri, 29 May 2015 08:21:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=KEE5eiZDaM0bvD13+0Cohijd4TCCT6psT1ZLllVk5Lc=; b=qxNkI0UmXoM7BcU8s95Afh4XUnI5OQe774xtktxuKYg02cKxxm17yjou5CYpi9QQva GMbAq/3whJA+2KA87wjR2rxw0jdHWzdIjrgE0uv2BoUV6h+A9kc5NsW4DTdcn9Po7mH3 qX1PLg6MfTNjyXgcGWPLdw58xGudpI+Ojayxh7UXLmEW/NyL6FzzDKRXTdjTEuWUweYZ E/F+XM1eaua0F3Aq6W/PTfC1VutHYDybMLV8aEq66n4eE8RhngKa9/Py+7SXVc+504eH loyVHznksGlilmgHYtofcQtuKXYEjyLXANnFPxu2kgitRPigxHtHNTf+sHf6MSUXCl7A vgXA==
X-Received: by 10.180.90.209 with SMTP id by17mr7486673wib.2.1432912895996; Fri, 29 May 2015 08:21:35 -0700 (PDT)
Received: from ?IPv6:2601:9:400:ac2:45a6:1e7a:b2f0:f3d5? ([2601:9:400:ac2:45a6:1e7a:b2f0:f3d5]) by mx.google.com with ESMTPSA id bh7sm8811572wjb.8.2015.05.29.08.21.33 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 29 May 2015 08:21:35 -0700 (PDT)
Subject: Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_5F5DC48E-A41A-4875-8D10-F70A19A92075"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5b6
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <55682029.2040609@si6networks.com>
Date: Fri, 29 May 2015 08:21:30 -0700
Message-Id: <0427FFC3-B085-44B2-BD4E-15991CE6E18C@gmail.com>
References: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com> <54FCDECD.2040609@si6networks.com> <75C9B430-7D39-4466-AB17-0F3553EC6EB4@gmail.com> <555AE0AF.5050601@si6networks.com> <F1464F80-172F-4F83-B10B-F9738B2B1AB3@gmail.com> <55682029.2040609@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/IlyUbSo2ev54FFSmPJTu6VTg_dA>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2015 15:21:39 -0000

Fernando,

> On May 29, 2015, at 1:15 AM, Fernando Gont <fgont@si6networks.com> wrote:
> 
> Hi, Bob,
> 
> On 05/19/2015 05:40 AM, Bob Hinden wrote:
>>>>>> In Section 2 "Security Implications of Predictable Fragment
>>>>>> Identification values”.  The problems listed seem to us to
>>>>>> be overstated.  As the draft notes later, the issue with
>>>>>> predictable fragment IDs in IPv6 is only an issue for IPv6
>>>>>> packets with the fragment header.
>>>>> 
>>>>> Yes, but you can trigger fragmentation for any traffic flow
>>>>> (see draft-ietf-6man-deprecate-atomfrag-generation).
>>>> 
>>>> 
>>>> Yes, if it knows the address of the other side of the
>>>> connection. The attacker would have to be on link, or monitoring
>>>> the traffic between the two hosts.  This make this attack much
>>>> harder in practice for an off link attacker.  If on link, then
>>>> there are so many better attacks.  Hence my comment of the
>>>> problem being overstated.
>>> 
>>> It is trivial to know the IPv6 addresses involved for many
>>> scenarios. e.g. BGP peer to BGP peer, secondary DNS to primary DNS,
>>> SMTP server to SMTP server, etc.
>> 
>> That’s my point.  It’s trivial only if you know the addresses of both
>> side of the connection.  It effects well known nodes.  It does not
>> affect the vast majority of hosts on the Internet.  Hence, I think
>> the text should accurately describe the risk.  I think the current
>> text overstates the problem.  You could say something like you did
>> above.
> 
> I've added text along these lines and rev'ed the I-D.
> 
> P.S.: Ready to ship now?

I will take a look.  This was the last issue I had.

Thanks,
Bob

v2.23.0 | Report a Bug | By Email