IETF Logo Mail Archive

RE: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Fri, 19 November 2021 18:01 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FD003A07B1 for <ipv6@ietfa.amsl.com>; Fri, 19 Nov 2021 10:01:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=boeing.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mT-BcTHWyZ0X for <ipv6@ietfa.amsl.com>; Fri, 19 Nov 2021 10:01:50 -0800 (PST)
Received: from clt-mbsout-02.mbs.boeing.net (clt-mbsout-02.mbs.boeing.net [130.76.144.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A60223A0044 for <ipv6@ietf.org>; Fri, 19 Nov 2021 10:01:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by clt-mbsout-02.mbs.boeing.net (8.15.2/8.15.2/DOWNSTREAM_MBSOUT) with SMTP id 1AJI1ihh028496; Fri, 19 Nov 2021 13:01:45 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=boeing.com; s=boeing-s1912; t=1637344905; bh=8fZ3gQ8PuW0Azy1zzF2FSn+5k2sL5uqNaXHSr4AnEiM=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=g9sIgGT5jRYW+9EtcBQ8HWzI5IvqRZWTk61022UDwk+g073LisVJptcbTEL+muTxK O3VdCzveAZJFbpjnLROk5TkgT/D+r0Y31yGt+QY7ar3E7VyErP+qmSYygZmApmma45 Nu0bgcVHKqmNTK6yLHSPQBtVuBedVo8PDead698IST3wp6JekJ/xto0Js9HRrKra5l XZnOr/OsrhMT45NlsuXgJZhC6J4O9vooVIXSFZRU3djof6Q6bUL5rovbd2+F4Reozt +wUNpoDG2th8BU++2BSM2ZoN1/xWv4E/LUOTVq1pMDBbiQkkdgUYdlkjruqIMrCHGE 02GLMJuBbkjWQ==
Received: from XCH16-07-07.nos.boeing.com (xch16-07-07.nos.boeing.com [144.115.66.109]) by clt-mbsout-02.mbs.boeing.net (8.15.2/8.15.2/8.15.2/UPSTREAM_MBSOUT) with ESMTPS id 1AJI1euG028422 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 19 Nov 2021 13:01:40 -0500
Received: from XCH16-07-10.nos.boeing.com (144.115.66.112) by XCH16-07-07.nos.boeing.com (144.115.66.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2308.14; Fri, 19 Nov 2021 10:01:39 -0800
Received: from XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5]) by XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5%2]) with mapi id 15.01.2308.014; Fri, 19 Nov 2021 10:01:39 -0800
From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Mark Smith <markzzzsmith@gmail.com>
CC: Nick Hilliard <nick@foobar.org>, IPv6 List <ipv6@ietf.org>
Subject: RE: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments
Thread-Topic: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments
Thread-Index: AdfdWjAHT7wxdQZH70CXpjUTcxCIdQARlzsAABAJdlD//5RRgIAAeK4Q
Date: Fri, 19 Nov 2021 18:01:39 +0000
Message-ID: <e097cd15e4f94814ad90477b7bea06a3@boeing.com>
References: <01510cc3c19b4b4b8cef41357c975fd9@boeing.com> <CAO42Z2zitj2mOzj80G_SUfukg551A64n9HnOcC2-ukCta4Ohaw@mail.gmail.com> <986ef062d3874a3caf9fbf19dbf55350@boeing.com> <CAO42Z2zfOyd+ApLM4zAKx0Jg8hpSnVVWubC_kJ+cnBOsLQk1zQ@mail.gmail.com>
In-Reply-To: <CAO42Z2zfOyd+ApLM4zAKx0Jg8hpSnVVWubC_kJ+cnBOsLQk1zQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [137.137.12.6]
x-tm-snts-smtp: 47FA640ED1C5CE3B792D02C4A2092AD9F19876EDD215417A41A18E81D8F2D9C52000:8
Content-Type: multipart/alternative; boundary="_000_e097cd15e4f94814ad90477b7bea06a3boeingcom_"
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/JLqQSfWdMLssob9S_Ishj7MKiFQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2021 18:01:56 -0000

Mark, stop it with AH – the AERO/OMNI Identification sequence number management
scheme has its basis in RFC793. AERO/OMNI make ubiquitous use of the Fragment Header
for both fragmentation and packet identification, and adding an AH on every packet is neither
needed nor wanted.

From: Mark Smith [mailto:markzzzsmith@gmail.com]
Sent: Friday, November 19, 2021 9:07 AM
To: Templin (US), Fred L <Fred.L.Templin@boeing.com>
Cc: Nick Hilliard <nick@foobar.org>; IPv6 List <ipv6@ietf.org>
Subject: Re: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments


EXT email: be mindful of links/attachments.





On Sat, 20 Nov 2021, 03:18 Templin (US), Fred L, <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote:
I am sorry Mark, but this is not AH – the AERO/OMNI identification mechanism
is modeled after the way TCP peers negotiate sequence number windows, with
the expectation that the peers may renegotiate sequence numbers frequently to
keep the attack surface unpredictable. Please do not make blanket statements
without reading documents.

Did you look up the AH spec? See section 2.5 Sequence Number.

As I said before, your description of replay protection is describing one of the features of AH.

If you add that functionality to Jumbogram EHs, you are reinventing it needlessly.

Combine AH EH with JG EH and you've got your jumbo packets with replay protection.

You're not inventing anything new. The functionality to protect against packet replaying already exists in AH (and ESP).

Regards,
Mark.


Fred

From: Mark Smith [mailto:markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com>]
Sent: Friday, November 19, 2021 7:53 AM
To: Templin (US), Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>>
Cc: Nick Hilliard <nick@foobar.org<mailto:nick@foobar.org>>; IPv6 List <ipv6@ietf.org<mailto:ipv6@ietf.org>>
Subject: [EXTERNAL] Re: Transmission of IPv6 Jumbograms as Atomic Fragments


EXT email: be mindful of links/attachments.





On Sat, 20 Nov 2021, 02:32 Templin (US), Fred L, <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote:
Thanks Mark, but I don’t want AH; I want AERO/OMNI. I want the Identifications to serve
the dual purpose of supporting the fragmentation/reassembly process and providing an
in-window value that recipients can use to detect spurious packets. And, I want the same
mechanism used for packets of all sizes, up to and including jumbos.

AH + JG

Done. No reinventing wheels.


Fred

From: Mark Smith [mailto:markzzzsmith@gmail.com<mailto:markzzzsmith@gmail.com>]
Sent: Thursday, November 18, 2021 4:11 PM
To: Templin (US), Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>>
Cc: Nick Hilliard <nick@foobar.org<mailto:nick@foobar.org>>; IPv6 List <ipv6@ietf.org<mailto:ipv6@ietf.org>>
Subject: Re: Transmission of IPv6 Jumbograms as Atomic Fragments

On Fri, 19 Nov 2021, 07:12 Templin (US), Fred L, <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>> wrote:
Nick,

> Do you have a use case in mind for the ID field?

Thank you for this timely question. I just got done posting a major update to the
draft, which now is titled: "IPv6 Packet Identification" and considers all forms of
IPv6 packets and not just Jumbograms. In answer to your question here is the new
Section 2 text from the draft (link provided below):

"2.  IPv6 Packet Identification

   When IPv6 sources and destinations have some way of maintaining
   "windows" of acceptable Identification values, the destination may be
   able to examine received packet Identifications to determine whether
   they likely originated from the source.

This seems to be describing the sequence number verification used in IPsec AH per RFC 4302.

It may be worth either just using AH as is, and getting all of its other benefits, or look at creating a simplified version of it rather than modifying the jumbogram EH to start duplicating existing AH functionality.

According to RFC 4302 there are a range of reserved SPI values (1 through 255), you could use one of those to indicate a light weight version of AH that just does packet identification, avoiding the need to set up Security Associations with IKE.

Regards,
Mark.

The AERO
   [I-D.templin-6man-aero] and OMNI [I-D.templin-6man-omni]
   specifications discuss methods for maintaining windows of
   unpredictable values that may reduce attack profiles in some
   environments."

Thanks, and here is the draft URL:

https://datatracker.ietf.org/doc/draft-templin-6man-jumbofrag/

Fred

> -----Original Message-----
> From: Nick Hilliard [mailto:nick@foobar.org<mailto:nick@foobar.org>]
> Sent: Thursday, November 18, 2021 9:16 AM
> To: Templin (US), Fred L <Fred.L.Templin@boeing.com<mailto:Fred.L.Templin@boeing.com>>
> Cc: IPv6 List <ipv6@ietf.org<mailto:ipv6@ietf.org>>
> Subject: Re: Transmission of IPv6 Jumbograms as Atomic Fragments
>
>
> Templin (US), Fred L wrote on 18/11/2021 15:23:
> > Bob, what I want is exactly the Identification field that is found in the Fragment Header
> > while simply leaving the rest of the fields of that header set to 0
>
> Do you have a use case in mind for the ID field?
>
> Nick

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<mailto:ipv6@ietf.org>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email