IETF Logo Mail Archive

RE: Next steps for draft-gont-6man-predictable-fragment-id

Ronald Bonica <rbonica@juniper.net> Sun, 10 March 2013 21:56 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CDD121F8765 for <ipv6@ietfa.amsl.com>; Sun, 10 Mar 2013 14:56:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.188
X-Spam-Level:
X-Spam-Status: No, score=-103.188 tagged_above=-999 required=5 tests=[AWL=0.279, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DVCDehxZT+hr for <ipv6@ietfa.amsl.com>; Sun, 10 Mar 2013 14:56:47 -0700 (PDT)
Received: from exprod7og112.obsmtp.com (exprod7og112.obsmtp.com [64.18.2.177]) by ietfa.amsl.com (Postfix) with ESMTP id 30C6E21F8714 for <ipv6@ietf.org>; Sun, 10 Mar 2013 14:56:47 -0700 (PDT)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob112.postini.com ([64.18.6.12]) with SMTP ID DSNKUT0Bnl8n2QUvDQPdzSGJyISP5YeY/BbD@postini.com; Sun, 10 Mar 2013 14:56:47 PDT
Received: from P-CLDFE02-HQ.jnpr.net (172.24.192.60) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.3.213.0; Sun, 10 Mar 2013 14:54:16 -0700
Received: from o365mail.juniper.net (207.17.137.149) by o365mail.juniper.net (172.24.192.60) with Microsoft SMTP Server id 14.1.355.2; Sun, 10 Mar 2013 14:54:16 -0700
Received: from TX2EHSOBE001.bigfish.com (65.55.88.11) by o365mail.juniper.net (207.17.137.149) with Microsoft SMTP Server (TLS) id 14.1.355.2; Sun, 10 Mar 2013 14:56:58 -0700
Received: from mail176-tx2-R.bigfish.com (10.9.14.227) by TX2EHSOBE001.bigfish.com (10.9.40.21) with Microsoft SMTP Server id 14.1.225.23; Sun, 10 Mar 2013 21:54:15 +0000
Received: from mail176-tx2 (localhost [127.0.0.1]) by mail176-tx2-R.bigfish.com (Postfix) with ESMTP id 5579F2E01E8 for <ipv6@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Sun, 10 Mar 2013 21:54:15 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.238.5; KIP:(null); UIP:(null); (null); H:BY2PRD0512HT002.namprd05.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -23
X-BigFish: PS-23(zz9371I542I1432Izz1f42h1ee6h1de0h1202h1e76h1d1ah1d2ahzz1033IL17326ah8275dhz2dh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1155h)
Received: from mail176-tx2 (localhost.localdomain [127.0.0.1]) by mail176-tx2 (MessageSwitch) id 1362952453419716_12384; Sun, 10 Mar 2013 21:54:13 +0000 (UTC)
Received: from TX2EHSMHS007.bigfish.com (unknown [10.9.14.230]) by mail176-tx2.bigfish.com (Postfix) with ESMTP id 59358260086; Sun, 10 Mar 2013 21:54:13 +0000 (UTC)
Received: from BY2PRD0512HT002.namprd05.prod.outlook.com (157.56.238.5) by TX2EHSMHS007.bigfish.com (10.9.99.107) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sun, 10 Mar 2013 21:54:12 +0000
Received: from BY2PRD0512MB653.namprd05.prod.outlook.com ([169.254.5.174]) by BY2PRD0512HT002.namprd05.prod.outlook.com ([10.255.243.35]) with mapi id 14.16.0275.006; Sun, 10 Mar 2013 21:54:12 +0000
From: Ronald Bonica <rbonica@juniper.net>
To: Ole Troan <otroan@employees.org>, "ipv6@ietf.org 6man-wg" <ipv6@ietf.org>
Subject: RE: Next steps for draft-gont-6man-predictable-fragment-id
Thread-Topic: Next steps for draft-gont-6man-predictable-fragment-id
Thread-Index: AQHOFe0UaUGXQfKRVUyxWSe+TIdKBpiffTJw
Date: Sun, 10 Mar 2013 21:54:12 +0000
Message-ID: <2CF4CB03E2AA464BA0982EC92A02CE25068CD2C3@BY2PRD0512MB653.namprd05.prod.outlook.com>
References: <1D5AC9C6-2FC2-455D-930E-A8BA83C37D5B@employees.org>
In-Reply-To: <1D5AC9C6-2FC2-455D-930E-A8BA83C37D5B@employees.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.232.2]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%12219$Dn%EMPLOYEES.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%IETF.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2013 21:56:48 -0000

Ole,

There may exist at least one attack scenario that is sufficiently serious to motivate this work. I will describe the scenario and invite DNSSEC and security types to correct me if I have it all wrong.

Name Servers running DNSSEC frequently send very long packets over UDP. Even in the absence of an attack, many of these packets will be fragmented.

Now assume an attack scenario in which the victim is a legitimate client of that Name Server. An attacker seeks to prevent the victim from receiving fragmented packets from the Name Server. In order to achieve that goal, the attacker:

- determines the range of fragment-ids that the Name Server is likely to emit in the next second or so
- sends a stream of packets to the victim, spoofing the Name Server's address and using each member of the fragment-ID range
- repeat periodically

The attacker will prevent a legitimate packet from the Name Server from being reassembled if he delivers a packet with the correct fragment-id to the victim between the time that the victim receives the first and last fragments of the legitimate packet. The attacker may not be able to corrupt every fragmented packet from the Name Server to the victim, but his chances of success improve as:

- the range of fragment-ids that the Name Server is likely to emit decreases
- the time between the arrival of the first and last fragments of the legitimate packets increases

In any event, since DNSSEC contributes significantly to the security posture of the Internet, we should probably address the issue of predictable fragment-IDs.

                                               Ron


> -----Original Message-----
> From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of
> Ole Troan
> Sent: Thursday, February 28, 2013 2:52 PM
> To: ipv6@ietf.org 6man-wg
> Subject: Next steps for draft-gont-6man-predictable-fragment-id
> 
> Hi,
> 
> The draft-gont-6man-predictable-fragment-id document has been discussed
> a few times.
> At the IETF84 (minutes attached below), and in the thread:
> http://www.ietf.org/mail-archive/web/ipv6/current/msg15836.html
> 
> Could we get the working groups opinion on what to do with the
> document?
> 
> - Is there interest in working on it in 6man?
>   (if yes, you must be willing to contribute, if no, then say why)
> 
> Best regards,
> Ole & Bob
> 
> 
> 
> IETF84 minutes:
> ============
> Fernando Gont presented the draft about Security Implications of
> Predictable Fragment Identification Values,
> (draft-gont-6man-predictable-fragment-id-02.txt)
> 
> Ole Troan wanted to make this document more generic and discuss the
> implications of using predictable values in Internet protocols.
> Fernando
> 
> Bob Hinden wanted to see a longer list of OSs. He was also curious as
> to whether this was problem that needed to be fixed in IETF or was this
> already common knowledge.
> 
> Erik Kline wanted to know if there was an IAB document that recommended
> the use of non-predictable values if there was an integer field that
> did not need specific values.
> 
> Thomas Narten was not sure what to do with this. This fell under the
> category of "don't do anything stupid". e.g. Why do a document for
> IPv6 for things that were well known in IPv4?
> 
> Lorenzo Colitti thought that this work was not harmful and should be
> pursued irrespective of any iab work.
> 
> Brian Haberman did not want to have a point solution for every field
> and he would like to see a more general document applicable across the
> IETF. Fernando was concerned on whether implementers would read this
> generic document. Brian believed that this generic document could be
> referred to in the node requirements document, thus ensuring that IPv6
> implementers would read it.
> 
> Joel Jaeggli thought that it was a worthwhile activity to look at
> existing implementations and flag this as a potential issue that was
> common across multiple implementations. Thomas Narten and Erik Kline
> agreed with Joel.
> 
> Dave mentioned that RFC4732 (Internet DOS considerations) talked about
> using unpredictable values for session ids. Fernando talked about other
> issues discovered after 4732 that still had this issue. Dave believed
> that this sort of work needs to be done by the saag and if this was
> included in a statement from saag as something to look for in SecDir
> reviews, it would have the largest impact.
> 
> Chairs wanted to continue discussion on mailing list and requested
> Fernando to discuss potential changes with Joel J.
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email