Re: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09

Tim Chown <Tim.Chown@jisc.ac.uk> Wed, 02 January 2019 12:52 UTC

From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: Bob Hinden <bob.hinden@gmail.com>
CC: Carsten Bormann <cabo@tzi.org>, Suresh Krishnan <suresh.krishnan@gmail.com>, IPv6 List <ipv6@ietf.org>, "draft-ietf-6man-rfc6434-bis@ietf.org" <draft-ietf-6man-rfc6434-bis@ietf.org>, 6man Chairs <6man-chairs@ietf.org>
Subject: Re: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09
Date: Wed, 02 Jan 2019 12:52:20 +0000
Message-ID: <6AD6AED9-9436-4441-B93D-F6954FFD6F64@jisc.ac.uk>
References: <8A9ACE0F-8EF7-48D7-AB1A-309D05A350CC@gmail.com> <163A5F42-1D04-4B4A-8EE0-844BC76F0E7B@tzi.org> <9EFEE299-0BE6-4FBF-BA7B-AA4727F9F752@gmail.com>
In-Reply-To: <9EFEE299-0BE6-4FBF-BA7B-AA4727F9F752@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/OsaEXGKa5tRkdvGA6hURBxss8SQ>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>

> On 20 Dec 2018, at 18:16, Bob Hinden <bob.hinden@gmail.com> wrote:
> 
> Carsten,
> 
>> On Dec 20, 2018, at 9:35 AM, Carsten Bormann <cabo@tzi.org> wrote:
>> 
>> On Dec 20, 2018, at 07:20, Suresh Krishnan <suresh.krishnan@gmail.com> wrote:
>>> 
>>> NEW:
>>> 
>>> As per RFC 6980, hosts MUST NOT employ IPv6 fragmentation for sending any of the following Neighbor Discovery and SEcure Neighbor Discovery messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, Redirect, or Certification Path Solicitation.
>> 
>> Is it intentional that this places a requirement only on senders, not on receivers?
>> It’s the receivers that are subject to the attacks enabled by fragmentation, so they are the ones that would need to ignore fragmented ND messages.
> 
> Good point, RFC6980 describes senders and receivers.   Maybe something like:
> 
> As specified in RFC 6980, nodes MUST NOT employ IPv6 fragmentation for sending any of the following Neighbor Discovery and SEcure Neighbor Discovery messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, Redirect, or Certification Path Solicitation.  Nodes MUST silently ignore any of these messages on receipt if fragmented.  See RFC 6980 for details and motivation.

Looks good to me.

Tim
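The receiver-side half of the rule being settled above (silently ignore NS, NA, RS, RA, Redirect and CPS if the packet carrying them has a Fragment header) is easy to state and easy to get subtly wrong in an extension-header walker. The following is an added example, written for this page and not code from the thread, from RFC 6980 or from any IPv6 stack: it walks the extension-header chain of a raw IPv6 packet, notes whether a Fragment header (next header 44) was seen, and classifies the ICMPv6 type of the first fragment. The sample packets are constructed inline (ICMPv6 checksum left at zero, a fixed fragment identification), and the names `walk_headers` and `rfc6980_verdict` are this example's own. Certification Path Advertisement (type 149) is deliberately not in the drop set, because RFC 6980 only says nodes SHOULD NOT fragment it.

```python
"""RFC 6980 receiver check: drop ND / SEND messages that arrive fragmented.

Added example (not from the thread, RFC 6980 or any real stack). Walks the
IPv6 extension-header chain and classifies the packet as 'pass', 'drop' or
'defer'. Sample packets below are constructed, not captured.
"""
import struct
from ipaddress import IPv6Address

# ICMPv6 types covered by the MUST-ignore rule. CPA (149) is absent: only SHOULD NOT.
ND_NO_FRAG = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect", 148: "CPS"}

HOPOPTS, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONEXT, DSTOPTS = 0, 43, 44, 50, 51, 58, 59, 60


def walk_headers(pkt):
    """Return (upper_nh, upper_off, frag_off).

    upper_nh  : first Next Header value that is not an extension header
    upper_off : byte offset where that header starts
    frag_off  : 13-bit fragment offset (8-octet units) if a Fragment header was
                seen anywhere in the chain, else None
    """
    if len(pkt) < 40 or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag_off = pkt[6], 40, None
    while True:
        if nh in (HOPOPTS, ROUTING, DSTOPTS):
            # Hdr Ext Len is in 8-octet units and excludes the first 8 octets.
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == AH:
            # AH Payload Len is in 4-octet units minus 2 (RFC 4302).
            if off + 2 > len(pkt):
                raise ValueError("truncated AH")
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated Fragment header")
            nh = pkt[off]
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            off += 8
        else:
            # ESP, ICMPv6, No Next Header, TCP/UDP, ...: end of the chain.
            return nh, off, frag_off


def rfc6980_verdict(pkt):
    """'drop'  : fragmented ND/SEND message, MUST be silently ignored
       'defer' : non-first fragment, ICMPv6 type only known after reassembly
       'pass'  : not covered by the rule (no Fragment header, or not ND/SEND)"""
    nh, off, frag_off = walk_headers(pkt)
    if frag_off is None:
        return "pass"
    if frag_off != 0:
        return "defer"        # mid-packet slice; a host applies the rule post-reassembly
    if nh != ICMPV6 or off >= len(pkt):
        return "pass"
    # Atomic fragments (offset 0, M=0) still carry a Fragment header: still dropped.
    return "drop" if pkt[off] in ND_NO_FRAG else "pass"


# --- constructed sample packets ---------------------------------------------
def ipv6_packet(next_header, payload, src="fe80::1", dst="ff02::1"):
    # Version 6, traffic class 0, flow label 0, hop limit 255 as ND requires.
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def fragment_header(next_header, offset, more, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def icmpv6(msg_type, body=b""):
    return struct.pack("!BBH", msg_type, 0, 0) + body      # checksum left at zero


RA = icmpv6(134, struct.pack("!BBHII", 64, 0, 1800, 0, 0))  # hop limit, flags, lifetime, reachable, retrans
PLAIN_RA = ipv6_packet(ICMPV6, RA)
DSTOPTS_RA = ipv6_packet(DSTOPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)   # 8-byte DstOpts + PadN
FIRST_FRAG_RA = ipv6_packet(FRAGMENT, fragment_header(ICMPV6, 0, True) + RA)
ATOMIC_FRAG_RA = ipv6_packet(FRAGMENT, fragment_header(ICMPV6, 0, False) + RA)
LATER_FRAG = ipv6_packet(FRAGMENT, fragment_header(ICMPV6, 11, False) + b"\x00" * 8)
FRAG_ECHO = ipv6_packet(FRAGMENT, fragment_header(ICMPV6, 0, True) + icmpv6(128, b"\x00" * 4))
FRAG_CPA = ipv6_packet(FRAGMENT, fragment_header(ICMPV6, 0, True) + icmpv6(149, b"\x00" * 4))

if __name__ == "__main__":
    for name, pkt in [("plain RA", PLAIN_RA), ("DstOpts+RA", DSTOPTS_RA),
                      ("first-frag RA", FIRST_FRAG_RA), ("atomic-frag RA", ATOMIC_FRAG_RA),
                      ("later frag", LATER_FRAG), ("frag echo", FRAG_ECHO), ("frag CPA", FRAG_CPA)]:
        print(f"{name:15s} -> {rfc6980_verdict(pkt)}")
```

The 'defer' case is the practical reason the rule is stated for nodes, not just hosts: an end host reassembles and so always learns that the RA it is about to process arrived in fragments, whereas an on-path filter (such as an RA Guard implementation) seeing only a non-first fragment cannot tell what it carries. Making senders never fragment ND lets a filter drop any ND-looking first fragment without breaking legitimate traffic.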