IETF Logo Mail Archive

Re: AD Evaluation: draft-ietf-6man-predictable-fragment-id

Fernando Gont <fgont@si6networks.com> Mon, 24 August 2015 12:46 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 444BC1B348A; Mon, 24 Aug 2015 05:46:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GsADOdVlNi1X; Mon, 24 Aug 2015 05:46:52 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [37.72.100.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFA961B348D; Mon, 24 Aug 2015 05:46:51 -0700 (PDT)
Received: from [186.137.82.224] (helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZTr8C-0007v9-4q; Mon, 24 Aug 2015 14:45:44 +0200
Message-ID: <55DB1172.9030901@si6networks.com>
Date: Mon, 24 Aug 2015 09:43:30 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Brian Haberman <brian@innovationslab.net>, draft-ietf-6man-predictable-fragment-id@ietf.org, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: AD Evaluation: draft-ietf-6man-predictable-fragment-id
References: <55D76AFD.2070000@innovationslab.net> <55D7D577.3010301@si6networks.com> <55DB0B87.5030200@innovationslab.net>
In-Reply-To: <55DB0B87.5030200@innovationslab.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/PUgAZzfr2yNT-UUhi3RA-nPKKZM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 12:46:54 -0000

Hi, Brian,

On 08/24/2015 09:18 AM, Brian Haberman wrote:
>> Thanks so much for your feedback! -- Please find my responses in-line....
>>
>> On 08/21/2015 08:16 PM, Brian Haberman wrote:
>>>      I have completed my AD evaluation of this draft as a part of the
>>> publication process.  I only have two comments/questions on this draft.
>>> Once those are resolved, it can move along in the publication process.
>>>
>>> * Section 4 says the following:
>>>
>>>    As a result, at least during the IPv6/IPv4 transition/co-existence
>>>    phase, it is probably safer to assume that only the low-order 16 bits
>>>    of the IPv6 Fragment Identification are of use to the destination
>>>    system.
>>>
>>> I think that statement is making an ill-advised generalization.  The
>>> above is true if one is looking at an atomic fragment. However, even if
>>> we are talking about a transition/co-existence phase, there will still
>>> be significant amounts of fragmented traffic between IPv6 nodes where
>>> the full 32 bits of the fragment id are useful. What was the rationale
>>> for the above generalization?
>>
>> The rationale is that, since you don't really know whether the remote
>> endpoint is really an IPv6 node or an IPv4 node behind a translator, the
>> only safe bet is to assume the worst ("it is a v4 node behind a
>> translator, and hence only the low order 16 bits are meaningful").
> 
> If you are generating atomic fragments, you have a pretty good idea that
> the lower 16 bits are the only ones that are meaningful.

Yes. But if you're generating, say, 1280-byte or even 1500-byte
fragments, you might still be going through a translator.

(i.e., yes, you're right that for the "I'm generating atomic fragments
case" you could infer that you're going through a translator... but
generating atomic fragments is not a necessary condition for going
through a translator -- e.g., think of an 1500-byte MTU on the IPv4 side).



> Has there been
> any data collected on the number of fragmented IPv6 packets that are
> destined for IPv4 nodes where the PMTU is >1280?  Or is this theoretical
> analysis?

I think you cannot really measure that, since you cannot really tell
from the IPv6 address that the corresponding packets are being translated.

So the question really boils down to "is the IPv4 Internet's MTU >1280
in many cases?" (and the answer is, of course, "yes")  -- (in such cases
atomic fragments will not be generated).


>>> * Section 5.3's discussion of a hash-based id generation scheme says
>>> this in the drawbacks:
>>>
>>>    o  Since the Fragment Identification values are predictable by the
>>>       destination host...
>>>
>>> How are the ID values predicted by the destination host?  The source is
>>> using secret values that presumably are not shared with the destination.
>>> So how does this prediction work?
>>
>> These Frag ID values are predictable because the hash-based approach
>> leads to a monotonically-increasing sequence (e.g., 1, 2, 3, 4) then
>> it's easy to predict the sequence *by the destination host*. Of course,
>> such sequence is not predictable by an off-path attacker.
>>
> 
> Monotonically-increasing?  The text in 5.3 clearly says:
> 
>    With such a scheme, the Fragment Identification value of
>    each fragment datagram would be selected with the expression...
> 
> That, to me, indicates that each time a Fragment ID is generated, the
> hash function is invoked.  How is it monotonically increasing if the
> hash is invoked for each packet being fragmented?

A simplified version of the expression in Section 5.3 would be:

   Identification = F(Src IP, Dst IP, secret1)  +  counter.


If you're receiviving packets from the same src IP, to your same dst IP,
those two addresses will be constant. secret1 is also constant. Then the
expression results in:

 ID= F() + counter = random_number +  counter


for each (src IP, dst IP) (whre "counter" is a variable that is
incremented for each fragmented packet that is sent). Hence successive
packets will contain monotonically-increasing IDs (say {1, 2, 3..} ,
{345556, 345557, 345558,..} or whatever ).


FWIW, the expression in Section 5.3 replaces the "counter" variable
(from the simplified expression I wrote above) with an array of
counters, such that we can avoid the use of a single global counter (to
avoid e.g.  [Sanfilippo1998b] and [Sanfilippo1999])

Please let me know if this clarifies your question...

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email