Re: AD Evaluation: draft-ietf-6man-predictable-fragment-id
Fernando Gont <fgont@si6networks.com> Mon, 24 August 2015 12:46 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 444BC1B348A; Mon, 24 Aug 2015 05:46:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GsADOdVlNi1X; Mon, 24 Aug 2015 05:46:52 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [37.72.100.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFA961B348D; Mon, 24 Aug 2015 05:46:51 -0700 (PDT)
Received: from [186.137.82.224] (helo=[192.168.3.107]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1ZTr8C-0007v9-4q; Mon, 24 Aug 2015 14:45:44 +0200
Message-ID: <55DB1172.9030901@si6networks.com>
Date: Mon, 24 Aug 2015 09:43:30 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Brian Haberman <brian@innovationslab.net>, draft-ietf-6man-predictable-fragment-id@ietf.org, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: Re: AD Evaluation: draft-ietf-6man-predictable-fragment-id
References: <55D76AFD.2070000@innovationslab.net> <55D7D577.3010301@si6networks.com> <55DB0B87.5030200@innovationslab.net>
In-Reply-To: <55DB0B87.5030200@innovationslab.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/PUgAZzfr2yNT-UUhi3RA-nPKKZM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 12:46:54 -0000
Hi, Brian, On 08/24/2015 09:18 AM, Brian Haberman wrote: >> Thanks so much for your feedback! -- Please find my responses in-line.... >> >> On 08/21/2015 08:16 PM, Brian Haberman wrote: >>> I have completed my AD evaluation of this draft as a part of the >>> publication process. I only have two comments/questions on this draft. >>> Once those are resolved, it can move along in the publication process. >>> >>> * Section 4 says the following: >>> >>> As a result, at least during the IPv6/IPv4 transition/co-existence >>> phase, it is probably safer to assume that only the low-order 16 bits >>> of the IPv6 Fragment Identification are of use to the destination >>> system. >>> >>> I think that statement is making an ill-advised generalization. The >>> above is true if one is looking at an atomic fragment. However, even if >>> we are talking about a transition/co-existence phase, there will still >>> be significant amounts of fragmented traffic between IPv6 nodes where >>> the full 32 bits of the fragment id are useful. What was the rationale >>> for the above generalization? >> >> The rationale is that, since you don't really know whether the remote >> endpoint is really an IPv6 node or an IPv4 node behind a translator, the >> only safe bet is to assume the worst ("it is a v4 node behind a >> translator, and hence only the low order 16 bits are meaningful"). > > If you are generating atomic fragments, you have a pretty good idea that > the lower 16 bits are the only ones that are meaningful. Yes. But if you're generating, say, 1280-byte or even 1500-byte fragments, you might still be going through a translator. (i.e., yes, you're right that for the "I'm generating atomic fragments case" you could infer that you're going through a translator... but generating atomic fragments is not a necessary condition for going through a translator -- e.g., think of an 1500-byte MTU on the IPv4 side). > Has there been > any data collected on the number of fragmented IPv6 packets that are > destined for IPv4 nodes where the PMTU is >1280? Or is this theoretical > analysis? I think you cannot really measure that, since you cannot really tell from the IPv6 address that the corresponding packets are being translated. So the question really boils down to "is the IPv4 Internet's MTU >1280 in many cases?" (and the answer is, of course, "yes") -- (in such cases atomic fragments will not be generated). >>> * Section 5.3's discussion of a hash-based id generation scheme says >>> this in the drawbacks: >>> >>> o Since the Fragment Identification values are predictable by the >>> destination host... >>> >>> How are the ID values predicted by the destination host? The source is >>> using secret values that presumably are not shared with the destination. >>> So how does this prediction work? >> >> These Frag ID values are predictable because the hash-based approach >> leads to a monotonically-increasing sequence (e.g., 1, 2, 3, 4) then >> it's easy to predict the sequence *by the destination host*. Of course, >> such sequence is not predictable by an off-path attacker. >> > > Monotonically-increasing? The text in 5.3 clearly says: > > With such a scheme, the Fragment Identification value of > each fragment datagram would be selected with the expression... > > That, to me, indicates that each time a Fragment ID is generated, the > hash function is invoked. How is it monotonically increasing if the > hash is invoked for each packet being fragmented? A simplified version of the expression in Section 5.3 would be: Identification = F(Src IP, Dst IP, secret1) + counter. If you're receiviving packets from the same src IP, to your same dst IP, those two addresses will be constant. secret1 is also constant. Then the expression results in: ID= F() + counter = random_number + counter for each (src IP, dst IP) (whre "counter" is a variable that is incremented for each fragmented packet that is sent). Hence successive packets will contain monotonically-increasing IDs (say {1, 2, 3..} , {345556, 345557, 345558,..} or whatever ). FWIW, the expression in Section 5.3 replaces the "counter" variable (from the simplified expression I wrote above) with an array of counters, such that we can avoid the use of a single global counter (to avoid e.g. [Sanfilippo1998b] and [Sanfilippo1999]) Please let me know if this clarifies your question... Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- AD Evaluation: draft-ietf-6man-predictable-fragme… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Brian Haberman
- Re: AD Evaluation: draft-ietf-6man-predictable-fr… Fernando Gont