Re: Next steps for draft-gont-6man-predictable-fragment-id

I believe the doc describes nicely the possible security issues of predictable fragment ids in IPv6.
Although the attack scenarios aren't so common/easy as in IPv4 and various operating systems have fixed most of them, i still find urgent to need to standardize this behavior, now that IPv6 is still not thoroughly exposed to the wild. Thinking some years ahead, the internet of things multiplies the chances of something bad happening due to this.
I'm having a doubt about the title though, because "Security Implications of Predictable Fragment Identification Values" gives the impression of a BCP or informational.

Lastly,  i would also vote for another doc giving general directions for usage of such fields (ids, sequence numbers, ports, etc) in future protocols. It feels strange to meet the same issues again and again.

PS: it would be good to find a way to somehow authenticate/verify ICMPv6 PTB messages; then many fragment-related issues would probably be solved in advance.

--
Tassos

Ole Troan wrote on 28/02/2013 21:51:
> Hi,
>
> The draft-gont-6man-predictable-fragment-id document has been discussed a few times.
> At the IETF84 (minutes attached below), and in the thread:
> http://www.ietf.org/mail-archive/web/ipv6/current/msg15836.html
>
> Could we get the working groups opinion on what to do with the document?
>
> - Is there interest in working on it in 6man?
>   (if yes, you must be willing to contribute, if no, then say why)
>
> Best regards,
> Ole & Bob
>
>
>
> IETF84 minutes:
> ============
> Fernando Gont presented the draft about Security Implications of
> Predictable Fragment Identification Values,
> (draft-gont-6man-predictable-fragment-id-02.txt)
>
> Ole Troan wanted to make this document more generic and discuss the
> implications of using predictable values in Internet
> protocols. Fernando 
>
> Bob Hinden wanted to see a longer list of OSs. He was also curious as
> to whether this was problem that needed to be fixed in IETF or was
> this already common knowledge.
>
> Erik Kline wanted to know if there was an IAB document that
> recommended the use of non-predictable values if there was an integer
> field that did not need specific values.
>
> Thomas Narten was not sure what to do with this. This fell under the
> category of "don't do anything stupid". e.g. Why do a document for
> IPv6 for things that were well known in IPv4?
>
> Lorenzo Colitti thought that this work was not harmful and should be
> pursued irrespective of any iab work.
>
> Brian Haberman did not want to have a point solution for every field
> and he would like to see a more general document applicable across the
> IETF. Fernando was concerned on whether implementers would read this
> generic document. Brian believed that this generic document could be
> referred to in the node requirements document, thus ensuring that IPv6
> implementers would read it.
>
> Joel Jaeggli thought that it was a worthwhile activity to look at
> existing implementations and flag this as a potential issue that was
> common across multiple implementations. Thomas Narten and Erik Kline
> agreed with Joel.
>
> Dave mentioned that RFC4732 (Internet DOS considerations) talked about
> using unpredictable values for session ids. Fernando talked about
> other issues discovered after 4732 that still had this issue. Dave
> believed that this sort of work needs to be done by the saag and if
> this was included in a statement from saag as something to look for in
> SecDir reviews, it would have the largest impact.
>
> Chairs wanted to continue discussion on mailing list and requested
> Fernando to discuss potential changes with Joel J.
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>