IETF Logo Mail Archive

Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>

Fernando Gont <fgont@si6networks.com> Tue, 19 May 2015 07:16 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 774AF1ACDB0 for <ipv6@ietfa.amsl.com>; Tue, 19 May 2015 00:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sysx2KvtXThN for <ipv6@ietfa.amsl.com>; Tue, 19 May 2015 00:16:17 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D44331ACDB9 for <ipv6@ietf.org>; Tue, 19 May 2015 00:15:58 -0700 (PDT)
Received: from [190.113.211.203] (helo=[192.168.43.9]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1Yubkq-0005zL-TH; Tue, 19 May 2015 09:15:57 +0200
Message-ID: <555AE0AF.5050601@si6networks.com>
Date: Tue, 19 May 2015 04:05:19 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Bob Hinden <bob.hinden@gmail.com>
Subject: Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
References: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com> <54FCDECD.2040609@si6networks.com> <75C9B430-7D39-4466-AB17-0F3553EC6EB4@gmail.com>
In-Reply-To: <75C9B430-7D39-4466-AB17-0F3553EC6EB4@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/cBueK3vFFsw_wEBcr9LXSlqgzw0>
Cc: IPv6 List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 07:16:18 -0000

Hi, Bob,

On 05/18/2015 09:59 AM, Bob Hinden wrote:
> Fernando,
> 
> Thanks for making the changes.  I note that the latest draft still
> shows Windows 8 incorrectly.

Oops.. that was the result of an error while editing. Fixed. Thanks!


>> Thanks so much for your comments! Please find my responses
>> in-line....
>> 
>> On 03/03/2015 09:49 PM, Bob Hinden wrote:
>>> 
>>> The biggest issue is if advancing and publishing this draft is 
>>> worthwhile.  We note that in Appendix B "Survey of Fragment 
>>> Identification selection algorithms employed by popular IPv6 
>>> implementations”, of the implementation listed, all of the
>>> current ones (FreeBSD 9, Linux-current, OpenBSD-current) show
>>> unpredictable or random.  While there are many older obsolete
>>> operating systems that have issues, we aren’t going to fix
>>> these by publishing this draft.
>> 
>> FWIW, I'd say that a number of OSes (including Linux and Solaris)
>> were fixed as a result of this I-D, indeed (some even reference the
>> I-D in the code or commit messages). The reason why this happened 
>> earlier than the I-D became an RFC is that I usually socialize the
>> I-Ds I author/co-author with OS developers. However, there are
>> other OSes that still need to be fixed. And since we're talking
>> about IPv6 (not about IPv4), I'd expect new implementations to
>> appear (the word can't just be a handful of OSes, and I expect IPv6
>> to live long enough :-) )-- so this document would be of help to
>> them.
> 
> It’s great you are reaching out to OS developers.  That seems to be
> why it is getting fixed, I am not so sure that publishing an RFC will
> help that much.  I do agree there will be new IPv6 implementations.

It will certainly help in documenting what OSes do, and will certainly
be of help for new implementations, which an learn about the problem of
predictable I-Ds and also find possible approaches to avoid them.



>>> In Section 2 "Security Implications of Predictable Fragment 
>>> Identification values”.  The problems listed seem to us to be 
>>> overstated.  As the draft notes later, the issue with
>>> predictable fragment IDs in IPv6 is only an issue for IPv6
>>> packets with the fragment header.
>> 
>> Yes, but you can trigger fragmentation for any traffic flow (see 
>> draft-ietf-6man-deprecate-atomfrag-generation).
> 
> 
> Yes, if it knows the address of the other side of the connection.
> The attacker would have to be on link, or monitoring the traffic
> between the two hosts.  This make this attack much harder in practice
> for an off link attacker.  If on link, then there are so many better
> attacks.  Hence my comment of the problem being overstated.

It is trivial to know the IPv6 addresses involved for many scenarios.
e.g. BGP peer to BGP peer, secondary DNS to primary DNS, SMTP server to
SMTP server, etc.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email