IETF Logo Mail Archive

Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>

Bob Hinden <bob.hinden@gmail.com> Mon, 18 May 2015 12:59 UTC

Return-Path: <bob.hinden@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8781ACD12 for <ipv6@ietfa.amsl.com>; Mon, 18 May 2015 05:59:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oIHG1wFvsKfF for <ipv6@ietfa.amsl.com>; Mon, 18 May 2015 05:59:14 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0302A1AC82C for <ipv6@ietf.org>; Mon, 18 May 2015 05:59:14 -0700 (PDT)
Received: by wicmx19 with SMTP id mx19so78177108wic.0 for <ipv6@ietf.org>; Mon, 18 May 2015 05:59:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to; bh=LgGH5Be9APNgC2zoxKKN80nueKe4oeV5PaNSSoqv2D8=; b=Zoyes8M7AZjxeinYy+oqY/mrGDr44QhmCUxAqJ3215CdkMOv6gbU4LI4aXdhtaOzGf xtDy5iNJINpcCDdg0JqP78JWV6Vnh2WMIyCptAHlRmyHNIvEcyUcKydGVuuS7tZ2KLXT 7HRB1oBpwvEfh3jwqolW4gd4QK8bNzx3jHoGnAJRJHm3+d63xGqUulqa//8rH3PhAOaS nwLLzkqnIQd4cdI+8E8IegDXE1Pwpv5YBOK8970eMcWEGpym+4oGXoR4hiOTH++3uolg xPDtfvqqXj2mvbYoQrz1otmyE/TKkPoirVUlzg8Qlmnw6+2+OivHGJmKyQMSWMe6Q3pj y76A==
X-Received: by 10.180.82.169 with SMTP id j9mr8401889wiy.54.1431953952741; Mon, 18 May 2015 05:59:12 -0700 (PDT)
Received: from [172.24.249.34] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id u6sm16817929wjy.13.2015.05.18.05.59.10 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 18 May 2015 05:59:11 -0700 (PDT)
Subject: Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_7497ED9A-CCF4-4848-A025-E4C30CDA10A5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5b6
From: Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <54FCDECD.2040609@si6networks.com>
Date: Mon, 18 May 2015 15:59:01 +0300
Message-Id: <75C9B430-7D39-4466-AB17-0F3553EC6EB4@gmail.com>
References: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com> <54FCDECD.2040609@si6networks.com>
To: Fernando Gont <fgont@si6networks.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/eMLlLyfMvl5Bhn58eyR6ER5lF-g>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2015 12:59:16 -0000

Fernando,

Thanks for making the changes.  I note that the latest draft still shows Windows 8 incorrectly.

A few comments on your comments below.

Bob


> On Mar 9, 2015, at 1:44 AM, Fernando Gont <fgont@si6networks.com> wrote:
> 
> Hi, Bob,
> 
> Thanks so much for your comments! Please find my responses in-line....
> 
> On 03/03/2015 09:49 PM, Bob Hinden wrote:
>> 
>> The biggest issue is if advancing and publishing this draft is
>> worthwhile.  We note that in Appendix B "Survey of Fragment
>> Identification selection algorithms employed by popular IPv6
>> implementations”, of the implementation listed, all of the current
>> ones (FreeBSD 9, Linux-current, OpenBSD-current) show unpredictable
>> or random.  While there are many older obsolete operating systems
>> that have issues, we aren’t going to fix these by publishing this
>> draft.
> 
> FWIW, I'd say that a number of OSes (including Linux and Solaris) were
> fixed as a result of this I-D, indeed (some even reference the I-D in
> the code or commit messages). The reason why this happened
> earlier than the I-D became an RFC is that I usually socialize the I-Ds
> I author/co-author with OS developers. However, there are other OSes
> that still need to be fixed. And since we're talking about IPv6 (not
> about IPv4), I'd expect new implementations to appear (the word can't
> just be a handful of OSes, and I expect IPv6 to live long enough :-) )--
> so this document would be of help to them.

It’s great you are reaching out to OS developers.  That seems to be why it is getting fixed, I am not so sure that publishing an RFC will help that much.  I do agree there will be new IPv6 implementations.

> 
>> The report does not list current versions of Windows (9 or
>> 10), nor any mobile OS’s (though, IOS and Android are based on BSD
>> and Linux respectively).
> 
> The list is not really meant to be exhaustive. However, I've just
> augmented it (with 5+ OSes).
> 
> 
> 
>> Moderate
>> 
>> In Section 2 "Security Implications of Predictable Fragment
>> Identification values”.  The problems listed seem to us to be
>> overstated.  As the draft notes later, the issue with predictable
>> fragment IDs in IPv6 is only an issue for IPv6 packets with the
>> fragment header.
> 
> Yes, but you can trigger fragmentation for any traffic flow (see
> draft-ietf-6man-deprecate-atomfrag-generation).


Yes, if it knows the address of the other side of the connection.  The attacker would have to be on link, or monitoring the traffic between the two hosts.  This make this attack much harder in practice for an off link attacker.  If on link, then there are so many better attacks.  Hence my comment of the problem being overstated.

> 
> 
>> Traffic that doesn’t include a fragment header is,
>> of course, immune.  This alone reduces the severity of the problems
>> listed.  We don’t think the draft makes this clear.
> 
> Truth is that right now it is trivial to trigger the use of
> fragmentation (just fire an ICMPv6 PTB<1280).
> 

Same as above.

> 
> 
>> On Page 5 of Section 2, the draft cites problems with Linux 2.6.38-8.
>> This is an old version of the Linux kernel and we don’t think it
>> justifies the problem, especially since according to the appendix it
>> is fixed in later version of the Linux kernel.
> 
> FWIW, Linux was fixed in response to this document.

Good!

> 
> 
>> [CPNI-IPv6]  Gont, F., "Security Assessment of the Internet Protocol
>> version 6 (IPv6)", UK Centre for the Protection of National
>> Infrastructure, (available on request).
>> 
>> Including a reference that isn’t generally available, appears to be
>> an issue to us if this is part of the justification for this work.
>> Has anyone in the working group reviewed it?  We suggest it be
>> removed or the document referenced be made available on a stable web
>> site.
> 
> The reference (now removed) just elaborated on the vulnerabilities.
> Essentially, the problem is well known form the IPv4 world. The only
> additional item to consider for th IPv6 case is that you can trigger the
> use of fragmentation for any traffic flow, which in IPv4 you simply can’t.

Thanks, the problem was that the document was not accessible.

> 
> 
>> Issue #2: Remove:  [I-D.ietf-6man-deprecate-atomfrag-generation] aims
>> at deprecating the generation of IPv6 atomic fragments.
> 
> No issues with removing this. But isn't this really relevant?
> 
> [All other changes applied]

Thanks!

> 
> Thanks so much!
> 
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email