Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
Fernando Gont <fgont@si6networks.com> Sun, 08 March 2015 23:49 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E2C1A033B for <ipv6@ietfa.amsl.com>; Sun, 8 Mar 2015 16:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogpzcfmsmY4T for <ipv6@ietfa.amsl.com>; Sun, 8 Mar 2015 16:49:25 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA3041A0277 for <ipv6@ietf.org>; Sun, 8 Mar 2015 16:49:24 -0700 (PDT)
Received: from cl-1071.udi-01.br.sixxs.net ([2001:1291:200:42e::2]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1YUkwj-0002lz-EV; Mon, 09 Mar 2015 00:49:21 +0100
Message-ID: <54FCDECD.2040609@si6networks.com>
Date: Mon, 09 Mar 2015 00:44:13 +0100
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Subject: Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
References: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com>
In-Reply-To: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/gy5qvQZkoUXdGxzOD6CDeygxftU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2015 23:49:28 -0000
Hi, Bob,

Thanks so much for your comments! Please find my responses in-line....

On 03/03/2015 09:49 PM, Bob Hinden wrote:
>
> The biggest issue is if advancing and publishing this draft is
> worthwhile. We note that in Appendix B "Survey of Fragment
> Identification selection algorithms employed by popular IPv6
> implementations", of the implementation listed, all of the current
> ones (FreeBSD 9, Linux-current, OpenBSD-current) show unpredictable
> or random. While there are many older obsolete operating systems
> that have issues, we aren't going to fix these by publishing this
> draft.

FWIW, I'd say that a number of OSes (including Linux and Solaris) were fixed as a result of this I-D, indeed (some even reference the I-D in the code or commit messages). The reason why this happened earlier than the I-D became an RFC is that I usually socialize the I-Ds I author/co-author with OS developers.

However, there are other OSes that still need to be fixed. And since we're talking about IPv6 (not about IPv4), I'd expect new implementations to appear (the world can't just be a handful of OSes, and I expect IPv6 to live long enough :-) ) -- so this document would be of help to them.

> The report does not list current versions of Windows (9 or
> 10), nor any mobile OS's (though, IOS and Android are based on BSD
> and Linux respectively).

The list is not really meant to be exhaustive. However, I've just augmented it (with 5+ OSes).

> Moderate
>
> In Section 2 "Security Implications of Predictable Fragment
> Identification values". The problems listed seem to us to be
> overstated. As the draft notes later, the issue with predictable
> fragment IDs in IPv6 is only an issue for IPv6 packets with the
> fragment header.

Yes, but you can trigger fragmentation for any traffic flow (see draft-ietf-6man-deprecate-atomfrag-generation).

> Traffic that doesn't include a fragment header is,
> of course, immune. This alone reduces the severity of the problems
> listed. We don't think the draft makes this clear.

Truth is that right now it is trivial to trigger the use of fragmentation (just fire an ICMPv6 PTB<1280).

> On Page 5 of Section 2, the draft cites problems with Linux 2.6.38-8.
> This is an old version of the Linux kernel and we don't think it
> justifies the problem, especially since according to the appendix it
> is fixed in later version of the Linux kernel.

FWIW, Linux was fixed in response to this document.

> [CPNI-IPv6] Gont, F., "Security Assessment of the Internet Protocol
> version 6 (IPv6)", UK Centre for the Protection of National
> Infrastructure, (available on request).
>
> Including a reference that isn't generally available, appears to be
> an issue to us if this is part of the justification for this work.
> Has anyone in the working group reviewed it? We suggest it be
> removed or the document referenced be made available on a stable web
> site.

The reference (now removed) just elaborated on the vulnerabilities. Essentially, the problem is well known from the IPv4 world. The only additional item to consider for the IPv6 case is that you can trigger the use of fragmentation for any traffic flow, which in IPv4 you simply can't.

> Issue #2: Remove: [I-D.ietf-6man-deprecate-atomfrag-generation] aims
> at deprecating the generation of IPv6 atomic fragments.

No issues with removing this. But isn't this really relevant?

[All other changes applied]

Thanks so much!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
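The exchange above contrasts the two Fragment Identification selection policies the draft's Appendix B surveys: a predictable global counter versus an unpredictable (random) value per packet. As an added example, not code from this thread, the draft, or any of the operating systems it surveys, here is a small Python model of both policies plus a heuristic an implementer can run over Identification values emitted by their own stack to see which category it falls into. All class and function names are mine, the generators are constructed models rather than any real stack's code, and the `max_step` cut-off is an assumed threshold the draft does not specify.

```python
import secrets

ID_MODULUS = 1 << 32  # the IPv6 Fragment Identification field is 32 bits wide


class SequentialIdGenerator:
    """Constructed model of a global-counter policy: each fragmented packet
    gets the previous Identification plus one, wrapping at 2^32.  This is the
    predictable scheme the draft argues against."""

    def __init__(self, start=0):
        self.counter = start % ID_MODULUS

    def next_id(self):
        value = self.counter
        self.counter = (self.counter + 1) % ID_MODULUS
        return value


class RandomIdGenerator:
    """Constructed model of an unpredictable policy: a fresh CSPRNG value per
    packet, the category Appendix B reports for current FreeBSD, Linux and
    OpenBSD.  Real stacks may add collision avoidance; omitted here."""

    def next_id(self):
        return secrets.randbits(32)


def classify_id_sequence(ids, max_step=1000):
    """Heuristic classification of Identification values observed from one
    vantage point, in emission order.  Returns "sequential" when every
    successive difference (mod 2^32) is a small positive step, "unpredictable"
    when at most half of them are, and "mixed" otherwise.  max_step is an
    assumed cut-off.  A per-destination counter looks "sequential" from a
    single observer too, so this only separates counter-like from random-like
    behaviour; it does not prove a counter is global."""
    if len(ids) < 3:
        raise ValueError("need at least three observed Identification values")
    deltas = [(later - earlier) % ID_MODULUS for earlier, later in zip(ids, ids[1:])]
    small_steps = sum(1 for d in deltas if 0 < d <= max_step)
    if small_steps == len(deltas):
        return "sequential"
    if small_steps <= len(deltas) // 2:
        return "unpredictable"
    return "mixed"


def audit_generator(generator, samples=64):
    """Draw `samples` Identification values from a generator model and
    classify them, the way an implementer might audit their own stack.
    Returns (observed_ids, verdict)."""
    observed = [generator.next_id() for _ in range(samples)]
    return observed, classify_id_sequence(observed)


if __name__ == "__main__":
    # Start the counter near the top of the field to show that wrap-around
    # does not hide the sequential pattern from the modular delta check.
    for name, gen in (("global counter", SequentialIdGenerator(start=0xFFFFFFF0)),
                      ("CSPRNG", RandomIdGenerator())):
        ids, verdict = audit_generator(gen)
        print(f"{name:14s} first IDs {[hex(i) for i in ids[:4]]} -> {verdict}")
```

The modular delta is what makes the check robust: a counter that wraps from 0xFFFFFFFF to 0 still yields a step of 1, so an audit that only looked at raw differences would misreport the wrap as a random jump. Conversely, a stack that the audit reports as "mixed" deserves a closer look, since some fraction of its fragments are being numbered in a way an observer can anticipate.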