IETF Logo Mail Archive

Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>

Fernando Gont <fgont@si6networks.com> Sun, 08 March 2015 23:49 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E2C1A033B for <ipv6@ietfa.amsl.com>; Sun, 8 Mar 2015 16:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogpzcfmsmY4T for <ipv6@ietfa.amsl.com>; Sun, 8 Mar 2015 16:49:25 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA3041A0277 for <ipv6@ietf.org>; Sun, 8 Mar 2015 16:49:24 -0700 (PDT)
Received: from cl-1071.udi-01.br.sixxs.net ([2001:1291:200:42e::2]) by web01.jbserver.net with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.85) (envelope-from <fgont@si6networks.com>) id 1YUkwj-0002lz-EV; Mon, 09 Mar 2015 00:49:21 +0100
Message-ID: <54FCDECD.2040609@si6networks.com>
Date: Mon, 09 Mar 2015 00:44:13 +0100
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Subject: Re: Chairs Review on <draft-ietf-6man-predictable-fragment-id-02>
References: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com>
In-Reply-To: <6277AC1A-F1ED-4BE9-984E-C424BC9A5136@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/gy5qvQZkoUXdGxzOD6CDeygxftU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2015 23:49:28 -0000

Hi, Bob,

Thanks so much for your comments! Please find my responses in-line....

On 03/03/2015 09:49 PM, Bob Hinden wrote:
> 
> The biggest issue is if advancing and publishing this draft is
> worthwhile.  We note that in Appendix B "Survey of Fragment
> Identification selection algorithms employed by popular IPv6
> implementations”, of the implementation listed, all of the current
> ones (FreeBSD 9, Linux-current, OpenBSD-current) show unpredictable
> or random.  While there are many older obsolete operating systems
> that have issues, we aren’t going to fix these by publishing this
> draft.

FWIW, I'd say that a number of OSes (including Linux and Solaris) were
fixed as a result of this I-D, indeed (some even reference the I-D in
the code or commit messages). The reason why this happened
earlier than the I-D became an RFC is that I usually socialize the I-Ds
I author/co-author with OS developers. However, there are other OSes
that still need to be fixed. And since we're talking about IPv6 (not
about IPv4), I'd expect new implementations to appear (the word can't
just be a handful of OSes, and I expect IPv6 to live long enough :-) )--
so this document would be of help to them.


> The report does not list current versions of Windows (9 or
> 10), nor any mobile OS’s (though, IOS and Android are based on BSD
> and Linux respectively). 

The list is not really meant to be exhaustive. However, I've just
augmented it (with 5+ OSes).



> Moderate
> 
> In Section 2 "Security Implications of Predictable Fragment
> Identification values”.  The problems listed seem to us to be
> overstated.  As the draft notes later, the issue with predictable
> fragment IDs in IPv6 is only an issue for IPv6 packets with the
> fragment header.

Yes, but you can trigger fragmentation for any traffic flow (see
draft-ietf-6man-deprecate-atomfrag-generation).


> Traffic that doesn’t include a fragment header is,
> of course, immune.  This alone reduces the severity of the problems
> listed.  We don’t think the draft makes this clear.

Truth is that right now it is trivial to trigger the use of
fragmentation (just fire an ICMPv6 PTB<1280).



> On Page 5 of Section 2, the draft cites problems with Linux 2.6.38-8.
> This is an old version of the Linux kernel and we don’t think it
> justifies the problem, especially since according to the appendix it
> is fixed in later version of the Linux kernel.

FWIW, Linux was fixed in response to this document.


> [CPNI-IPv6]  Gont, F., "Security Assessment of the Internet Protocol 
> version 6 (IPv6)", UK Centre for the Protection of National
> Infrastructure, (available on request).
> 
> Including a reference that isn’t generally available, appears to be
> an issue to us if this is part of the justification for this work.
> Has anyone in the working group reviewed it?  We suggest it be
> removed or the document referenced be made available on a stable web
> site.

The reference (now removed) just elaborated on the vulnerabilities.
Essentially, the problem is well known form the IPv4 world. The only
additional item to consider for th IPv6 case is that you can trigger the
use of fragmentation for any traffic flow, which in IPv4 you simply can't.


> Issue #2: Remove:  [I-D.ietf-6man-deprecate-atomfrag-generation] aims
> at deprecating the generation of IPv6 atomic fragments.

No issues with removing this. But isn't this really relevant?

[All other changes applied]

Thanks so much!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email