Re: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09

Bob Hinden <bob.hinden@gmail.com> Thu, 20 December 2018 18:17 UTC

From: Bob Hinden <bob.hinden@gmail.com>
Message-Id: <9EFEE299-0BE6-4FBF-BA7B-AA4727F9F752@gmail.com>
Subject: Re: AUTH48 changes to draft-ietf-6man-rfc6434-bis-09
Date: Thu, 20 Dec 2018 10:16:57 -0800
In-Reply-To: <163A5F42-1D04-4B4A-8EE0-844BC76F0E7B@tzi.org>
Cc: Bob Hinden <bob.hinden@gmail.com>, Suresh Krishnan <suresh.krishnan@gmail.com>, IPv6 List <ipv6@ietf.org>, draft-ietf-6man-rfc6434-bis@ietf.org, 6man Chairs <6man-chairs@ietf.org>
To: Carsten Bormann <cabo@tzi.org>
References: <8A9ACE0F-8EF7-48D7-AB1A-309D05A350CC@gmail.com> <163A5F42-1D04-4B4A-8EE0-844BC76F0E7B@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/x-vuZmKA0pIC-e6kZAPdvGYDqIU>

Carsten,

> On Dec 20, 2018, at 9:35 AM, Carsten Bormann <cabo@tzi.org> wrote:
> 
> On Dec 20, 2018, at 07:20, Suresh Krishnan <suresh.krishnan@gmail.com> wrote:
>> 
>> NEW:
>> 
>> As per RFC 6980, hosts MUST NOT employ IPv6 fragmentation for sending any of the following Neighbor Discovery and SEcure Neighbor Discovery messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, Redirect, or Certification Path Solicitation.
> 
> Is it intentional that this places a requirement only on senders, not on receivers?
> It’s the receivers that are subject to the attacks enabled by fragmentation, so they are the ones that would need to ignore fragmented ND messages.

Good point; RFC 6980 describes senders and receivers. Maybe something like:

As specified in RFC 6980, nodes MUST NOT employ IPv6 fragmentation for sending any of the following Neighbor Discovery and SEcure Neighbor Discovery messages: Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement, Redirect, or Certification Path Solicitation.  Nodes MUST silently ignore any of these messages on receipt if fragmented.  See RFC 6980 for details and motivation.

Bob

> 
> Regards, Carsten
>
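The receiver-side rule discussed in this thread (RFC 6980: ignore Neighbor Discovery and SEND messages that arrive in a packet carrying a Fragment Header) is simple to state but easy to get wrong when extension headers precede the fragment header. The following is an added illustration written for this archive, not code from the thread, from RFC 6980 or from any IPv6 stack. It walks the IPv6 extension-header chain of a raw packet, remembers whether a Fragment Header was seen, and returns a verdict for the six message types the proposed text lists. Packet bytes are constructed inline (link-local source, all-nodes destination, ICMPv6 checksum left at zero since it is not validated here); a non-first fragment cannot be classified on its own, so it gets a separate verdict and the same check is assumed to run again on the reassembled datagram.

```python
import ipaddress
import struct

# IPv6 next-header values (IANA protocol numbers).
HOPOPTS, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 43, 44, 58, 60
CHAINABLE = {HOPOPTS, ROUTING, DSTOPTS}  # 8-byte-granular ext headers

# ICMPv6 types that RFC 6980 says MUST NOT be sent fragmented and MUST be
# ignored on receipt when fragmented (type numbers from RFC 4861 / RFC 3971).
ND_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
    148: "Certification Path Solicitation",
}


def classify(packet: bytes) -> str:
    """Receiver verdict for one raw IPv6 packet.

    Returns 'accept', 'drop:<ND message name>', 'reassemble' (non-first
    fragment; a real stack must re-run this check on the reassembled datagram,
    remembering that it was fragmented) or 'malformed'.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_hdr = packet[6]
    offset = 40          # end of the fixed IPv6 header
    fragmented = False
    while True:
        if next_hdr in CHAINABLE:
            if len(packet) < offset + 2:
                return "malformed"
            next_hdr = packet[offset]
            offset += (packet[offset + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units
        elif next_hdr == FRAGMENT:
            if len(packet) < offset + 8:
                return "malformed"
            next_hdr = packet[offset]
            frag_off = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            fragmented = True
            offset += 8
            if frag_off != 0:
                return "reassemble"   # upper-layer header is in another fragment
        elif next_hdr == ICMPV6:
            if len(packet) < offset + 1:
                return "malformed"    # first fragment without the ICMPv6 header
            icmp_type = packet[offset]
            if fragmented and icmp_type in ND_TYPES:
                return f"drop:{ND_TYPES[icmp_type]}"
            return "accept"
        else:
            return "accept"           # not ICMPv6, so RFC 6980 does not apply


# --- constructed sample packets (not captured traffic) ---------------------
SRC = ipaddress.IPv6Address("fe80::1").packed
DST = ipaddress.IPv6Address("ff02::1").packed


def build(next_hdr: int, ext_headers: bytes, upper: bytes) -> bytes:
    payload = ext_headers + upper
    # version 6, zero traffic class / flow label, hop limit 255 as ND requires
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255) + SRC + DST + payload


def icmpv6(msg_type: int, body: bytes) -> bytes:
    return struct.pack("!BBH", msg_type, 0, 0) + body   # checksum left zero


def frag_hdr(next_hdr: int, offset: int, more: int, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | more, ident)


NS = icmpv6(135, bytes(4) + ipaddress.IPv6Address("fe80::2").packed)
ECHO = icmpv6(128, bytes(4))
# Destination Options header (8 bytes, one PadN option) that chains to a Fragment Header.
DSTOPTS_HDR = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])

PLAIN_NS = build(ICMPV6, b"", NS)                                   # normal NS
FRAG_NS = build(FRAGMENT, frag_hdr(ICMPV6, 0, 0), NS)               # atomic fragment carrying NS
FRAG_ECHO = build(FRAGMENT, frag_hdr(ICMPV6, 0, 1), ECHO)           # fragmented echo: not ND
LATER_FRAG = build(FRAGMENT, frag_hdr(ICMPV6, 3, 0), bytes(8))      # non-first fragment
DSTOPT_FRAG_NS = build(DSTOPTS, DSTOPTS_HDR + frag_hdr(ICMPV6, 0, 0), NS)

if __name__ == "__main__":
    for name, pkt in [("PLAIN_NS", PLAIN_NS), ("FRAG_NS", FRAG_NS), ("FRAG_ECHO", FRAG_ECHO),
                      ("LATER_FRAG", LATER_FRAG), ("DSTOPT_FRAG_NS", DSTOPT_FRAG_NS)]:
        print(f"{name:15s} -> {classify(pkt)}")
```

The DSTOPT_FRAG_NS case is the one a naive check (look only at the first next-header byte) misses: the Fragment Header sits behind a Destination Options header, yet the packet still carries an ND message that the receiver must ignore.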