[dnsext] Some feedback on draft-andrews-dnsext-udp-fragmentation-00.txt

Fernando Gont <fernando@gont.com.ar> Fri, 16 December 2011 19:59 UTC

Message-ID: <4EEB70EC.50702@gont.com.ar>
Date: Fri, 16 Dec 2011 13:25:16 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15
MIME-Version: 1.0
To: dnsext@ietf.org
Subject: [dnsext] Some feedback on draft-andrews-dnsext-udp-fragmentation-00.txt

Mark,

Here's some feedback about the aforementioned I-D.

** Technical **

Section 3:
>    It should be noted that even with IPV6_USE_MIN_MTU set to one that a
>    PTB message may still be received [RFC 2460] which requires a IPv6 to
>    add a Fragmentation header to subsequent packets.  There is currently
>    no way to avoid this, without using raw sockets, as there is no way
>    for a application to request that a Fragmentation header be added to
>    a packet.

I understand that this could (at least in theory) happen but, out of
curiosity: are there any devices that leverage the aforementioned
feature specified in RFC 2460? NAT64? Others?


Section 5 (Security Considerations):
All these IPv4 issues are discussed in detail in RFC 6274.

Also, as noted in my feedback about your other I-D:
Relying on fragmentation doesn't come for free, either. In particular,
if implementations use predictable Fragment IDs (see
draft-gont-6man-predictable-fragment-id) fragmentation-related attacks
become pretty much feasible.


** Editorial **

Abstract: Expand the Abstract briefly outlining the problem.


Section 3:
> These include, but are
>    not limited to, setting the interface the packets are being sent over
>    should be set to the network MTU (1280 bytes), or restricing DNS/UDP
>    packets to no more than 1280 bytes including IPv6 headers.

This does not parse. You should probably rephrase to "setting the MTU of
the interface the packets are being sent over to the minimum IPv6 MTU
(1280 bytes)".

(Note that I've also s/network MTU/minimum IPv6 MTU/)

Section 3:
>    It should be noted that even with IPV6_USE_MIN_MTU set to one that a
>    PTB message may still be received [RFC 2460] which requires a IPv6 to
>    add a Fragmentation header to subsequent packets.  There is currently
>    no way to avoid this, without using raw sockets, as there is no way
>    for a application to request that a Fragmentation header be added to
>    a packet.

Add a pointer to your other I-D specifying a mechanism to achieve this.



** Nits **

Section 1:
>    network and no PMTUD was performed.  With IPv6 fragmentation occurs
>    in the sending node and PMTUD is alway performed unless the IPv6
>    packet is fragmented by the sending node using the network MTU.

s/alway/always/


Section 1:
> PMTUD discover

Replace with "Path-MTU Discovery".


Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
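An added example (not code from the draft, this e-mail, or any implementation they mention) of what the two sender-side measures discussed in Section 3 look like on a POSIX socket: setting IPV6_USE_MIN_MTU and capping the DNS/UDP payload so the whole IPv6 packet fits in 1280 bytes. The function names are mine, and the fallback value 63 for IPV6_USE_MIN_MTU is the Linux one, assumed only when the system headers do not define the macro.

```c
#include <errno.h>
#include <stddef.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallback for headers that lack the option name; 63 is the Linux UAPI
 * value (assumption: the build targets Linux when the macro is missing). */
#ifndef IPV6_USE_MIN_MTU
#define IPV6_USE_MIN_MTU 63
#endif

#define IPV6_MIN_MTU  1280  /* minimum link MTU every IPv6 link must carry */
#define IPV6_HDR_LEN  40
#define UDP_HDR_LEN   8

/* Largest DNS message that fits in one minimum-MTU IPv6/UDP packet:
 * 1280 - 40 - 8 = 1232 bytes with no extension headers. ext_hdr_len
 * accounts for any extension headers the stack will insert (a Fragment
 * header is 8 bytes). */
size_t max_dns_udp_payload(size_t ext_hdr_len) {
    size_t overhead = IPV6_HDR_LEN + UDP_HDR_LEN + ext_hdr_len;
    return overhead >= IPV6_MIN_MTU ? 0 : IPV6_MIN_MTU - overhead;
}

/* Payload limit a responder should honour: the smaller of the client's
 * advertised EDNS UDP buffer size and the 1280-byte cap. */
size_t udp_response_limit(size_t peer_bufsize, size_t ext_hdr_len) {
    size_t cap = max_dns_udp_payload(ext_hdr_len);
    return peer_bufsize < cap ? peer_bufsize : cap;
}

/* 1 when a response of resp_len bytes must instead go out truncated
 * (TC=1) so the client retries over TCP, rather than risk fragmentation. */
int must_truncate(size_t resp_len, size_t peer_bufsize, size_t ext_hdr_len) {
    return resp_len > udp_response_limit(peer_bufsize, ext_hdr_len);
}

/* IPv6 UDP socket with IPV6_USE_MIN_MTU=1: the stack treats 1280 as the
 * path MTU and fragments anything larger at the source, instead of
 * depending on PMTUD. Returns the fd, or -1 with errno set. */
int open_min_mtu_udp6_socket(void) {
    int one = 1;
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &one, sizeof one) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}
```

As the e-mail points out, even with the option set a PTB message can still make the stack add a Fragment header, which is why the payload helpers take an ext_hdr_len argument.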


