Re: [Pana] on PANA's requirement to use the unspecified address
Thomas Narten <narten@us.ibm.com> Tue, 11 November 2003 15:22 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA05316 for <pana-archive@lists.ietf.org>; Tue, 11 Nov 2003 10:22:23 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AJaLB-0007Le-SW; Tue, 11 Nov 2003 10:22:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AJaKR-0007HT-GN for pana@optimus.ietf.org; Tue, 11 Nov 2003 10:21:16 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA05195 for <pana@ietf.org>; Tue, 11 Nov 2003 10:21:02 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AJaKP-0004U2-00 for pana@ietf.org; Tue, 11 Nov 2003 10:21:13 -0500
Received: from e35.co.us.ibm.com ([32.97.110.133]) by ietf-mx with esmtp (Exim 4.12) id 1AJaKO-0004Th-00 for pana@ietf.org; Tue, 11 Nov 2003 10:21:12 -0500
Received: from westrelay01.boulder.ibm.com (westrelay01.boulder.ibm.com [9.17.195.10]) by e35.co.us.ibm.com (8.12.10/8.12.2) with ESMTP id hABFKdcF421858; Tue, 11 Nov 2003 10:20:39 -0500
Received: from cichlid.raleigh.ibm.com (sig-9-65-234-33.mts.ibm.com [9.65.234.33]) by westrelay01.boulder.ibm.com (8.12.9/NCO/VER6.6) with ESMTP id hABFKcwj161832; Tue, 11 Nov 2003 08:20:39 -0700
Received: from cichlid.raleigh.ibm.com (narten@localhost) by cichlid.raleigh.ibm.com (8.11.6/8.9.3) with ESMTP id hABFHW310302; Tue, 11 Nov 2003 09:17:34 -0600
Message-Id: <200311111517.hABFHW310302@cichlid.raleigh.ibm.com>
To: Mohan Parthasarathy <mohanp@sbcglobal.net>
cc: pana@ietf.org
Subject: Re: [Pana] on PANA's requirement to use the unspecified address
In-Reply-To: Message from mohanp@sbcglobal.net of "Fri, 07 Nov 2003 14:10:55 PST." <001d01c3a57c$03f59620$34100a0a@adithya>
Date: Tue, 11 Nov 2003 09:17:28 -0600
From: Thomas Narten <narten@us.ibm.com>
Sender: pana-admin@ietf.org
Errors-To: pana-admin@ietf.org
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
> > > PANA SHOULD not assume that the PaC has acquired an IP address before > > > PANA begins. > It is a "SHOULD" above. Perhaps you are saying that it should be a "MAY" ? What I'd prefer, is that it not be even a MAY. I.e, just drop this completely. The basic problem here is that we are talking about a capability that the PANA protocol would need to support, even if it is only a MAY. It's like being a little pregnant. If there is a need (however rare in practice) that the unspecified address needs to be used, the PANA protocol has to include this and implementations will need to support it. So you have to deal with all the ramifications in the PANA protocol. > > a) the address depletion one is significant in the overall scheme of > > things. > > > > b) using the unspecified address would not leave the network > > vulnerable to other DOS attacks that make solving the previous one > > a waste of time. Note: folk might want to look at > > draft-ietf-vrrp-spec-v2-09.txt where they _removed_ security > > mechanisms after concluding they were useless due to bigger DOS > > issues related to IP's reliance on ARP. > > > The basic idea is to see whether it is possible to mitigate against > address depletion attack assuming there are good tradeoffs. I am > not sure why this DoS attack needs special treatment compared > to other DoS attacks. Yep. That is what I'm trying to understand. > > Second, there are significant stack complications to allowing generic > > communication with an unspecified address. Things to consider: > > > > - IP fragmentation doesn't work reliably anymore (a recieving machine > > might think two fragments that are actually from two different > > machines are from the same machine, and reassemble them improperly). > > > Agreed. Some stacks maintain the reassembly queue per interface which solves > problem with link-local addresses in general. But for unspecified address, > unless mac addresses are used (which may not be reasonable), the problem > will exist. It is not reasonable, IMO, because this is a change to the IP stack itself. Not in the scope of PANA to require. Thomas _______________________________________________ Pana mailing list Pana@ietf.org https://www1.ietf.org/mailman/listinfo/pana
- [Pana] on PANA's requirement to use the unspecifi… Thomas Narten
- Re: [Pana] on PANA's requirement to use the unspe… Mohan Parthasarathy
- Re: [Pana] on PANA's requirement to use the unspe… Alper Yegin
- RE: [Pana] on PANA's requirement to use the unspe… Soliman Hesham
- Re: [Pana] on PANA's requirement to use the unspe… Alper Yegin
- Re: [Pana] on PANA's requirement to use the unspe… Jari Arkko
- RE: [Pana] on PANA's requirement to use the unspe… Soliman Hesham
- Re: [Pana] on PANA's requirement to use the unspe… Alper Yegin
- Re: [Pana] on PANA's requirement to use the unspe… Alper Yegin
- Re: [Pana] on PANA's requirement to use the unspe… Prakash Jayaraman
- RE : [Pana] on PANA's requirement to use the unsp… MORAND Lionel FTRD/DAC/ISS
- Re: [Pana] on PANA's requirement to use the unspe… Mohan Parthasarathy
- RE: [Pana] on PANA's requirement to use the unspe… Soliman Hesham
- Re: [Pana] on PANA's requirement to use the unspe… Thomas Narten