Re: [savi] Potential issue for all SAVI mechanisms?

Fred Baker <fred@cisco.com> Fri, 09 September 2011 16:50 UTC

From: Fred Baker <fred@cisco.com>
In-Reply-To: <CAA7e52oYxY0K+e2NpmMnybdPajXAY3pcgno5Cj_zg+Mw+YqFcA@mail.gmail.com>
Date: Fri, 09 Sep 2011 09:52:30 -0700
Message-Id: <6808F94D-BDE1-464A-99D7-491D7174EE57@cisco.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com> <4E0A11D8.5010300@joelhalpern.com> <BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com> <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com> <000001cc6c8a$a4857c80$ed907580$@it.uc3m.es> <4E662CAF.1010905@joelhalpern.com> <003c01cc6cb7$238670d0$6a935270$@it.uc3m.es> <4E665A4F.9080608@joelhalpern.com> <B31B8DE2-F666-4C71-9509-AE1DB43520CC@cisco.com> <CAA7e52oYxY0K+e2NpmMnybdPajXAY3pcgno5Cj_zg+Mw+YqFcA@mail.gmail.com>
To: Jean-Michel Combes <jeanmichel.combes@gmail.com>
Cc: SAVI Mailing List <savi@ietf.org>, Alberto García <alberto@it.uc3m.es>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?

On Sep 9, 2011, at 8:06 AM, Jean-Michel Combes wrote:

> Hi Fred,
> 
> same clarification: from your point of view, we have just to mention
> the issue without adding a potential solution to
> mitigate it, correct?

Yes. From my perspective, the most likely solution to be developed in 6man is to ignore ICMP messages with headers or which arrive fragmented, so that sending the messages is at most a bandwidth DoS but has no other real effect. In SAVI, however, it makes sense to mention that there is a problem.

> Thanks.
> 
> Yours,
> 
> JMC.
> 
> 2011/9/6 Fred Baker <fred@cisco.com>:
>> 
>> On Sep 6, 2011, at 10:37 AM, Joel M. Halpern wrote:
>>> It seems to me much better to note this vulnerability in SAVI, and leave it there.
>>> If we want it fixed, 6man should simply instruct hosts not to accept RAs or DHCPs in fragmented packets.
>> 
>> Having 6man fix it makes sense to me. I'm not sure how we can fix it in SAVI without asking the switch to reassemble fragmented messages.
>> _______________________________________________
>> savi mailing list
>> savi@ietf.org
>> https://www.ietf.org/mailman/listinfo/savi
>>
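The two points made in this exchange, the host-side rule of ignoring Neighbor Discovery messages that arrive fragmented (or, in the broader form Fred mentions, that carry any extension header in front of the ICMPv6 header), and Fred's observation that a switch cannot classify a non-initial fragment without reassembling it, can both be shown on concrete packets. The following is an added example written for this archive page; it is not code from the thread, from any SAVI implementation, or from 6man. The function names (`walk_header_chain`, `nd_filter`), the packet builders and the sample packets are constructed for illustration; ICMPv6 checksums are left at zero and are not validated, and the `strict` flag is my own name for the broader "any extension header" form of the rule.

```python
import struct

# IPv6 next-header values (IANA protocol numbers)
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, ICMPV6, TCP = 0, 43, 44, 60, 58, 6
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect


def walk_header_chain(pkt: bytes):
    """Follow the IPv6 extension header chain of one packet.

    Returns (ext_chain, upper_proto, upper_offset, frag_offset); frag_offset is
    None when no Fragment header is present, otherwise the 13-bit offset field.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain, frag_offset = pkt[6], 40, [], None
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(next_hdr)
        is_frag = next_hdr == FRAGMENT
        if is_frag:
            # Fragment header is a fixed 8 octets; offset is the upper 13 bits of octets 2-3
            frag_offset = struct.unpack_from("!H", pkt, offset + 2)[0] >> 3
            hdr_len = 8
        else:
            hdr_len = (pkt[offset + 1] + 1) * 8  # Hdr Ext Len counts 8-octet units beyond the first
        next_hdr = pkt[offset]
        offset += hdr_len
        if is_frag and frag_offset:
            break  # non-initial fragment: what follows is payload data, not a header
    return chain, next_hdr, offset, frag_offset


def nd_filter(pkt: bytes, strict: bool = False) -> str:
    """Apply the 'ignore ND that arrives fragmented' policy to one packet.

    strict=True also drops ND messages preceded by any extension header, the
    broader form of the rule. A non-initial fragment is reported as
    'unclassifiable': without reassembly there is no ICMPv6 header to inspect,
    which is exactly the switch's blind spot discussed in the thread.
    """
    chain, upper, off, frag_offset = walk_header_chain(pkt)
    if frag_offset:
        return "unclassifiable"
    if upper != ICMPV6 or off + 4 > len(pkt):
        return "pass"  # not ICMPv6 at all: the ND policy does not apply
    if pkt[off] not in ND_TYPES:
        return "pass"  # ICMPv6 but not Neighbor Discovery
    if frag_offset == 0:
        return "drop-fragmented"  # first fragment of an ND message
    if strict and chain:
        return "drop-ext-header"
    return "accept"


# --- constructed sample packets (assumed values, not captured traffic) ---

def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 12 + "0001")  # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")    # ff02::1 (all-nodes)
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload


def router_advertisement(hop_limit: int = 64) -> bytes:
    # type 134, code 0, checksum 0 (not computed), cur hop limit, flags, router lifetime, reachable, retrans
    return struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, 0, 1800, 0, 0)


def hop_by_hop(next_header: int) -> bytes:
    # Hop-by-Hop header of one 8-octet unit: next hdr, ext len 0, PadN option of 4 octets
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


SAMPLES = {
    "plain_ra": ipv6(ICMPV6, router_advertisement()),
    "hbh_ra": ipv6(HOPOPTS, hop_by_hop(ICMPV6) + router_advertisement()),
    "frag_first_ra": ipv6(FRAGMENT, fragment_header(ICMPV6, 0, True) + router_advertisement()),
    "frag_tail": ipv6(FRAGMENT, fragment_header(ICMPV6, 1, False) + b"\x00" * 8),
    "tcp": ipv6(TCP, b"\x00" * 20),
    "echo": ipv6(ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 0])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} lenient={nd_filter(pkt):16s} strict={nd_filter(pkt, strict=True)}")
```

Running the block prints one decision per sample under both forms of the rule. The `frag_tail` case is the one a snooping switch sees when an RA is split so that the ICMPv6 header is not in the first fragment: the chain walk finds only a Fragment header with a non-zero offset and stops, because the octets after it are data, so the packet can be neither validated nor rejected without reassembly. A host applying the rule after reassembly does not have that problem, which is why the thread points at 6man rather than SAVI for the fix.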