[secdir] review of draft-ietf-6man-deprecate-atomfrag-generation-06

"Klaas Wierenga (kwiereng)" <kwiereng@cisco.com> Wed, 17 August 2016 13:04 UTC

Return-Path: <kwiereng@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ED1012D780; Wed, 17 Aug 2016 06:04:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.767
X-Spam-Level:
X-Spam-Status: No, score=-15.767 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o91mxZHljaXV; Wed, 17 Aug 2016 06:04:24 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A0612D6AD; Wed, 17 Aug 2016 06:04:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9202; q=dns/txt; s=iport; t=1471439064; x=1472648664; h=from:to:subject:date:message-id:mime-version; bh=iSwDUVji15zZXa3EeynACvfzzGhf4rgAmLjzSNT6V0E=; b=m0sX/pI8hnyBJZeu1LKJ7cE1HYWJ6EpFYJyUe7PcjlIVCu/vJoUXbb6m PLYoBjZRq1sBnrJss8NuqxAjpnOe/v/+QpgOwUnfmmbjxZQ0yjtTVV1va qrBlL/0b13RdWInmDJbZqh9pjrWHT5jbM81Fq1RGSYEDoqT0HXPXKR4FC s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BDAgBnX7RX/4YNJK1VCYJ1ToFZi0+oW?= =?us-ascii?q?oUHgX2GO4FLOBQCAQEBAQEBAV4nhGUjSCABSgIEMCcEAYhDrjOQLgEBAQEGAQE?= =?us-ascii?q?BASOGKoIAgk2EGYMogloFmUQBjx2PSZAyAR42g3qGY38BAQE?=
X-IronPort-AV: E=Sophos;i="5.28,529,1464652800"; d="scan'208,217";a="311073992"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Aug 2016 13:04:23 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u7HD4NmT020687 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 17 Aug 2016 13:04:23 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 17 Aug 2016 08:04:23 -0500
Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1210.000; Wed, 17 Aug 2016 08:04:22 -0500
From: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-6man-deprecate-atomfrag-generation.all@ietf.org" <draft-ietf-6man-deprecate-atomfrag-generation.all@ietf.org>
Thread-Topic: review of draft-ietf-6man-deprecate-atomfrag-generation-06
Thread-Index: AQHR+IffhO+j7nLtxUCRf8HX0u4//A==
Date: Wed, 17 Aug 2016 13:04:22 +0000
Message-ID: <etPan.57b460d6.1be7de06.13067@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.229.191]
Content-Type: multipart/alternative; boundary="_000_etPan57b460d61be7de0613067ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YA_PIQLxRHIB0fZIxSz3h4uFb30>
Subject: [secdir] review of draft-ietf-6man-deprecate-atomfrag-generation-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 13:04:26 -0000

Hi,


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.


Note: I noticed that there is also a version 07, and i have looked at that. My comments pertain to both versions.

IPv6 allows for specifying ‘atomic fragments’, where the packet is not really fragmented but the ‘fragmented’ header is to indicate that on the path there are network elements in the path that have an MTU size below the mandatory minimum of 1280 for IPv6 (for example IPv4/IPv6 translators). According to draft-ietf-6man-deprecate-atomfrag-generation-06 this introduces security risks, and has no benefits, and therefore proposes to remove atomic fragments from IPv6.

I am not at all an IPv6 expert, so my comments may not be valid and feel free to ignore them. But I can’t help thinking that much of the motivation for removal of this feature is in the fact that implementations misbehave. I find that a weak argument. Not being an expert, I can not judge well whether removing the feature is harmless, but I would be very cautious with removing extension headers for that reason.

Fragmentation in itself is an attack vector, but I don’t understand why that is more of a problem with atomic fragments, apart from the aforementioned implementation errors.

Apart from that, I see no glaring security issues, so if there is broad consensus in the WG that this is the right thing to do, I consider the document ready.

Klaas



--
Klaas Wierenga
Identity Architect
Cisco Cloud Services