Re: [secdir] Secdir last call review of draft-ietf-6lo-fragment-recovery-08

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 10 February 2020 08:38 UTC


Hi Pascal,

Please see inline

From: Pascal Thubert (pthubert) <pthubert@cisco.com>
Sent: Monday, February 10, 2020 1:06 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; secdir@ietf.org; draft-ietf-6lo-fragment-recovery.all@ietf.org
Subject: RE: Secdir last call review of draft-ietf-6lo-fragment-recovery-08

Hello Tiru;

Many thanks for your review!

Please see below

> [1] It is not clear to me how the Security sections of I-D.ietf-core-cocoa apply to this specification ?

The specification depends on a Retransmission TimeOut (RTO) estimation that can be attacked. Adding the reference to cocoa was an earlier review comment that we got. Cocoa computes an RTO in a similar type of network. I agreed that the recommendation made sense but still, I can probably dig that email and start a thread with the reviewer if you think it is irrelevant.

If cocoa is relevant, please add more details on how it is relevant. The security considerations in cocoa are only discussing network access control to prevent an attacker from dropping packets to eventually increase the RTO.

> [2] The security considerations section discusses I-D.ietf-lwig-6lowpan-virtual-reassembly but that document does not discuss any security considerations yet.

Correct. When it does I hope it describes the issue that this specification discusses. In any fashion we use it to explain a difference: "here's a traditional drawback of fragments and here's why it does not hurt us", as opposed to an inheritance.
If you think that the text is not helpful, we can open another thread on that.

Thanks for the clarification.

> [3] It is not clear how the DoS attack of bogus first fragments is handled and other attacks discussed in https://tools.ietf.org/html/draft-ietf-intarea-frag-fragile-17#section-3.7 are tackled ?

They are not, apart from whatever protection we get from the requirement in L2 security (we are talking about a homogeneous mesh). This section is highly relevant. This is all detailed in section 7 of draft-ietf-6lo-minimal-fragment that this specification inherits.

Okay.

> [4] How does the document align with the recommendations given in https://tools.ietf.org/html/draft-ietf-intarea-frag-fragile-17#section-6 ?

Section 6 says that IP fragmentation should be avoided by new protocols. This is not IP fragmentation, it is lower layer. We cannot avoid it if we are to support IPv6 that has a MIN MTU of 1280 bytes and the 6LoWPAN MTU is lower than that, see RFC 4944.

Got it.

Cheers,
-Tiru

Please let me know if you have a recommendation for a change, I saw questions but not a real hint on how to act on them.


Many thanks again!

Pascal