[secdir] review of draft-ietf-6man-predictable-fragment-id-09 (was: Re: review of draft-ietf-6man-predictable-fragment-id-09)

"Klaas Wierenga (kwiereng)" <kwiereng@cisco.com> Tue, 20 October 2015 13:55 UTC

Return-Path: <kwiereng@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D00F81A8FD6; Tue, 20 Oct 2015 06:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hoDb8ah-DZzy; Tue, 20 Oct 2015 06:55:34 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2253B1A8AC0; Tue, 20 Oct 2015 06:55:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5900; q=dns/txt; s=iport; t=1445349333; x=1446558933; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=5WsKLg+GjFqhichrVvSnPy6q14S09WIf9gx8Lp5lN3c=; b=ISybtWl6dmY5BvmRPUt/t2UoJrJ9wL0Lzbb/KH6rj30w4XwAg9r6TDoS UtL7txpqU5GzHc+k6c3zA8fCk1YL42yqnicz1N217lBmow2tbmuMx1/FM iTK/8hCTtPh0YvqGpm5FGaF4SBGR8X9dMfSX6ecWlmNNllbtrK+r7uHX6 Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D4AQCBRyZW/4kNJK1VCYM2gUMGvhkBDYFahh4CHIEYOBQBAQEBAQEBgQqELQEBAQMBIxE3EwsCASACAh8HAgICMBUQAgQBEogoCLBbkxsBAQEBAQEBAQEBAQEBAQEBAQEBGoEihVWCEIJuhDEEPSKCaTGBFAWWJAGNHoFYh2OSZQEfAQFCghAeFoE/coQfQoEGAQEB
X-IronPort-AV: E=Sophos;i="5.17,707,1437436800"; d="scan'208";a="37358415"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by rcdn-iport-9.cisco.com with ESMTP; 20 Oct 2015 13:55:32 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t9KDtW3I006426 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 20 Oct 2015 13:55:33 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 20 Oct 2015 08:55:14 -0500
Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1104.000; Tue, 20 Oct 2015 08:55:14 -0500
From: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
To: "draft-ietf-6man-predictable-fragment-id.all@tools.ietf.org" <draft-ietf-6man-predictable-fragment-id.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: review of draft-ietf-6man-predictable-fragment-id-09 (was: Re: review of draft-ietf-6man-predictable-fragment-id-09)
Thread-Index: AQHRCz7xTi0UWyR9Q0uLtfztLaAFVQ==
Date: Tue, 20 Oct 2015 13:55:14 +0000
Message-ID: <09C2947A-6387-44C4-91A3-B52610E5CC50@cisco.com>
References: <4F5FD3E9-B5A3-4AAB-A089-61B674B59ECC@cisco.com> <55F010E9.2060606@si6networks.com> <9566C08E-D9B5-4C34-888D-F8D77335B5E3@cisco.com> <560DAAF0.9060708@si6networks.com>
In-Reply-To: <560DAAF0.9060708@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.89.246]
Content-Type: text/plain; charset="utf-8"
Content-ID: <0F785423AF197149BCC0CF29224E39E4@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/jcEcqLr3ChkALoxuKIRMZuzquKo>
Subject: [secdir] review of draft-ietf-6man-predictable-fragment-id-09 (was: Re: review of draft-ietf-6man-predictable-fragment-id-09)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2015 13:55:39 -0000

Hi,

I am happy with the updated draft.

Klaas

--
Klaas Wierenga
Identity Architect
Cisco Cloud Services






> On 01 Oct 2015, at 23:51, Fernando Gont <fgont@si6networks.com>; wrote:
> 
> Hi, Klaas,
> 
> On 09/09/2015 07:02 AM, Klaas Wierenga (kwiereng) wrote:
>>> On 09/09/2015 07:12 AM, Klaas Wierenga (kwiereng) wrote:
>>>> I believe the document has some issues, see below.
>>>> 
>>>> The document does an analysis of the security implications of 
>>>> predictable identification fields and I believe (not being an
>>>> IPv6 expert) that it does a good job at that. The analysis of
>>>> the potential exploits is convincing. Where I am struggling a bit
>>>> is the algorithms for selecting fragment identification values
>>>> (5).
>>>> 
>>>> The intro text states that there are ‘a number of algorithms',
>>>> but really there are only 3: 1- per destination counter random 
>>>> initialised 2- random value 3- hash over source, destination,
>>>> secret with a counter
>>> 
>>> FWIW, these are three concrete algorithms, but that doesn't mean
>>> they are the only possible ones…
>> 
>> Sure, I understand that. It is just when I read it I was preparing
>> for a long list to come, so I think it would be good to state
>> something like:
>> 
>> OLD
>> 
>> This section specifies a number of algorithms that may be used for 
>> selecting Fragment Identification values.
>> 
>> NEW
>> 
>> There are a number of algorithms that may be used for selecting
>> Fragment Identification values. This section presents three of
>> those.
> 
> Will do. (thanks for proposing a way forward, btw).
> 
> 
> 
>>>> 1 and 3 are essentially the same, the hash function in 3 performs
>>>> the same function as the pseudo random generated initial value in
>>>> 1 if I am not mistaken.
>>> 
>>> Yes and no. 1 requires state, but 3 doesn't. That means that, e.g.,
>>> if you have lot's of flows to many different destinations, you may
>>> need to remove some entries from the Dest Cache (and then you run
>>> the risk of Frag ID collisions). However, this is not the case with
>>> algorithm #3.
>> 
>> good point, so is there any compelling reason to select 1 over 3?
> 
> It is generally the other way around: for #1, if you need to remove the
> state from the Destinations Cache, you run the risk of colliding Frag
> IDs. So you could say that #1 is more trivial to implement, whereas #3
> has better properties (when there are ongoing communications with
> multiple destinations that make you hit the limit of entries in the
> Destination Cache).
> 
> 
> 
>>>> So really the choice is between a random value for every datagram
>>>> or a random value at initialisation of a connection and
>>>> increasing by 1 for every subsequent datagram.
>>>> 
>>>> I’d really like to see some quantitative analysis as to the
>>>> impact of a random value per packet as well as between 1 and 3.
>>> 
>>> Impact in terms of what?
>> 
>> Well, as an implementer I want to choose between one of the
>> algorithms you propose. But since I have no clue what the penalty is
>> for doing per packet randomisation as opposed to per flow that is
>> hard.
> 
> Wel, the thing is that, to a large extent, it depends on the details of
> implementation. e.g., what's the algorithm you use for the randon()
> function, etc.
> 
> 
> 
>> If the cost of a pseudorandom operation is outweighed by other
>> factors involved in sending a packet I would probably choose option
>> 2. My gut feeling says however that it is a pretty expensive
>> operation to do on a per packet basis, so I would expect the advise
>> to be “use 1 or 3” unless…..
> 
> We tried to provide options rather than pushing one specific algorithm.
> 
> 
>> And similarly, what is the cost of the
>> hash versus the prg? If they are comparable would option 3 not be
>> better?
> 
> It depends on which hash function vs PRG. For instance, you could employ
> a hash function for the PRG.
> 
> So any assertion on performace would really be questionable...
> 
> Thoughts?
> 
> Thanks!
> 
> Cheers,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
>