Re: [Softwires] WG last call on the security document
Tero Kivinen <kivinen@kivinen.iki.fi> Tue, 04 December 2007 18:01 UTC
Florent Parent writes:
> > So there are only the options to recompute the checksum (might be
> > expensive), or make the implementation so it will not check the UDP
> > checksum of the L2TPv2 packet. This should not matter, as we do
> > have ESP outside providing much better validation of the received
> > packet, and there is also another checksum inside the packet, inside
> > the L2TPv2+PPP packet.
>
> In the scenario where IPv4 over IPv6 is used (3.5.4.2), L2TP/UDP is
> transported over IPv6, so UDP checksum must be enabled:

Not necessarily. What happens there is that the packet comes in as:

    IPv6 hdr, UDP(4500,4500), ESP, UDP(1701,1701), L2TP, PPP, IPv4, ESP AUTH

There are now multiple checksums. The UDP(4500,4500) header does have a
checksum, and that is checked and is correct. The ESP covers the packet
from UDP(1701,1701) to the end, so it knows there cannot be bit errors in
that part. The UDP(1701,1701) header has a wrong UDP checksum, as it is
not fixed by the NAT (it is inside the ESP). The IPv4 packet inside also
has more checksums.

When we strip the UDP encapsulation and ESP, we get the packet:

    IPv6 hdr, UDP(1701,1701), L2TP, PPP, IPv4

which has a wrong checksum for the UDP(1701,1701) header, but we are not
really interested in that, as we are going to give that to the local L2TP
application, which will throw the IPv6 header and the UDP(1701,1701)
header away and take the IPv4 packet from inside.

What we can do there is simply set the bit in the kernel-internal packet
context saying that the UDP checksum is already checked and there is no
need to recheck it anymore (there is usually such a bit, because the same
thing is used when the Ethernet hardware does UDP/TCP checksum
calculations instead of the IP stack). If there is no such option in the
kernel, then we must use the "recompute checksum" approach, but in most
environments it is very easy to do the "do not check". The recomputation
does not help at all, as it does not protect against any errors or
attacks.

Anyways, in IPv4 we can set the UDP checksum to 0, and IPv6 NATs are not
that common, so if you really want you can force them to do
recomputations. Or just say that RFC 3948 section 3.1.2 option 1 cannot
be done, so either option 2 or 3 MUST be used.
--
kivinen@safenet-inc.com
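As an added illustration (not code from the thread or from any IPsec/L2TP implementation), the Python below computes the IPv6 UDP checksum the way the inner UDP(1701,1701) header carries it, shows why verification fails once a NAT has rewritten the IPv6 addresses that ESP hid from it, and models the two handling paths the reply describes: mark the segment as already verified by ESP and skip the check, or recompute the checksum for the post-NAT addresses. The addresses, the payload bytes and the function names are constructed for this example.

```python
import struct
import ipaddress

UDP_PROTO = 17

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp6_checksum(src: str, dst: str, segment: bytes) -> int:
    """UDP checksum over the IPv6 pseudo-header (RFC 2460 s8.1) + segment.
    The addresses are covered, so a NAT rewriting the outer IPv6 header
    silently invalidates a checksum that sits inside ESP."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(segment)) + b"\x00\x00\x00" + bytes([UDP_PROTO]))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]   # checksum field taken as zero
    csum = 0xFFFF - ones_complement_sum(pseudo + zeroed)
    return csum if csum else 0xFFFF                      # IPv6 UDP never sends 0

def build_udp6(src, dst, sport, dport, payload: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp6_checksum(src, dst, seg)) + seg[8:]

def verify_udp6(src, dst, seg: bytes) -> bool:
    return struct.unpack("!H", seg[6:8])[0] == udp6_checksum(src, dst, seg)

def accept_inner_udp(src, dst, seg, esp_verified: bool, skip_check: bool):
    """Decision for the inner UDP(1701) header after UDP(4500)/ESP are stripped.
    src/dst are the (possibly NAT-rewritten) addresses now on the IPv6 header.
    Returns (payload or None, action)."""
    if verify_udp6(src, dst, seg):
        return seg[8:], "checksum-ok"
    if not esp_verified:
        return None, "dropped"               # nothing else vouches for the bytes
    if skip_check:
        # cheap path: flag the segment as already checksum-verified (ESP
        # authenticated it) so the stack does not re-check the stale value
        return seg[8:], "checksum-skipped"
    # expensive path: rewrite the checksum for the post-NAT addresses
    fixed = seg[:6] + struct.pack("!H", udp6_checksum(src, dst, seg)) + seg[8:]
    return fixed[8:], "checksum-recomputed"

# constructed sample: initiator's original source, the responder, and the
# source address the responder sees after a NAT (documentation prefix)
ORIG_SRC, DST, NAT_SRC = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:ffff::1"
L2TP_PAYLOAD = b"\xc8\x02\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00"  # constructed bytes
INNER = build_udp6(ORIG_SRC, DST, 1701, 1701, L2TP_PAYLOAD)
```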