Re: [Softwires] WG last call on the security document
Florent Parent <Florent.Parent@beon.ca> Tue, 04 December 2007 18:13 UTC
Return-path: <softwires-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzcGV-0002E6-Pa; Tue, 04 Dec 2007 13:13:03 -0500
Received: from softwires by megatron.ietf.org with local (Exim 4.43) id 1IzcGU-0002DC-CK for softwires-confirm+ok@megatron.ietf.org; Tue, 04 Dec 2007 13:13:02 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzcGU-0002D2-2S for softwires@ietf.org; Tue, 04 Dec 2007 13:13:02 -0500
Received: from ns.beon.ca ([2001:5c0:8001::53] helo=smtp.beon.ca) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IzcGS-0005SA-Dm for softwires@ietf.org; Tue, 04 Dec 2007 13:13:02 -0500
Received: from dhcp-169f.ietf70.org (dhcp-169f.ietf70.org [130.129.22.159]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) by smtp.beon.ca (Postfix) with ESMTP id 69D31AD750; Tue, 4 Dec 2007 13:12:59 -0500 (EST)
Message-Id: <9A0E5E9B-7235-40CE-9145-7796C7B3E270@beon.ca>
From: Florent Parent <Florent.Parent@beon.ca>
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <18261.37635.641968.59716@fireball.kivinen.iki.fi>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v915)
Subject: Re: [Softwires] WG last call on the security document
Date: Tue, 04 Dec 2007 10:12:55 -0800
References: <C379780F.608C%alain_durand@cable.comcast.com> <18260.18811.69209.831957@fireball.kivinen.iki.fi> <6E9098A8-B8AB-4EC4-A8E3-0BAC7BCB7CB0@beon.ca> <18261.37635.641968.59716@fireball.kivinen.iki.fi>
X-Mailer: Apple Mail (2.915)
X-Spam-Score: 1.6 (+)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Cc: softwires@ietf.org
X-BeenThere: softwires@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: softwires wg discussion list <softwires.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/softwires>
List-Post: <mailto:softwires@ietf.org>
List-Help: <mailto:softwires-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/softwires>, <mailto:softwires-request@ietf.org?subject=subscribe>
Errors-To: softwires-bounces@ietf.org
Le 07-12-04 à 09:48, Tero Kivinen a écrit : > Florent Parent writes: >>> So there is only options to recompute checksum (might be >>> expensive), or make the implementation so it will not check the UDP >>> checksum of the L2TPv2 packet. This should not matter, as we do >>> have ESP outside providing much better validation of the received >>> packet and there is also another checksum inside the packet inside >>> the L2TPv2+PPP packet. >> >> In the scenario where IPv4 over IPv6 is used (3.5.4.2), L2TP/UDP is >> transported over IPv6, so UDP checksum must be enabled: > > Not necessarely. > > What happens there is that packet comes in: > > IPV6 hdr, UDP(4500,4500), ESP, UDP(1701,1701), L2TP, PPP, IPv4, ESP > AUTH > > There is now multiple checksums. The UDP(4500, 4500) header do have > checksum, and that is checked and is correct. The ESP covers the > packet from UDP(1701, 1701) to the end, so it knows there cannot be > bit errors in that part. > > The UDP(1701 1701) header has wrong UDP checksum as it is not fixed by > the NAT (it is inside the ESP). The IPv4 packet inside has also more > checksums. When we strip the UDP encapsulation and ESP, we get packet: > > IPV6 hdr, UDP(1701,1701), L2TP, PPP, IPv4 > > which have wrong checksum for the UDP(1701, 1701) header, but we are > not really interested in that, as we are going to give that the local > L2TP application, that will throw the IPv6 header, UDP(1701, 1701) > header away, and take the IPv4 packet from inside. What we can do > there, is to simply set the bit on in the kernel internal packet > context saying that UDP checksum is already checked, and there is no > need to recheck it anymore (there is usuallu such bit because the same > thing is used when the ethernet hardware does UDP/TCP checksum > calculations instead of IP stack. If there is no such option in the > kernel, then we must use the "recompute checksum", but in most > environments it is very easy to do the "do not check". Understood. > > > The recompatation does not help at all, as it does not protect againts > any errors or attacks. > > Anyways, in the IPv4 we can set UDP checksum to 0, and IPv6 NATs are > not that common, so if you really want you can force them do > recomputations if you want. Or just say that RFC 3948 section 3.1.2 > option 1 cannot be done, so either option 2 or 3 MUST be used. This is also a very valid point: UDP encapsulation of ESP may very well not by used on IPv6 networks. But if it is, the above considerations on UDP checksum will provide the implementation guidelines. Thanks for the comprehensive response. Florent _______________________________________________ Softwires mailing list Softwires@ietf.org https://www1.ietf.org/mailman/listinfo/softwires
- [Softwires] WG last call on the security document Alain Durand
- [Softwires] WG last call on the security document Tero Kivinen
- Re: [Softwires] WG last call on the security docu… Florent Parent
- Re: [Softwires] WG last call on the security docu… Tero Kivinen
- Re: [Softwires] WG last call on the security docu… Tero Kivinen
- Re: [Softwires] WG last call on the security docu… Florent Parent
- Re: [Softwires] WG last call on the security docu… Florent Parent