Re: [v6ops] Fwd: New Version Notification for draft-taylor-v6ops-fragdrop-00.txt

Warren Kumari <warren@kumari.net> Tue, 16 October 2012 12:27 UTC

From: Warren Kumari <warren@kumari.net>
In-Reply-To: <20121016112137.GG13776@Space.Net>
Date: Tue, 16 Oct 2012 08:27:01 -0400
Message-Id: <3D093C82-0AD6-416B-8DE2-BD351FF6D3A6@kumari.net>
References: <20121015231232.4507.54646.idtracker@ietfa.amsl.com> <507CAE0A.7000802@gmail.com> <Pine.LNX.4.64.1210151944310.23110@shell4.bayarea.net> <507CD6BC.2050006@bogus.com> <20121016062633.33DE329D6876@drugs.dv.isc.org> <507D079C.1000405@gmail.com> <20121016112137.GG13776@Space.Net>
To: Gert Doering <gert@space.net>
Cc: "C. M. Heard" <heard@pobox.com>, IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Fwd: New Version Notification for draft-taylor-v6ops-fragdrop-00.txt

On Oct 16, 2012, at 7:21 AM, Gert Doering <gert@space.net> wrote:

> Hi,
> 
> On Tue, Oct 16, 2012 at 08:07:08AM +0100, Brian E Carpenter wrote:
>> Use the flow label. This is one of the reasons we did RFC 6436, 6437 and 6438.
> 
> So how exactly is "filter based on an arbitrary value the attacker can
> control" better than "just let non-initial fragments through"?
> 
> Which is what I'd do - either reassemble at the (stateful) firewall,

Reassembly at "firewalls" is wickedly expensive (in terms of CPU, memory, etc.) and often ends up as a bottleneck under things like missing-fragment / incomplete-fragment attacks.  Also, this is assuming that there is a stateful firewall somewhere between the Internet and your network -- for many, many people this is not true (or really possible).


> or let non-initial fragments pass.

Or drop them…

W

> 
> Gert Doering
>        -- NetMaster
> -- 
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279

--
Consider orang-utans.
In all the worlds graced by their presence, it is suspected that they can talk but choose not to do so in case humans put them to work, possibly in the television industry. In fact they can talk. It's just that they talk in Orang-utan. Humans are only capable of listening in Bewilderment.
-- Terry Pratchett
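The three options the message above weighs (reassemble at a stateful box, pass non-initial fragments, or drop them) can be compared in a small model. The following is an added example written for this page, not code from the thread, from the draft, or from any vendor: it builds IPv6 packets with a Fragment extension header from scratch, implements a toy reassembler with a bounded context table, and runs a constructed flood of non-initial fragments whose first fragment never arrives. Addresses are from the 2001:db8::/32 documentation prefix; the context cap of 1000, the 2048-byte datagram and the flood size are arbitrary choices for the demonstration.

```python
# Added example (not from the thread): a toy model of what an IPv6 border device
# has to do under each of the three options discussed above. Every packet is
# constructed here; addresses are documentation prefixes (2001:db8::/32).
import struct
from collections import OrderedDict

NH_TCP, NH_FRAGMENT = 6, 44
IPV6_HDR_LEN, FRAG_HDR_LEN = 40, 8


def build_fragment(src, dst, ident, offset8, more, chunk, flow_label=0, inner_nh=NH_TCP):
    """IPv6 fixed header + Fragment extension header (RFC 2460 s4.5) + chunk.
    offset8 is the fragment offset in 8-octet units; the sender picks flow_label."""
    frag_hdr = struct.pack("!BBHI", inner_nh, 0, (offset8 << 3) | int(more), ident)
    word0 = (6 << 28) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB16s16s", word0, FRAG_HDR_LEN + len(chunk), NH_FRAGMENT, 64, src, dst)
    return hdr + frag_hdr + chunk


def parse(pkt):
    """Return the fields a filter or reassembler keys on ("fragment" is None if unfragmented)."""
    word0, plen, nh, _hop, src, dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
    info = {"flow_label": word0 & 0xFFFFF, "src": src, "dst": dst, "fragment": None}
    if nh == NH_FRAGMENT:
        end = IPV6_HDR_LEN + FRAG_HDR_LEN
        _nh, _res, off_field, ident = struct.unpack("!BBHI", pkt[IPV6_HDR_LEN:end])
        info["fragment"] = {"ident": ident, "offset": (off_field >> 3) * 8,
                            "more": bool(off_field & 1), "data": pkt[end:IPV6_HDR_LEN + plen]}
    return info


def drop_non_initial(pkt):
    """Stateless policy: forward unfragmented packets and first fragments only."""
    f = parse(pkt)["fragment"]
    return f is None or f["offset"] == 0


class Reassembler:
    """Stateful policy: hold fragments per (src, dst, id) until the datagram is whole.
    max_contexts bounds memory; when full, the oldest incomplete datagram is evicted."""

    def __init__(self, max_contexts):
        self.max_contexts, self.ctx, self.evicted = max_contexts, OrderedDict(), 0

    def buffered_bytes(self):
        return sum(len(d) for c in self.ctx.values() for d in c["parts"].values())

    def accept(self, pkt):
        """Return the reassembled payload when a datagram completes, else None."""
        info = parse(pkt)
        f = info["fragment"]
        if f is None:
            return pkt[IPV6_HDR_LEN:]
        key = (info["src"], info["dst"], f["ident"])
        if key not in self.ctx:
            if len(self.ctx) >= self.max_contexts:
                self.ctx.popitem(last=False)       # evict the oldest partial datagram
                self.evicted += 1
            self.ctx[key] = {"parts": {}, "total": None}
        c = self.ctx[key]
        c["parts"][f["offset"]] = f["data"]
        if not f["more"]:
            c["total"] = f["offset"] + len(f["data"])
        if c["total"] is None:
            return None
        pos = 0                                     # complete only if [0, total) has no gap
        for off in sorted(c["parts"]):
            if off != pos:
                return None
            pos += len(c["parts"][off])
        if pos != c["total"]:
            return None
        del self.ctx[key]
        return b"".join(c["parts"][o] for o in sorted(c["parts"]))


def fragment_datagram(src, dst, ident, payload, step=1232):
    """Split payload into fragments; step must be a multiple of 8 octets."""
    pkts = []
    for pos in range(0, len(payload), step):
        chunk = payload[pos:pos + step]
        pkts.append(build_fragment(src, dst, ident, pos // 8, pos + step < len(payload), chunk))
    return pkts


def simulate(flood_size, max_contexts=1000):
    """Legit first fragment, then a flood of non-initial fragments whose first fragment
    never arrives, then the legit last fragment. Reports what each policy does."""
    victim = bytes.fromhex("20010db8" + "00" * 11 + "01")
    good = bytes.fromhex("20010db8" + "00" * 11 + "02")
    bad = bytes.fromhex("20010db8" + "00" * 11 + "ff")
    payload = bytes(range(256)) * 8                # 2048-byte datagram -> 2 fragments
    legit = fragment_datagram(good, victim, 0x1234, payload)
    flood = [build_fragment(bad, victim, i, 1, True, b"A" * 8, flow_label=0x12345)
             for i in range(flood_size)]         # offset 8, M=1, unique id, never completed
    order = [legit[0]] + flood + [legit[1]]

    r = Reassembler(max_contexts)
    completed = sum(r.accept(p) == payload for p in order)
    return {
        "drop_non_initial_forwarded": sum(drop_non_initial(p) for p in order),
        "pass_non_initial_forwarded": len(order),  # stateless, holds nothing
        "reassembler_completed": completed,
        "reassembler_contexts_held": len(r.ctx),
        "reassembler_bytes_held": r.buffered_bytes(),
        "reassembler_evicted": r.evicted,
    }


if __name__ == "__main__":
    for n in (10, 5000):
        print(n, simulate(n))
```

With a flood smaller than the context cap the reassembler completes the legitimate datagram; once the flood exceeds the cap, the legitimate half-assembled datagram is evicted to make room for attacker state and never completes, while the two stateless policies forward (or drop) exactly the same packets before and after the flood and hold no memory at all. The builder also takes the flow label as a parameter because the sender sets it, which is the objection quoted above to filtering on it.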