[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Status of various documents

To: v6ops@ops.ietf.org
Subject: Re: Status of various documents
From: Fred Baker <fred@cisco.com>
Date: Thu, 25 May 2006 17:55:37 -0700
Authentication-results: sj-dkim-8.cisco.com; header.From=fred@cisco.com; dkim=pass ( sig from cisco.com verified; );
Dkim-signature: a=rsa-sha1; q=dns; l=2487; t=1148604939; x=1149468939; c=relaxed/simple; s=sjdkim8001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fred@cisco.com; z=From:Fred=20Baker=20<fred@cisco.com> |Subject:Re=3A=20Status=20of=20various=20documents; X=v=3Dcisco.com=3B=20h=3DAfNULCmqrmjRzzGfrH8DnclSAnE=3D; b=X4qINFuvHec3ryFSFDYR4yQEM/Uh06MxAqBlygm348nqU+dt+eb57zLJCzWS426f94cl6ytg LyVg37kZDbyCq8N9Sbbbv7GIegtMpdeiAYHEBbr0Ljl+VtIJwwhYLy+S;
In-reply-to: <77ead0ec0605242356q1a38e3a0p4a9bd3ab7a8df485@mail.gmail.com>
References: <769B92A9-778F-4B30-BBB7-321F77FB9033@cisco.com> <77ead0ec0605240002j121b0f7ar67aacc3c8e661115@mail.gmail.com> <516F5B4E-3893-451D-A23E-E6B9DB549B35@cisco.com> <77ead0ec0605242356q1a38e3a0p4a9bd3ab7a8df485@mail.gmail.com>

OK, folks. Lets get a review.

http://www.ietf.org/internet-drafts/draft-manral-v6ops-tiny-fragments-issues-02.txt"Operational issues with Tiny Fragments in IPv6", Vishwas Manral,9-Jan-06,

  <draft-manral-v6ops-tiny-fragments-issues-02.txt>

The principal comment that I noted from our previous discussion wasthat the problem existed for IPv4 also, and hence was notspecifically an IPv6 problem. The working group did not choose tomake a recommendation on the topic, and personally I wasn't awarethat we were asked to. The key recommendation seems to be that therebe a minimum MTU size large enough to contain the IPv6 header (withall of its additional headers) plus the second layer header, and thatmiddleware devices like firewalls discard messages that were a non-last fragment and were smaller than that size.

In such a case, this would convert the attack to another kind ofattack, one in which the target is bombarded with fragments ofmessages, but never enabled to reassemble them, and attacking thereassembly tables and associated memory. The solution for that isfortunately trivial - in the event that there is any any overload inthis area, discard the oldest fragment in the buffer and any otherfragments that are presumptively part of the same message - the sameway we protect TCP TCBs.

The origin of the discussion was in Mobile IP, where related issueswere addressed.

What do folks wish the document said? Is this something for theworking group to make an effort on? Is there a feeling that it shouldbe a working group draft?



On May 24, 2006, at 11:56 PM, Vishwas Manral wrote:

Hi Fred,

I thought it was an important enough issue to be addressed, fromthe operational perspective.

If possible I would want to drive it further. Would be eager to getyour views on the same.

Thanks for restarting the discussion,
Vishwas

On 5/24/06, Fred Baker <fred@cisco.com> wrote:
On May 24, 2006, at 12:02 AM, Vishwas Manral wrote:

> I am not sure the draft http://www.ietf.org/internet-drafts/draft-
> manral-v6ops-tiny-fragments-issues-02.txt is dead. It still exists
> in the IETF repository.

Yes, it is in the repository; it remains until they flush it out.
What I was saying is that discussion seems to be at an end.

What would you like to do with it further? Do you plan to continue
driving this?

References:
- Status of various documents
  - From: Fred Baker <fred@cisco.com>
- Re: Status of various documents
  - From: "Vishwas Manral" <vishwas.ietf@gmail.com>
- Re: Status of various documents
  - From: Fred Baker <fred@cisco.com>
- Re: Status of various documents
  - From: "Vishwas Manral" <vishwas.ietf@gmail.com>

Prev by Date: Re: Status of various documents
Next by Date: Status of Operational issues with Tiny Fragments in IPv6
Previous by thread: Re: Status of various documents
Next by thread: Fwd: IANA considerations confusion
Index(es):
- Date
- Thread