On Wed, May 13, 2015 at 11:59 PM, Suresh Krishnan < [email protected]> wrote:
> Hi Ron,
>
> On 05/13/2015 11:39 PM, Ronald Bonica wrote:
> > Kathleen,
> >
> > AFAIK, most IP stacks include code that detects fragmentation overlap
> > attacks. (Do I have that right?)
> >
> > So, reassembly attacks shouldn't be effective whether reassembly is
> > performed at the GRE egress or the ultimate destination.
> >
> > If reassembly is performed at the ultimate destination, the two
> > endpoints might be alerted. However, if reassembly is performed at the GRE
> > ingress, the endpoints might never be alerted.
> >
> > Should we add a paragraph about this in Section 5 (Security
> > Considerations). Or is this just another type of DoS attack, which we have
> > already mentioned?
>
> I think it might merit a separate mention since the draft is concerned
> with fragmentation. You can use RFC1858 as a reference for IPv4 and
> RFC5722 as a reference for IPv6 for handling of the overlapping fragment
> problem.

A separate paragraph would be helpful, thanks. This attack type could lead to a compromise, so the concern (for me at least) is much higher than a DoS. I'm glad it's addressed in code and it would just be good to mention considerations.

Thank you,
Kathleen

> Thanks
> Suresh

--
Best regards,
Kathleen
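The overlap check the thread refers to, as an added Python example (not code from the thread or the draft): a minimal reassembler that applies the RFC 5722 rule of discarding the whole datagram whenever any fragment overlaps bytes already received, rather than letting a later fragment rewrite an earlier one. The names `Fragment` and `reassemble` are assumed here; offsets are taken in bytes and the fragments are assumed to already belong to one datagram.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this payload within the original datagram
    data: bytes
    more: bool    # "more fragments" flag; False only on the last fragment


class OverlappingFragment(ValueError):
    """Raised when a fragment overlaps bytes already accepted for this datagram."""


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Reassemble one datagram's fragments (illustrative model, not a real stack).

    Returns the payload once every byte from 0 to the end of the last fragment
    is present, None while pieces are still missing, and raises
    OverlappingFragment on any overlap so the caller can drop the whole datagram
    (the RFC 5722 rule).  Assumes the fragments were already grouped by source,
    destination and identification, and that offsets are in bytes.
    """
    pieces: Dict[int, bytes] = {}
    end_of_datagram: Optional[int] = None
    prev_end = 0
    for frag in sorted(fragments, key=lambda f: f.offset):
        start, end = frag.offset, frag.offset + len(frag.data)
        if end_of_datagram is not None:
            raise ValueError("fragment received beyond the final fragment")
        if start < prev_end:  # sorted by offset, so every overlap shows up here
            raise OverlappingFragment(
                f"fragment [{start},{end}) overlaps data ending at {prev_end}")
        pieces[start] = frag.data
        prev_end = end
        if not frag.more:
            end_of_datagram = end
    if end_of_datagram is None:
        return None  # the last fragment has not arrived yet
    # The accepted pieces must form one contiguous run starting at byte 0.
    expected = 0
    out = bytearray()
    for start in sorted(pieces):
        if start != expected:
            return None  # a hole remains
        out += pieces[start]
        expected += len(pieces[start])
    return bytes(out)
```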
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
