Hi Kathleen,
I will have text later today.
Ron
From: Kathleen Moriarty [mailto:[email protected]]
Sent: Thursday, May 14, 2015 8:33 AM
To: Suresh Krishnan
Cc: Ronald Bonica; The IESG; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-intarea-gre-mtu-04: (with DISCUSS)
On Wed, May 13, 2015 at 11:59 PM, Suresh Krishnan <[email protected]> wrote:
> Hi Ron,
> On 05/13/2015 11:39 PM, Ronald Bonica wrote:
>> Kathleen,
>>
>> AFAIK, most IP stacks include code that detects fragmentation overlap
>> attacks. (Do I have that right?)
>>
>> So, reassembly attacks shouldn't be effective whether reassembly is performed
>> at the GRE egress or the ultimate destination.
>>
>> If reassembly is performed at the ultimate destination, the two endpoints
>> might be alerted. However, if reassembly is performed at the GRE ingress, the
>> endpoints might never be alerted.
>>
>> Should we add a paragraph about this in Section 5 (Security Considerations)?
>> Or is this just another type of DoS attack, which we have already mentioned?
> I think it might merit a separate mention since the draft is concerned
> with fragmentation. You can use RFC1858 as a reference for IPv4 and
> RFC5722 as a reference for IPv6 for handling of the overlapping fragment
> problem.
A separate paragraph would be helpful, thanks. This attack type could lead to
a compromise, so the concern (for me at least) is much higher than a DoS. I'm
glad it's addressed in code and it would just be good to mention considerations.
Thank you,
Kathleen
> Thanks
> Suresh
--
Best regards,
Kathleen
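The overlapping-fragment handling the thread refers to (RFC 5722 discards the whole datagram when fragments overlap), as an added example that is not part of the list discussion or of any IETF code. It uses a constructed fragment model with plain byte offsets, and the `egress_reassemble` helper is a hypothetical stand-in for reassembly at a GRE tunnel endpoint, recording the drop so it is visible to an operator even though the inner endpoints are never alerted.

```python
# Toy fragment reassembler with RFC 5722 style overlap handling (constructed
# model: byte offsets, not the 8-octet units of an IPv4 header).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Fragment:
    offset: int      # first byte of this fragment within the original datagram
    payload: bytes
    more: bool       # "more fragments" flag; False on the final fragment

def find_overlap(frags: List[Fragment]) -> Optional[Tuple[int, int]]:
    """Return the byte range shared by two fragments, or None if all are disjoint."""
    spans = sorted((f.offset, f.offset + len(f.payload)) for f in frags)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:                     # next fragment starts before this one ends
            return (s2, min(e1, e2))
    return None

def reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], str]:
    """Reassemble a datagram; returns (bytes, "ok") or (None, reason).

    Any overlap discards the whole datagram (RFC 5722 behaviour) instead of
    choosing one fragment's bytes over another's.
    """
    if not frags:
        return None, "empty"
    if find_overlap(frags) is not None:
        return None, "overlap"
    ordered = sorted(frags, key=lambda f: f.offset)
    out = bytearray()
    for f in ordered:
        if f.offset != len(out):        # hole between fragments
            return None, "gap"
        out += f.payload
    if ordered[-1].more:                # final fragment never arrived
        return None, "incomplete"
    return bytes(out), "ok"

def egress_reassemble(frags: List[Fragment], events: List[str]) -> Optional[bytes]:
    """Hypothetical tunnel-endpoint reassembly: the inner endpoints never see a
    datagram dropped here, so the reason is logged for the operator."""
    data, reason = reassemble(frags)
    if reason != "ok":
        events.append(f"fragment reassembly dropped datagram: {reason}")
    return data

# Constructed sample input: a clean two-fragment datagram and one whose second
# fragment overlaps the first by four bytes.
GOOD = [Fragment(0, b"GRE-hdr ", True), Fragment(8, b"payload!", False)]
BAD = [Fragment(0, b"GRE-hdr ", True), Fragment(4, b"XXXXpayl", True),
       Fragment(12, b"oad!", False)]
```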