Kathleen,

> On May 14, 2015, at 8:32 AM, Kathleen Moriarty <[email protected]> wrote:
>
> On Wed, May 13, 2015 at 11:59 PM, Suresh Krishnan <[email protected]> wrote:
> > Hi Ron,
> >
> > On 05/13/2015 11:39 PM, Ronald Bonica wrote:
> > > Kathleen,
> > >
> > > AFAIK, most IP stacks include code that detects fragmentation overlap
> > > attacks. (Do I have that right?)
> > >
> > > So, reassembly attacks shouldn't be effective whether reassembly is
> > > performed at the GRE egress or the ultimate destination.
> > >
> > > If reassembly is performed at the ultimate destination, the two endpoints
> > > might be alerted. However, if reassembly is performed at the GRE ingress,
> > > the endpoints might never be alerted.
> > >
> > > Should we add a paragraph about this in Section 5 (Security
> > > Considerations). Or is this just another type of DoS attack, which we have
> > > already mentioned?
> >
> > I think it might merit a separate mention since the draft is concerned
> > with fragmentation. You can use RFC1858 as a reference for IPv4 and
> > RFC5722 as a reference for IPv6 for handling of the overlapping fragment
> > problem.
>
> A separate paragraph would be helpful, thanks. This attack type could lead
> to a compromise, so the concern (for me at least) is much higher than a DoS.
> I'm glad it's addressed in code and it would just be good to mention
> considerations.
>
I think that overlapping fragment attacks are orthogonal to whether the packet carries GRE or something else. If reassembly happens at the tunnel endpoint, we might end up with a rightly dropped packet. This seems covered in Section 4 of RFC 1858.

What particulars are you thinking about this attack that are specific to GRE?

Thanks,

— Carlos.

> Thank you,
> Kathleen
>
> > Thanks
> > Suresh
>
> --
> Best regards,
> Kathleen
> _______________________________________________
> Int-area mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/int-area
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
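The thread turns on what a reassembling node (GRE egress or ultimate destination) does when it sees overlapping fragments, with RFC 1858 section 4 cited for IPv4 and RFC 5722 for IPv6. The following is an added illustration, not code from the draft, the thread, or any of the cited RFCs: a minimal reassembler that applies the RFC 5722 rule (any overlap discards the entire datagram) and the RFC 1858 section 4 countermeasure (drop a fragment whose Fragment Offset is 1, since it would overwrite the transport header carried in the first fragment). It returns a status string rather than silently dropping, which is the point Ron raises: when the drop happens at a tunnel endpoint, that device is the only place the event can be logged. The fragment sets, the `Fragment` class, and all function names are constructed for this example.

```python
"""Added example: overlapping-fragment detection during reassembly.
Not code from the draft or the thread; all fragment values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FRAG_UNIT = 8  # Fragment Offset is expressed in 8-octet units (IPv4 and IPv6 alike)


@dataclass(frozen=True)
class Fragment:
    frag_offset: int  # Fragment Offset field value, in 8-octet units
    more: bool        # More Fragments flag
    data: bytes       # fragment payload

    @property
    def start(self) -> int:
        return self.frag_offset * FRAG_UNIT

    @property
    def end(self) -> int:
        return self.start + len(self.data)


def find_overlap(frags: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose byte ranges intersect, else None.
    Sorting by start and checking neighbours is sufficient: if any pair overlaps,
    some adjacent pair in start order does too."""
    ordered = sorted(frags, key=lambda f: f.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start < a.end:
            return a, b
    return None


def rfc1858_fo1_check(frag: Fragment) -> bool:
    """RFC 1858 section 4 countermeasure: a fragment with FO == 1 would overwrite
    the transport header in the first fragment. (Assumption for this example: the
    rule is applied to every fragment; RFC 1858 states it for TCP.)"""
    return frag.frag_offset == 1


def reassemble(frags: List[Fragment]) -> Tuple[str, Optional[bytes]]:
    """Reassemble one datagram's fragments.

    Returns (status, payload). Following RFC 5722, any overlap discards the whole
    datagram. The status string is what a reassembling tunnel endpoint should log,
    because the endpoints behind it will never see the dropped fragments.
    """
    if not frags:
        return "incomplete", None
    if any(rfc1858_fo1_check(f) for f in frags):
        return "dropped: fragment with FO=1 (RFC 1858 s.4)", None
    ov = find_overlap(frags)
    if ov is not None:
        a, b = ov
        return (f"dropped: overlap [{a.start},{a.end}) vs [{b.start},{b.end}) "
                f"(RFC 5722)", None)
    ordered = sorted(frags, key=lambda f: f.start)
    expected = 0
    buf = bytearray()
    for f in ordered:
        if f.start != expected:          # gap: still waiting for a fragment
            return "incomplete", None
        if f.more and len(f.data) % FRAG_UNIT:
            return "dropped: non-final fragment not a multiple of 8 octets", None
        buf += f.data
        expected = f.end
    if ordered[-1].more:                 # last fragment not yet received
        return "incomplete", None
    return "complete", bytes(buf)


# Constructed fragment sets for demonstration.
CLEAN = [Fragment(0, True, b"A" * 16), Fragment(2, True, b"B" * 16), Fragment(4, False, b"C" * 5)]
OVERLAP = [Fragment(0, True, b"A" * 16), Fragment(2, True, b"B" * 16), Fragment(3, False, b"C" * 10)]
FO1 = [Fragment(0, True, b"A" * 16), Fragment(1, True, b"X" * 8), Fragment(3, False, b"C" * 4)]
MISSING = [Fragment(0, True, b"A" * 16), Fragment(4, False, b"C" * 5)]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("fo1", FO1), ("missing", MISSING)):
        status, payload = reassemble(frags)
        print(f"{name:8} -> {status}" + (f" ({len(payload)} bytes)" if payload else ""))
```

The reassembler treats a drop as a first-class result so that whichever node performs reassembly can record it. That is the operational gap in the thread: the overlap check itself is the same whether or not GRE is involved, but if it runs at the tunnel endpoint, the endpoints' own stacks never get the chance to detect or log the event, so the endpoint doing the reassembly has to.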
