At 01:44 a.m. 23/06/2008, Vishwas Manral wrote:
> * Your documents talk about specifying a minimum size for non-last > fragments. Actually, I think one should be concerned only about the *first* > fragment. That's the one that's used to create state at firewalls, etc. This is the more liberal approach you adopt to achieve the same thing. by having a more conservative approach we reduce the attack vectors further.
Maybe you should clarify this in the draft?
> * I don't think imposing such a requirement will, by itself, help to ensure > that you have in the first packet all the information you need to apply > firewalls rules. It would be trivial for an attacker to comply with such a > requirement, but still do not provide all the relevant information that > would be needed by the firewall to apply its rules. The attacker could just > add one or several extension headers, with lots of PadN options. Thus, it > would comply with your requirement, but still avoid sending e.g. the TCP > source and destination ports. Fernando, that is correct. However we intend to put limitations separately on that.
I think that both requirements should be in the same document, or that at least you should explicitly state that the goal cannot be met unless there are restriction on the maximum number of bytes allowed for Extension Headers.
Suresh probably had a draft regarding the same.
Any pointers? Kind regards, -- Fernando Gont e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED] PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
