Suresh and all -

I have read the document and support it being progressed as a Proposed
Standard.  The document identifies a security vulnerability that ought
to be mitigated, and this document is a necessary step in doing so.

One comment:  Is there data on how common overlapping fragments are in
the real world?  Obviously, the more common overlapping fragments are,
the less appropriate it would be for firewalls to enforce
non-overlapping in the near term.  After all, firewalls shouldn't drop
legitimate sessions that happen to include overlapping fragments.  It
would take some time for existing IPv6 implementations to be updated
before it would be safe to add such enforcement in firewalls.  Hence,
it may be good to add a cautionary note about this to the document.

- Christian



On May 20, 2009, Brian Haberman wrote:

All,

This Last Call concluded with exactly one public comment.  We
cannot advance this document without support of the working group.
Please review this draft and state whether you support or disagree with
advancing it.

Regards,
Brian



--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
