-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Nevil Brownlee
Sent: Tuesday, October 27, 2009 6:26 AM
To: [email protected]; [email protected]
Subject: [OPS-DIR] Ops Dir review: draft-ietf-6man-overlap-fragment-03

Hi,

I have performed an Operations directorate review of
   draft-ietf-6man-overlap-fragment-03,
   Handling of overlapping IPv6 fragments

This draft points out that IPv6 fragments can overlap, allowing an
attacker to get through firewalls that only look at the first packet in
a TCP connection.  It proposes to change the IPv6 specification (RFC
2460) to forbid overlapping fragments, thus fixing this security
problem.

--
1. Is the specification complete?  Can multiple interoperable
    implementations be built based on the specification?
   Yes

2. Is the proposed specification deployable?  If not, how could it be
    improved?
   Yes

3. Does the proposed approach have any scaling issues that could
    affect usability for large scale operation?
   None that I can see.  Although fragmentation is much less used than
   it used to be, it's probably still necessary.

4. Are there any backward compatibility issues?
   No. This change would simply fix a protocol vulnerability.

5. Do you anticipate any manageability issues with the specification?
   No.

6. Does the specification introduce new potential security risks or
    avenues for fraud?
   No.


Now, for something completely different, a question:

In IPv4 (RFC 791), Fragment Offset is relative to the original
unfragmented packet (Stevens, TCP/IP Illustrated).

RFC 1858, when describing the 'tiny fragment' attack, uses Fragment
Offset 1.  But that would point at IP header byte 8!  Seems to me that
the smallest usable value of Fragment Offset is 3, pointing to byte 24,
i.e. just past the shortest IPv4 header.

Does this seem to you like an error in RFC 1858?

IPv6 (RFC 2460) has the notion of 'Unfragmentable Part,' i.e.
v6 Header + sub-headers, and its Fragment Offset field is relative to
the Fragmentable Part - so Fragment Offsets 0 and 1 are allowed.

Cheers, Nevil

--
---------------------------------------------------------------------
  Nevil Brownlee                    Computer Science Department | ITS
  Phone: +64 9 373 7599 x88941             The University of Auckland
  FAX: +64 9 373 7453   Private Bag 92019, Auckland 1142, New Zealand
_______________________________________________
OPS-DIR mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ops-dir
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
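The review above describes the rule the draft proposes (a datagram whose fragments overlap is rejected rather than reassembled) and the question of what a Fragment Offset value actually points at. The script below is an added example, not code from the draft, the e-mail, or any IETF implementation. It models a fragment as the 13-bit Fragment Offset value (in units of 8 octets, as both RFC 791 and RFC 2460 define it), the M flag and the fragment's slice of the fragmentable part, converts offsets to byte ranges, and implements the draft's policy: any overlap discards the whole datagram. The fragment sets at the bottom are constructed test data, not captured traffic.

```python
"""Overlapping-fragment check for fragment reassembly (added example,
not the draft's or any stack's code). Assumes fragments are already
grouped by (source, destination, identification)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FRAG_UNIT = 8  # Fragment Offset counts 8-octet blocks (RFC 791, RFC 2460)


@dataclass(frozen=True)
class Fragment:
    offset_units: int  # raw Fragment Offset field value
    more: bool         # M flag: True if more fragments follow
    payload: bytes     # this fragment's slice of the fragmentable part

    @property
    def start(self) -> int:
        """First byte this fragment covers, relative to the fragmentable part."""
        return self.offset_units * FRAG_UNIT

    @property
    def end(self) -> int:
        """One past the last byte this fragment covers."""
        return self.start + len(self.payload)


def find_overlap(frags: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose byte ranges overlap, else None.
    Sorting by (start, end) means only neighbours need to be compared."""
    ordered = sorted(frags, key=lambda f: (f.start, f.end))
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:
            return prev, cur
    return None


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble the fragmentable part, or return None if the fragment set
    must be discarded (overlap, gap, missing final fragment, or a non-final
    fragment whose length is not a multiple of 8 octets)."""
    if not frags:
        return None
    if find_overlap(frags) is not None:
        return None  # draft rule: overlapping fragments => drop the whole datagram
    ordered = sorted(frags, key=lambda f: f.start)
    if ordered[-1].more:
        return None  # final fragment (M=0) has not arrived
    for f in ordered[:-1]:
        if not f.more or len(f.payload) % FRAG_UNIT != 0:
            return None  # every non-final fragment must be M=1 and 8-octet aligned
    expected = 0
    buf = bytearray()
    for f in ordered:
        if f.start != expected:
            return None  # hole in the data
        buf += f.payload
        expected = f.end
    return bytes(buf)


# Constructed sample data (not real packets).
# Benign: two fragments that tile bytes 0..27 of the fragmentable part.
BENIGN = [
    Fragment(offset_units=0, more=True, payload=b"A" * 16),   # bytes 0..15
    Fragment(offset_units=2, more=False, payload=b"B" * 12),  # bytes 16..27
]
# Overlapping: the second fragment starts at offset 1 (byte 8), inside the first.
OVERLAPPING = [
    Fragment(offset_units=0, more=True, payload=b"A" * 16),   # bytes 0..15
    Fragment(offset_units=1, more=False, payload=b"C" * 20),  # bytes 8..27
]

if __name__ == "__main__":
    print("benign ->", reassemble(BENIGN))
    print("overlap pair ->", find_overlap(OVERLAPPING))
    print("overlapping ->", reassemble(OVERLAPPING))
```

Running it shows the benign set reassembling to 28 bytes while the overlapping set is rejected outright, which is the behaviour the draft asks a receiver to have; a firewall that inspects only the first fragment of a connection gains nothing from this check unless the end host also applies it, which is why the draft changes the host specification rather than the middlebox.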