Hi Nevil, Thanks for the comment. Please see response inline.
On 09-10-27 08:32 AM, Romascanu, Dan (Dan) wrote:
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nevil Brownlee
Sent: Tuesday, October 27, 2009 6:26 AM
To: [email protected]; [email protected]
Subject: [OPS-DIR] Ops Dir review: draft-ietf-6man-overlap-fragment-03

Hi,

I have performed an Operations directorate review of draft-ietf-6man-overlap-fragment-03, Handling of overlapping IPv6 fragments.

This draft points out that IPv6 fragments can overlap, allowing an attacker to get through firewalls that only look at the first packet in a TCP connection. It proposes to change the IPv6 specification (RFC 2460) to forbid overlapping fragments, thus fixing this security problem.

--

1. Is the specification complete? Can multiple interoperable implementations be built based on the specification?
Yes

2. Is the proposed specification deployable? If not, how could it be improved?
Yes

3. Does the proposed approach have any scaling issues that could affect usability for large scale operation?
None that I can see. Although fragmentation is much less used than it used to be, it's probably still necessary.

4. Are there any backward compatibility issues?
No. This change would simply fix a protocol vulnerability.

5. Do you anticipate any manageability issues with the specification?
No.

6. Does the specification introduce new potential security risks or avenues for fraud?
No.

Now, for something completely different, a question: In IPv4 (RFC 791), Fragment Offset is relative to the original unfragmented packet (Stevens, TCP/IP Illustrated). RFC 1858, when describing the 'tiny fragment' attack, uses Fragment Offset 1. But that would point at IP header byte 8! Seems to me that the smallest usable value of Fragment Offset is 3, pointing to byte 24, i.e. just past the shortest IPv4 header.
The fragment offset describes the offset into the DATA part of the datagram. Thus, the TCP header would begin at offset 0 and not offset 3.
Does this seem to you like an error in RFC 1858?
Not really. I think the RFC1858 definition is correct in this matter.

Thanks
Suresh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
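As an added illustration (not code from the draft or from either poster), the check below models what a reassembler or firewall would do under the draft's rule: each fragment's byte range is computed from the Fragment Offset field, which counts 8-octet units from the start of the fragmentable part, so the transport header begins at offset 0 as Suresh notes; any overlap drops the whole datagram, and a first fragment too short to carry a TCP header is flagged (the RFC 1858 "tiny fragment" case). The Fragment class, the sample fragments and the 20-octet threshold are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_MIN_HEADER = 20  # octets of a minimal TCP header (assumed threshold for the tiny-fragment check)

@dataclass
class Fragment:
    """One fragment of the fragmentable part of an IPv6 packet (constructed, not parsed from the wire)."""
    offset: int   # Fragment Offset field: 8-octet units from the start of the fragmentable part
    more: bool    # M flag: True when more fragments follow
    data: bytes   # the slice of the fragmentable part this fragment carries

def byte_range(f: Fragment) -> Tuple[int, int]:
    start = f.offset * 8
    return start, start + len(f.data)

def find_overlap(frags: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose byte ranges overlap, or None."""
    ordered = sorted(frags, key=lambda f: f.offset)
    for a, b in zip(ordered, ordered[1:]):
        if byte_range(b)[0] < byte_range(a)[1]:
            return a, b
    return None

def first_fragment_too_small(frags: List[Fragment]) -> bool:
    """True when the offset-0 fragment is followed by more fragments but cannot hold a full TCP header."""
    first = [f for f in frags if f.offset == 0]
    return bool(first) and first[0].more and len(first[0].data) < TCP_MIN_HEADER

def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble the fragmentable part, or return None to drop the whole datagram
    when fragments overlap (the draft's rule), leave a gap, or are incomplete."""
    if not frags or find_overlap(frags) is not None:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for f in ordered:
        start, end = byte_range(f)
        if start != expected:
            return None              # gap: a fragment is missing
        if f.more and len(f.data) % 8:
            return None              # non-final fragments must be multiples of 8 octets
        expected = end
    if ordered[-1].more:
        return None                  # final fragment not yet seen
    return b"".join(f.data for f in ordered)

# Constructed sample: 40 octets of "TCP header + data", split at 24 and 16 octets.
PAYLOAD = bytes(range(40))
CLEAN = [Fragment(0, True, PAYLOAD[:24]), Fragment(3, False, PAYLOAD[24:])]
OVERLAPPING = [Fragment(0, True, PAYLOAD[:24]), Fragment(2, False, PAYLOAD[16:32])]
TINY_FIRST = [Fragment(0, True, PAYLOAD[:8]), Fragment(1, False, PAYLOAD[8:])]
```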
