Re: [BEHAVE] How to set the DF and the ID values for IPv4 packets (was Re: Amount of fragmentation resulting from translation
Fernando Gont wrote:
> Hello, Marcelo,
>
> Comments in-line....
>
>> So, consider that the translator receives an IPv6 packet without a
>> fragment header.
>> Those packets without the fragment header do not contain any ID value.
>> The stateless document defines that the ID value is set to 0 and the
>> DF set to 1. That works modulo the following black hole situation:
>
> It actually doesn't, even in v4-only scenarios. See Section 3.5.1 of
> http://www.cpni.gov.uk/Docs/InternetProtocol.pdf

Right, Iljitsch mentioned this to me, but it was not obvious to me how
pervasive that behaviour was.
(For those who didn't open the doc, it states that there are middle
boxes that fragment even if the DF bit is set.)

>> packets and set DF to zero. In order to do that, we should generate
>> values for the ID field so that they do not clash
>> That would require changing the stateless document or, if we don't want
>> to keep the seq number state in that document but we consider the
>> problem is real and want to solve it in the stateful case, then take a
>> different approach in the stateless and the stateful documents.
>
> For *this* scenario (xlat),

mmm, I am confused by this.
You mean that this is your recommendation for the stateless translator
and _not_ for the stateful one?
Or that this would be your recommendation for both of them?

> my recommendation would be an RFC1948-like scheme:
>
>   ID = counter + F()
>
> where F() is a hash function that takes src IPv4, Dst IPv4, Protocol,
> and secret_key as parameters.

mmm, for packets containing a full packet (i.e. not a fragment) I was
thinking of a simple counter per source IPv4 address... wouldn't that be
better? I mean, it would minimize the possibility of having a collision.
I mean, the algorithm you suggest seems to have a higher chance of
collision; is there a benefit? I mean, I am not sure if the attacks that
apply to the TCP seq number also apply here....
(For packets containing a fragment, we need to copy the IPv6 value or
reassemble before translating.)

Regards, marcelo

> Thanks!
>
> Kind regards,
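The two ID-selection schemes being compared in the message above, side by side, as an added example written for this page (it is not code from the thread, from the stateless or stateful translation drafts, or from Fernando's CPNI document). Everything beyond "ID = counter + F(src, dst, proto, secret_key)" is an assumption of this example: F() is instantiated as HMAC-SHA256 truncated to 16 bits, the counter in Fernando's scheme is a single translator-wide counter, and the addresses and key are constructed sample values. The example also goes one step past the thread: besides showing whether an off-path host can predict the next ID of another flow (the TCP-ISN-style attack Marcelo asks about), it measures how soon each scheme reuses an ID on a single flow, which depends on the scope of the counter rather than on the hash.

```python
"""Compare per-source-counter and hashed-offset IPv4 ID generation for a
v6->v4 translator. Added example; assumptions: F() = HMAC-SHA256[:2 bytes],
one global counter for the hashed scheme, constructed sample addresses/key.
"""
import hashlib
import hmac
import struct

ID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def flow_key(src, dst, proto):
    """Serialise (src IPv4, dst IPv4, protocol) as the input to F()."""
    return src.encode() + b"|" + dst.encode() + b"|" + bytes([proto])


class PerSourceCounter:
    """Marcelo's suggestion: one 16-bit counter per translated source."""

    def __init__(self):
        self.counters = {}

    def next_id(self, src, dst, proto):
        n = self.counters.get(src, 0)
        self.counters[src] = (n + 1) % ID_MOD
        return n


class HashedOffsetCounter:
    """Fernando's RFC 1948-like suggestion: ID = counter + F(src, dst, proto, key).
    Assumed details: a single global counter; F = truncated HMAC-SHA256."""

    def __init__(self, secret_key):
        self.secret_key = secret_key  # per-translator secret, never on the wire
        self.counter = 0

    def offset(self, src, dst, proto):
        digest = hmac.new(self.secret_key, flow_key(src, dst, proto),
                          hashlib.sha256).digest()
        return struct.unpack(">H", digest[:2])[0]

    def next_id(self, src, dst, proto):
        n = self.counter
        self.counter = (n + 1) % ID_MOD
        return (n + self.offset(src, dst, proto)) % ID_MOD


def off_path_guess(scheme, src, attacker_dst, victim_dst, proto=6):
    """An attacker at attacker_dst receives one packet from src and guesses
    the ID of the next packet src sends to victim_dst (e.g. to inject a
    colliding fragment). Returns True if the naive 'seen + 1' guess hits."""
    seen = scheme.next_id(src, attacker_dst, proto)
    guess = (seen + 1) % ID_MOD
    actual = scheme.next_id(src, victim_dst, proto)
    return guess == actual


def ids_reused_within_flow(scheme, src, dst, proto, other_flows, n):
    """Duplicate IDs on one flow while the translator interleaves one packet
    from each of other_flows between that flow's packets. A duplicate inside
    the reassembly timeout is what lets two datagrams be mis-reassembled."""
    ids = []
    for _ in range(n):
        ids.append(scheme.next_id(src, dst, proto))
        for s, d, p in other_flows:
            scheme.next_id(s, d, p)
    return len(ids) - len(set(ids))


# Constructed sample values (RFC 5737 documentation address ranges).
SRC = "203.0.113.1"
ATTACKER = "198.51.100.9"
VICTIMS = ["192.0.2.7", "192.0.2.8", "192.0.2.9", "192.0.2.10"]
OTHER_SOURCES = [("203.0.113.2", "192.0.2.50", 6),
                 ("203.0.113.3", "192.0.2.51", 17),
                 ("203.0.113.4", "192.0.2.52", 6)]
DEMO_KEY = b"constructed-demo-key-not-for-production"


def predictability_report():
    """Fraction of victim flows whose next ID the off-path attacker guesses,
    for (per-source counter, hashed offset)."""
    naive = sum(off_path_guess(PerSourceCounter(), SRC, ATTACKER, v)
                for v in VICTIMS) / len(VICTIMS)
    hashed = HashedOffsetCounter(DEMO_KEY)
    keyed = sum(off_path_guess(hashed, SRC, ATTACKER, v)
                for v in VICTIMS) / len(VICTIMS)
    return naive, keyed


def reuse_report(n=20000):
    """Duplicate IDs on one flow while three *other* sources are busy,
    for (per-source counter, hashed offset with a global counter)."""
    naive = ids_reused_within_flow(PerSourceCounter(), SRC, VICTIMS[0], 6,
                                   OTHER_SOURCES, n)
    keyed = ids_reused_within_flow(HashedOffsetCounter(DEMO_KEY), SRC,
                                   VICTIMS[0], 6, OTHER_SOURCES, n)
    return naive, keyed


if __name__ == "__main__":
    print("off-path guess success (per-source, hashed):", predictability_report())
    print("duplicate IDs in 20000 packets (per-source, hashed):", reuse_report())
```

With a plain per-source counter the attacker's "seen + 1" guess hits every victim flow, because all of that source's flows share one predictable sequence; with the keyed offset the guess misses, since the difference between two flows' IDs is F(victim) - F(attacker), which the attacker cannot compute without secret_key. The reuse figures show the other side of Marcelo's question: the hash itself adds no collisions (IDs on a flow are still counter values plus a fixed offset), but a single global counter wraps after 65536 packets of *all* traffic, so a busy translator reuses IDs on a quiet flow sooner than a per-source counter would. Scoping the counter per source (or per src/dst/proto tuple) while keeping the keyed offset gets both properties.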
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.