Re: 6MAN WG Last Call: draft-ietf-6man-overlap-fragment-01.txt
Hi Christian,
Thanks for your comments. Please find responses inline.
On 22/05/09 08:30 PM, Christian Vogt wrote:
> Suresh and all -
> I have read the document and support it being progressed as a Proposed
> Standard. The document identifies a security vulnerability that ought
> to be mitigated, and this document is a necessary step in doing so.
OK.
> One comment: Is there data on how common overlapping fragments are in
> the real world? Obviously, the more common overlapping fragments are,
As far as I know, there are no legitimate applications for overlapping
fragments (please send in a note if you see any). I am not aware of any
stack that generates these under normal conditions either.
> the less appropriate it would be for firewalls to enforce
> non-overlapping in the near term. After all, firewalls shouldn't drop
> legitimate sessions that happen to include overlapping fragments. It
> would take some time for existing IPv6 implementations to be updated
> before it would be safe to add such enforcement in firewalls. Hence,
> it may be good to add a cautionary note about this to the document.
If there are no known legitimate applications of overlapping fragments,
would you still like this cautionary note to be included?
Thanks
Suresh
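The check the thread is debating, "enforce non-overlapping fragments", as an added worked example that is not part of this e-mail exchange or of the draft's text. The script below parses the IPv6 Fragment extension header from constructed packets (layout per RFC 2460 section 4.5: next header, reserved, 13-bit fragment offset in 8-octet units, 2 reserved bits, M flag, 32-bit identification), groups fragments by (source, destination, identification), and flags any datagram whose fragments cover overlapping byte ranges. The action on detection, discarding the whole datagram rather than trying to pick a winner, is the rule that the draft's published successor RFC 5722 mandates; that reference is mine, not something stated in the thread. The addresses, identifications and payloads are constructed sample input, and the helper names (`parse_fragment`, `fragments_overlap`, `classify`, `make_fragment`) are this example's own.

```python
"""Detect overlapping IPv6 fragments and reject the whole datagram.

Added example, not code from the thread or the draft. Packet layout
follows RFC 2460 (fixed header) and its Fragment extension header.
"""
import struct
from collections import defaultdict

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_FRAGMENT = 44   # Next Header value for the Fragment extension header
NH_UDP = 17

# Constructed sample addresses (documentation prefix, RFC 3849).
SRC = bytes.fromhex("20010db8") + bytes(10) + bytes.fromhex("0001")
DST = bytes.fromhex("20010db8") + bytes(10) + bytes.fromhex("0002")


def parse_fragment(pkt: bytes):
    """Return ((src, dst, ident), offset_bytes, more_flag, payload) for an
    IPv6 packet whose first extension header is a Fragment header."""
    if len(pkt) < IPV6_HDR_LEN + FRAG_HDR_LEN:
        raise ValueError("truncated packet")
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != NH_FRAGMENT:
        raise ValueError("first extension header is not a Fragment header")
    src, dst = pkt[8:24], pkt[24:40]
    # Fragment header: next hdr (8), reserved (8), offset(13)|res(2)|M(1), identification (32)
    _nh, _res, off_m, ident = struct.unpack("!BBHI", pkt[40:48])
    offset = (off_m >> 3) * 8       # offset is in 8-octet units
    more = off_m & 1
    payload = pkt[48:IPV6_HDR_LEN + payload_len]
    return (src, dst, ident), offset, more, payload


def fragments_overlap(frags):
    """frags: iterable of (offset, length). True if any two byte ranges overlap.
    Sorting by start means any overlap shows up between two adjacent ranges."""
    ranges = sorted((off, off + ln) for off, ln in frags if ln > 0)
    for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]):
        if b_start < a_end:
            return True
    return False


def classify(packets):
    """Group fragments into datagrams and return {key: 'ok' | 'overlap'}.
    A datagram marked 'overlap' is dropped as a whole; no fragment is kept."""
    by_dgram = defaultdict(list)
    for pkt in packets:
        key, off, _more, payload = parse_fragment(pkt)
        by_dgram[key].append((off, len(payload)))
    return {k: ("overlap" if fragments_overlap(v) else "ok")
            for k, v in by_dgram.items()}


def make_fragment(src, dst, ident, offset, more, payload):
    """Build a minimal IPv6 packet carrying one fragment (constructed input)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 octets"
    frag_hdr = struct.pack("!BBHI", NH_UDP, 0, ((offset // 8) << 3) | more, ident)
    ip6 = struct.pack("!IHBB", 6 << 28, FRAG_HDR_LEN + len(payload), NH_FRAGMENT, 64)
    return ip6 + src + dst + frag_hdr + payload


def sample_packets():
    """Constructed sample: one clean two-fragment datagram (0x1111) and one
    whose second fragment re-covers bytes 8..15 of the first (0x2222)."""
    legit = [make_fragment(SRC, DST, 0x1111, 0, 1, b"A" * 16),
             make_fragment(SRC, DST, 0x1111, 16, 0, b"B" * 8)]
    overlapping = [make_fragment(SRC, DST, 0x2222, 0, 1, b"C" * 16),
                   make_fragment(SRC, DST, 0x2222, 8, 0, b"D" * 16)]
    return legit + overlapping


if __name__ == "__main__":
    for (src, dst, ident), verdict in classify(sample_packets()).items():
        print(f"datagram id=0x{ident:04x}: {verdict}")
```

The overlap test is a pure function of the (offset, length) set, so the same logic fits a host reassembler and a stateful firewall that buffers fragments; a stateless filter cannot make this decision, because a single fragment in isolation is never "overlapping".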