Re: {Blocked Content} Overlapping fragments in IPv6 and firewalls

Wed, 30 Jul 2008 04:29:14 -0700 


Suresh Krishnan wrote:



Hi Folks,

  This draft describes how to use overlapping fragments in IPv6 to 
bypass firewalling restrictions. It recommends disallowing overlapping 
fragments in IPv6.


Thanks
Suresh



The following two documents provide fairly detailed analysis of this (and other 
issues) that IPv6 Firewalls should consider:


Firewall Design Considerations for IPv6
http://www.nsa.gov/snac/ipv6/I733-041R-2007.pdf

A Filtering Strategy for Mobile IPv6
http://www.nsa.gov/snac/ipv6/I733-040R-2007.pdf


The first document covers other interesting issues with fragments, including the 
possibility of tunneled fragments being fragmented again ... header option 
ordering, etc.



As far as specsmanship to "prohibit" overlapping fragments, if the motivation is 
to change/ensure the behavior of all end nodes, updating 2460 (or some other 
vehicle) might make sense.



If the goal is to effect the behavior of firewalls, what we really need is a 
firewalls capability spec.  As far as I know, firewalls are not required to 
enforce all aspects of protocol correctness ... nor are they required to follow 
all aspects of end to end protocol specs.  So it is questionable if changing 
2460 will impact firewall behavior ... unless the firewall community decides on 
its own that it is a useful/necessary feature to implement.  Maybe it would some 
leverage that customers could use to lean on FW implementors .... but it would 
be indirect.


dougm
--
+----------------------------------------------------------------------------+
| Doug Montgomery       Manager, Internetworking Technologies Research Group |
| Advanced Network Technologies Division      WWW: http://www.antd.nist.gov/ |
| National Institute of Standards and Technology      Email:  [EMAIL PROTECTED] 
|
| 100 Bureau Drive                                    Voice: +1-301-975-3630 |
| Gaithersburg, MD 20899-8920 USA                     Fax:   +1-301-975-6238 |
| Key fingerprint =       3BCA EDD0 585D D068 CD46 E578 BD01 92A3 D1B0 04BB  |
+----------------------------------------------------------------------------+

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------














    











					Reply via email to