Hi Christian,
  Thanks for your comments. Please find responses inline.

On 22/05/09 08:30 PM, Christian Vogt wrote:
> Suresh and all -
>
> I have read the document and support it being progressed as a Proposed
> Standard.  The document identifies a security vulnerability that ought
> to be mitigated, and this document is a necessary step in doing so.

OK.


> One comment:  Is there data on how common overlapping fragments are in
> the real world?  Obviously, the more common overlapping fragments are,

As far as I know, there are no legitimate applications for overlapping fragments (please send in a note if you see any). I am not aware of any stack that generates these under normal conditions either.

> the less appropriate it would be for firewalls to enforce
> non-overlapping in the near term.  After all, firewalls shouldn't drop
> legitimate sessions that happen to include overlapping fragments.  It
> would take some time for existing IPv6 implementations to be updated
> before it would be safe to add such enforcement in firewalls.  Hence,
> it may be good to add a cautionary note about this to the document.

If there are no known legitimate applications of overlapping fragments, would you still like this cautionary note to be included?

Thanks
Suresh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
