Hi, Ray,

Thanks so much for your feedback! Please find my comments in-line...


On 01/05/2013 07:24 AM, Ray Hunter wrote:
> I have read this draft and support it, as it provides a valuable
> security update to IPv6.

Thanks!


> Nits:
> 
> s/A received "atomic fragments" should be "reassembled" from the
> contents of that sole fragment./
> Each received "atomic fragment" should be individually "reassembled"
> from the contents of that sole fragment./

Will apply this change to the next rev.



> /Many implementations fail to perform validation checks on the received
> ICMPv6 error messages, as recommended in Section 5.2 of [RFC4443] and
> [RFC5927]./
> 
> Although RFC4443 is a standard track document, none of the language in
> Section 5.2 contains RFC2119 keywords.
> RFC5927 is informational.
> 
> You may consider this a separate but related issue to atomic fragments,
> but does validation checking of ICMPv6 messages need to be addressed
> further in your current ID?

What I've tried to note with the above comment is how trivial it is to
trigger the use of IPv6 atomic fragments.


> I think your current ID stands alone whether these validation checks are 
> performed or not.

Agreed. But what I've tried to stress is that it is trivial to make any
connection employ atomic fragments -- hence it's not that the only
targets of atomic-fragment attacks are those connections already employing
atomic fragments or fragmentation: it's trivial to trigger the use of
such fragments, and then perform a fragmentation-based attack...



> Are we then really justified in chastising implementors who ignore these
> recommendations by somehow implying they've 'failed'?
> Suggested alternative s/Many implementations fail to/Many
> implementations do not/

I'm fine with your proposed text. Should the resulting text then be:

"Many implementations do not perform validation checks on the received
ICMPv6 error messages as recommended in Section 5.2 of [RFC4443] and
[RFC5927]"

?

Or can this be read as "they do not perform these validation checks, as
RFC4443 and RFC5927 recommend *not* to do so"? (English as second
language here)

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
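The thread above refers to the validation checks on received ICMPv6 error messages recommended in Section 5.2 of RFC 4443 and in RFC 5927. The following is an added example, not part of this e-mail thread or of the draft under discussion, showing what such a check looks like on the receiving host: an ICMPv6 error (here Packet Too Big) is only allowed to act on a TCP connection if the invoking packet embedded in the error matches a connection in the local table and its TCP sequence number falls within the range of data already sent (SND.UNA <= SEG.SEQ < SND.NXT, the check RFC 5927 describes). The connection table, addresses and message bytes are constructed for the example; extension headers between the IPv6 and TCP headers are not handled.

```python
"""Validating ICMPv6 error messages against a TCP connection table.

Added illustration of the checks RFC 4443 Section 5.2 and RFC 5927 recommend
before an ICMPv6 error (e.g. Packet Too Big) is allowed to act on a
connection: the invoking packet embedded in the error must belong to a
connection the host actually has, and its TCP sequence number must fall in
the range of data already sent.  All addresses and bytes are constructed
for this example.
"""
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_PACKET_TOO_BIG = 2     # RFC 4443 error type
IPV6_HEADER_LEN = 40
NEXT_HEADER_TCP = 6


@dataclass
class TcpConnection:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent


def seq_in_send_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if SND.UNA <= seq < SND.NXT, taking 32-bit wraparound into account."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def validate_icmpv6_error(icmp_msg: bytes, connections):
    """Return the connection the embedded invoking packet belongs to, else None.

    icmp_msg is the ICMPv6 message: type, code, checksum, 4 bytes of
    type-specific data (the MTU for Packet Too Big), then as much of the
    invoking packet as fit.  Checksum verification is assumed to have been
    done by the IP layer before this point.
    """
    # Need the 8-byte ICMPv6 header, a full IPv6 header, and TCP ports + seq.
    if len(icmp_msg) < 8 + IPV6_HEADER_LEN + 8:
        return None
    if icmp_msg[0] >= 128:
        return None  # informational type: carries no invoking packet
    inner = icmp_msg[8:]
    if inner[0] >> 4 != 6 or inner[6] != NEXT_HEADER_TCP:
        return None  # not IPv6, or not TCP directly after the base header
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    sport, dport, seq = struct.unpack_from("!HHI", inner, IPV6_HEADER_LEN)
    for conn in connections:
        # The invoking packet was sent by us, so its source is our local endpoint.
        if (src == ipaddress.IPv6Address(conn.local_addr)
                and sport == conn.local_port
                and dst == ipaddress.IPv6Address(conn.remote_addr)
                and dport == conn.remote_port
                and seq_in_send_window(seq, conn.snd_una, conn.snd_nxt)):
            return conn
    return None


def build_icmpv6_error(icmp_type, code, type_specific, src, dst, sport, dport, seq):
    """Construct an ICMPv6 error carrying an IPv6/TCP invoking packet (sample data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)
    ipv6 = (struct.pack("!IHBB", 6 << 28, len(tcp), NEXT_HEADER_TCP, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return struct.pack("!BBHI", icmp_type, code, 0, type_specific) + ipv6 + tcp


# Constructed connection table: one established TCP connection.
CONNECTIONS = [TcpConnection("2001:db8::1", 40000, "2001:db8::2", 443,
                             snd_una=1000, snd_nxt=1500)]


def demo():
    """Run three Packet Too Big messages through the validator."""
    ok = build_icmpv6_error(ICMPV6_PACKET_TOO_BIG, 0, 1280,
                            "2001:db8::1", "2001:db8::2", 40000, 443, 1200)
    bad_seq = build_icmpv6_error(ICMPV6_PACKET_TOO_BIG, 0, 1280,
                                 "2001:db8::1", "2001:db8::2", 40000, 443, 900000)
    bad_tuple = build_icmpv6_error(ICMPV6_PACKET_TOO_BIG, 0, 1280,
                                   "2001:db8::1", "2001:db8::2", 40000, 80, 1200)
    return {
        "matching": validate_icmpv6_error(ok, CONNECTIONS) is not None,
        "seq_outside_window": validate_icmpv6_error(bad_seq, CONNECTIONS) is not None,
        "unknown_connection": validate_icmpv6_error(bad_tuple, CONNECTIONS) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Only the first message passes; the other two are dropped because the sequence number lies outside the data sent, or because no connection matches the embedded addresses and ports. A stack that applies this check before acting on a Packet Too Big message will not lower its path MTU (and so will not start emitting fragments) on the strength of an error that does not correspond to traffic it actually sent.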




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------