Suresh Krishnan wrote:
Hi Folks,
This draft describes how to use overlapping fragments in IPv6 to
bypass firewalling restrictions. It recommends disallowing overlapping
fragments in IPv6.
Thanks
Suresh
The following two documents provide fairly detailed analysis of this (and other
issues) that IPv6 Firewalls should consider:
Firewall Design Considerations for IPv6
http://www.nsa.gov/snac/ipv6/I733-041R-2007.pdf
A Filtering Strategy for Mobile IPv6
http://www.nsa.gov/snac/ipv6/I733-040R-2007.pdf
The first document covers other interesting issues with fragments, including the
possibility of tunneled fragments being fragmented again ... header option
ordering, etc.
As far as specsmanship to "prohibit" overlapping fragments, if the motivation is
to change/ensure the behavior of all end nodes, updating 2460 (or some other
vehicle) might make sense.
If the goal is to affect the behavior of firewalls, what we really need is a
firewalls capability spec. As far as I know, firewalls are not required to
enforce all aspects of protocol correctness ... nor are they required to follow
all aspects of end to end protocol specs. So it is questionable if changing
2460 will impact firewall behavior ... unless the firewall community decides on
its own that it is a useful/necessary feature to implement. Maybe it would give some
leverage that customers could use to lean on FW implementors .... but it would
be indirect.
dougm
--
Doug Montgomery, Manager, Internetworking Technologies Research Group
Advanced Network Technologies Division          WWW: http://www.antd.nist.gov/
National Institute of Standards and Technology  Email: [EMAIL PROTECTED]
100 Bureau Drive                                Voice: +1-301-975-3630
Gaithersburg, MD 20899-8920 USA                 Fax: +1-301-975-6238
Key fingerprint = 3BCA EDD0 585D D068 CD46 E578 BD01 92A3 D1B0 04BB
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------