
Re: threats ID



On 21-jan-04, at 0:18, Masataka Ohta wrote:

However, IP layer does not have any state of a connection,

That's not true. The routing table is state,

It is not state of a connection.

Ok.


as is per-destination path MTU information.

It is a wrong understanding of PMTUD issues.

PMTUD is an issue of connections.

A few years ago, transport people finally recognized it and
had a BoF or WG to do PMTUD at the transport layer. I haven't
traced the activity, because I think PMTUD is a bad idea even
if it is implemented at the transport layer.

In IPv4 PMTUD is mostly a TCP thing: UDP and other non-TCP packets are generally transmitted with the DF bit set to zero. However, this isn't possible in IPv6: if a router returns a "packet too big" ICMP message, the source is required to start fragmenting subsequent packets. So in IPv6, PMTUD is very much an IP layer issue, even if the transport layer is also aware of it.


I believe NOID and certainly ODT allow layer 4 to work without changes,

You can believe so, just as you can believe NAT allows layer 4 to work
without changes.

:-)


The real problems start at layers above 4 with NAT...

Fortunately none of the MH mechanisms that have been proposed here use NAT (as far as I can remember, at least).

This is important, because true man in the middle capability isn't something that is easily achieved, while "man on the sideline", where the attacker can observe data and inject his own, but not stop the real data from flowing, is fairly trivial to achieve in many situations.

Maybe. But, it has nothing to do with M6.

I tend to agree, but I don't think we can entirely dismiss the potential attacks that go beyond what's possible today when attackers have this capability.
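The per-destination path MTU state argued about above, as an added example in Python that is not part of the thread or anyone's implementation: a host-side IPv6 PMTU cache that lowers its estimate on an ICMPv6 Packet Too Big and then fragments later datagrams to fit, with the two checks a receiver should apply before trusting such a message (the embedded packet must be one we sent, and the reported MTU must not be below the 1280-byte IPv6 minimum, per RFC 8201). Message layouts follow RFC 8200 and RFC 4443; the addresses, the 1500-byte first-hop MTU and the fragment identification value are constructed assumptions, and checksums are left at zero because nothing here touches the wire.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280            # RFC 8201: every IPv6 link must carry 1280-byte packets
ICMPV6_PACKET_TOO_BIG = 2      # ICMPv6 type (RFC 4443)
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NEXT_HEADER_FRAGMENT = 44
ASSUMED_LINK_MTU = 1500        # assumption: Ethernet-sized first-hop link


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """Fixed IPv6 header (RFC 8200), traffic class and flow label zero."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def build_packet_too_big(mtu, invoking_packet):
    """ICMPv6 Packet Too Big (RFC 4443 sec 3.2): type, code 0, checksum, MTU,
    then as much of the dropped packet as fits in a minimum-MTU message.
    Checksum stays 0: this example never puts a packet on the wire."""
    room = IPV6_MIN_MTU - IPV6_HDR_LEN - 8
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking_packet[:room]


class PathMTUCache:
    """Per-destination path MTU state kept by the IP layer of one host."""

    def __init__(self, my_addr):
        self.my_addr = ipaddress.IPv6Address(my_addr)
        self.mtu = {}          # IPv6Address(dst) -> current path MTU estimate

    def pmtu(self, dst):
        return self.mtu.get(ipaddress.IPv6Address(dst), ASSUMED_LINK_MTU)

    def handle_icmpv6(self, msg):
        """Process a received ICMPv6 message.  Returns the destination whose
        path MTU was lowered, or None when the message is ignored."""
        if len(msg) < 8 + IPV6_HDR_LEN:
            return None
        icmp_type, code, _csum, mtu = struct.unpack("!BBHI", msg[:8])
        if icmp_type != ICMPV6_PACKET_TOO_BIG or code != 0:
            return None
        inner = msg[8:]
        if inner[0] >> 4 != 6:
            return None
        inner_src = ipaddress.IPv6Address(inner[8:24])
        inner_dst = ipaddress.IPv6Address(inner[24:40])
        # Tie the message to our own traffic: the embedded packet must name us
        # as its source.  This does not stop an on-path observer who has seen
        # the flow, but it discards blind guesses aimed at other hosts' flows.
        if inner_src != self.my_addr:
            return None
        # RFC 8201 sec 4: a reported MTU below the IPv6 minimum is discarded,
        # so an injected message cannot force fragmentation into tiny pieces.
        if mtu < IPV6_MIN_MTU:
            return None
        # Packet Too Big only lowers the estimate; increases come from probing.
        if mtu >= self.pmtu(inner_dst):
            return None
        self.mtu[inner_dst] = mtu
        return str(inner_dst)

    def send(self, dst, payload, next_header=17):
        """Return the IPv6 packets carrying payload to dst under the cached
        path MTU, inserting a Fragment header (RFC 8200 sec 4.5) when the
        datagram does not fit.  next_header 17 = UDP."""
        pmtu = self.pmtu(dst)
        if IPV6_HDR_LEN + len(payload) <= pmtu:
            return [build_ipv6_header(self.my_addr, dst, len(payload), next_header) + payload]
        chunk = (pmtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8   # fragment data, 8-byte multiple
        ident = 0x1234ABCD                                       # constructed identification
        packets, offset = [], 0
        while offset < len(payload):
            piece = payload[offset:offset + chunk]
            more = 1 if offset + len(piece) < len(payload) else 0
            frag_hdr = struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | more, ident)
            hdr = build_ipv6_header(self.my_addr, dst, FRAG_HDR_LEN + len(piece), NEXT_HEADER_FRAGMENT)
            packets.append(hdr + frag_hdr + piece)
            offset += len(piece)
        return packets


if __name__ == "__main__":
    host = PathMTUCache("2001:db8::1")
    first = host.send("2001:db8::2", b"A" * 1400)
    print(len(first), "packet(s) before Packet Too Big")
    host.handle_icmpv6(build_packet_too_big(1280, first[0]))
    after = host.send("2001:db8::2", b"A" * 1400)
    print(len(after), "packet(s) after, sizes", [len(p) for p in after])
```

The point of the example is that nothing in `PathMTUCache` knows about connections: the key is the destination address, and a single Packet Too Big changes how every later datagram to that destination is sent, whatever transport it carries. Running it against real traffic would need raw sockets and a computed ICMPv6 checksum, which are deliberately left out.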