
Re: threats ID



Iljitsch;

A few years ago, transport people finally recognized it and
had a BoF or WG to do PMTUD at the transport layer. I haven't
traced the activity, because I think PMTUD is a bad idea even
if it is implemented at the transport layer.


> In IPv4 PMTUD is mostly a TCP thing:

Whether PMTUD is a TCP thing or not is independent of the IP layer.


> UDP and other non-TCP packets are generally transmitted with the DF bit set to zero.

It is because the minimum MTU of IPv4 is too small.


> However, this isn't possible in IPv6: if a router returns a "packet too big" ICMP message, the source is required to start fragmenting subsequent packets. So in IPv6, PMTUD is very much an IP layer issue, even if the transport layer is also aware of it.

Just send 1280 bytes.


Given that all the protocols are required to operate with an MTU of
1280 anyway, that most links will have an MTU of 1500 forever, that
no multicast protocols can perform PMTUD and that each transport
and application layer protocol must be modified to accommodate
PMTUD, there is no point in being bothered to have PMTUD.

It is a very good design of IPv6 to outlaw fragmentation.

Even better is to make minimum MTU 1280.

The best could have been to make the minimum MTU 1500 to
outlaw the dialup protocol of PPP over Ethernet, though.

> Fortunately none of the MH mechanisms that have been proposed here use NAT (as far as I can remember, at least).

I'm not sure what you mean by "proposed", but Dave Crocker explicitly admitted that his proposal is essentially NAT.

> This is important, because true man in the middle capability isn't something that is easily achieved, while "man on the sideline", where the attacker can observe data and inject his own, but not stop the real data from flowing, is fairly trivial to achieve in many situations.


Maybe. But, it has nothing to do with M6.


> I tend to agree but I don't think we can entirely dismiss the potential attacks that go beyond what's possible today when attackers have this capability.

I have shown, with DNS, that what's possible today is connection hijacking, which means it is already the worst.

Masataka Ohta