Re: Comments on draft-manral-v6ops-tiny-fragments-issues-02.txt
Vishwas:
I have gotten some comments off-list, and some comments on.
The general consensus of what I'm hearing is that the draft is
incomplete, but hits on a real problem, which is that of overlapping
fragments resulting in a variety of attacks. Your primary concern is
not that, however, it is the matter of the first fragment managing to
enable a firewall to mis-apply a rule, allowing a packet to get
through because the port number is in the second fragment.
The security overview document draft-ietf-v6ops-security-overview-04.txt,
in sections 2.1.10 and 2.1.11, addresses
fragmentation-related issues. The IESG has bounced that back with a
number of comments, and so there will need to be a new draft posted.
I would suggest that you correspond with the authors, copied; I
believe that you will find that they are willing to make sure your
issues are covered in that draft.
Fred
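A worked illustration of the bypass Fred describes, added here as an example; it is not part of the message or of either draft. It assumes a stateless ACL of the "deny tcp to port 22" kind, which only matches when the TCP ports are visible in the packet being inspected, and it assumes the Fragment header follows the IPv6 header directly. The first fragment carries only a Destination Options header and zero bytes of TCP, so the ports first appear in the second fragment and the naive filter lets both pieces through. The `strict` mode implements the rule later codified in RFC 7112: a first fragment that does not contain the entire header chain, upper-layer header included, is discarded. All packet bytes are constructed in code, not captured.

```python
"""Tiny-fragment bypass of a stateless IPv6 port filter and the check that
closes it.  Constructed example: every packet below is built in code, and the
filter is a simplified model of a router ACL, not any vendor's implementation."""
import struct

IPPROTO_TCP, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 6, 44, 60
SRC = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(next_header, payload_len):
    # Version 6, traffic class 0, flow label 0, hop limit 64.
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + SRC + DST


def fragment_header(next_header, offset_8octets, more, ident):
    # Next Header, Reserved, Fragment Offset (13 bits) | Res (2) | M (1), Identification.
    return struct.pack("!BBHI", next_header, 0, (offset_8octets << 3) | more, ident)


def dest_options_header(next_header):
    # Minimal 8-byte Destination Options header: Hdr Ext Len 0, one PadN option.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def tcp_header(sport, dport):
    # 20-byte TCP SYN with no options; checksum left at zero, nothing here verifies it.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_tiny_fragment_attack(dport=22, ident=0x1234):
    """Fragmentable part = DestOpts (8 bytes) + TCP (20 bytes).  Fragment 1 carries
    only the DestOpts header, so the TCP ports first appear in fragment 2."""
    frag_part = dest_options_header(IPPROTO_TCP) + tcp_header(40000, dport)
    f1 = fragment_header(IPPROTO_DSTOPTS, 0, 1, ident) + frag_part[:8]
    f2 = fragment_header(IPPROTO_DSTOPTS, 1, 0, ident) + frag_part[8:]
    return [ipv6_header(IPPROTO_FRAGMENT, len(f1)) + f1,
            ipv6_header(IPPROTO_FRAGMENT, len(f2)) + f2]


def build_unfragmented(dport=22):
    tcp = tcp_header(40000, dport)
    return ipv6_header(IPPROTO_TCP, len(tcp)) + tcp


def filter_packet(pkt, denied_ports, strict):
    """Stateless per-packet filter, returns 'allow' or 'drop'.
    strict=False: a first fragment without its transport header matches no port
    rule and is let through (the behaviour the draft warns about).
    strict=True:  RFC 7112 rule, a first fragment that does not carry the whole
    header chain including the upper-layer header is dropped."""
    incomplete = "drop" if strict else "allow"
    nh, pos = pkt[6], 40
    while True:
        if nh == IPPROTO_TCP:
            if pos + 20 > len(pkt):
                return incomplete
            dport = struct.unpack("!H", pkt[pos + 2:pos + 4])[0]
            return "drop" if dport in denied_ports else "allow"
        if nh == IPPROTO_FRAGMENT:
            if pos + 8 > len(pkt):
                return "drop"
            offset = struct.unpack("!H", pkt[pos + 2:pos + 4])[0] >> 3
            nh, pos = pkt[pos], pos + 8
            if offset != 0:
                return "allow"  # non-first fragment: no ports to match, ACL lets it by
            continue
        if nh == IPPROTO_DSTOPTS:
            if pos + 8 > len(pkt):
                return incomplete
            nh, pos = pkt[pos], pos + (pkt[pos + 1] + 1) * 8
            if pos > len(pkt):
                return incomplete
            continue
        return "drop"  # other header types are not modelled here


def reassemble(fragments):
    """Host-side reassembly for one packet.  Returns (next_header, fragmentable
    part) or None when a piece is missing."""
    pieces, total, first_nh = {}, None, None
    for pkt in fragments:
        if pkt[6] != IPPROTO_FRAGMENT:
            return None
        off_m = struct.unpack("!H", pkt[42:44])[0]
        offset, more = (off_m >> 3) * 8, off_m & 1
        pieces[offset] = pkt[48:]
        if offset == 0:
            first_nh = pkt[40]
        if not more:
            total = offset + len(pkt[48:])
    if total is None or first_nh is None:
        return None
    buf, pos = b"", 0
    while pos < total:
        if pos not in pieces:
            return None  # hole: a fragment was dropped by the filter
        buf, pos = buf + pieces[pos], pos + len(pieces[pos])
    return first_nh, buf


def delivered_tcp_dport(fragments, denied_ports=frozenset({22}), strict=False):
    """TCP port the reassembled packet reaches behind the filter, or None."""
    passed = [p for p in fragments if filter_packet(p, denied_ports, strict) == "allow"]
    result = reassemble(passed)
    if result is None:
        return None
    nh, data, pos = result[0], result[1], 0
    while nh == IPPROTO_DSTOPTS:
        nh, pos = data[pos], pos + (data[pos + 1] + 1) * 8
    return struct.unpack("!H", data[pos + 2:pos + 4])[0] if nh == IPPROTO_TCP else None
```

With `strict=False` both fragments pass and the host reassembles a SYN to port 22 despite the deny rule; with `strict=True` the first fragment is dropped, reassembly never completes, and the rule holds. The strict check is only useful where the policy is enforced; the receiving host should apply the same rule to first fragments it receives, and a stateful filter that reassembles before matching is the other way to close the gap.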