
Re: Comments on draft-manral-v6ops-tiny-fragments-issues-02.txt



Vishwas:

I have gotten some comments off-list, and some comments on.

The general consensus of what I'm hearing is that the draft is incomplete, but hits on a real problem, which is that of overlapping fragments resulting in a variety of attacks. Your primary concern, however, is not that; it is the matter of the first fragment managing to enable a firewall to mis-apply a rule, allowing a packet to get through because the port number is in the second fragment.

The security overview document draft-ietf-v6ops-security-overview-04.txt, in sections 2.1.10 and 2.1.11, addresses fragmentation-related issues. The IESG has bounced that back with a number of comments, and so there will need to be a new draft posted. I would suggest that you correspond with the authors, copied; I believe that you will find that they are willing to make sure your issues are covered in that draft.

Fred
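The firewall failure mode summarised in the message above (a first fragment that ends before the transport header, so a port-based rule has nothing to match and the packet is waved through, while the later fragment that does carry the port is never inspected) can be shown with a small stateless filter. This is an added example written for this archive page; it is not code from the draft, the security overview document, or any of the correspondents. The packet builders, the `inspect`, `naive_filter` and `hardened_filter` names, the allowed-port set and the sample packets are all constructed for illustration, and the parser only walks the Fragment, Hop-by-Hop, Routing and Destination Options headers. The hardened variant applies the rule that the first fragment must carry the entire header chain plus the full TCP/UDP header before any policy decision is made on it (the requirement later standardised in RFC 7112); a first fragment that does not is dropped, so the receiver can never reassemble a datagram the filter did not get to see.

```python
import struct

IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_TCP, NH_UDP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 6, 17, 43, 44, 60
EXT_HDRS = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}      # common (next header, ext len) layout
MIN_L4_HDR = {NH_TCP: 20, NH_UDP: 8}                  # bytes needed to read ports (and TCP flags)
ALLOWED_DST_PORTS = {80, 443}                         # constructed policy for the example


def inspect(pkt: bytes) -> dict:
    """Walk the IPv6 header chain of one packet or fragment.

    Returns where the transport header starts, how many bytes of it are present in
    this piece, and 'tiny': True when this is a first fragment (or whole packet) whose
    header chain or TCP/UDP header is not completely contained in it."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    if len(pkt) != IPV6_HDR_LEN + payload_len:
        raise ValueError("payload length does not match packet size")
    off, first, more, complete = IPV6_HDR_LEN, True, False, True
    while nh in EXT_HDRS or nh == NH_FRAGMENT:
        if len(pkt) < off + 8:                        # every header here is at least 8 bytes
            complete = False                          # chain runs past the end of this piece
            break
        if nh == NH_FRAGMENT:
            nh, _res, frag_field, _ident = struct.unpack_from("!BBHI", pkt, off)
            first = (frag_field >> 3) == 0            # offset is in 8-octet units
            more = bool(frag_field & 1)
            off += 8
            if not first:
                break                                 # later fragments carry data only
        else:
            ext_nh, ext_len = pkt[off], pkt[off + 1]
            hlen = (ext_len + 1) * 8
            if len(pkt) < off + hlen:
                complete = False
                break
            nh, off = ext_nh, off + hlen
    l4_bytes = len(pkt) - off
    if first and nh in MIN_L4_HDR and l4_bytes < MIN_L4_HDR[nh]:
        complete = False
    return {"next_header": nh, "first": first, "more": more,
            "l4_offset": off, "l4_bytes": l4_bytes, "tiny": first and not complete}


def _dst_port(pkt: bytes, info: dict) -> int:
    return struct.unpack_from("!H", pkt, info["l4_offset"] + 2)[0]


def naive_filter(pkt: bytes) -> str:
    """Fail-open stateless port filter: decides on first fragments only, and lets a
    first fragment through when the port fields are not there to check."""
    info = inspect(pkt)
    if not info["first"]:
        return "allow"                                # no ports in later fragments
    if info["next_header"] not in MIN_L4_HDR:
        return "drop"
    if info["l4_bytes"] < 4:
        return "allow"                                # the mistake the message describes
    return "allow" if _dst_port(pkt, info) in ALLOWED_DST_PORTS else "drop"


def hardened_filter(pkt: bytes) -> str:
    """Same policy, but a first fragment must contain the whole header chain and the
    full transport header before a rule is applied to it; tiny first fragments are
    dropped, so the remaining fragments can never be reassembled by the receiver."""
    info = inspect(pkt)
    if info["tiny"]:
        return "drop"
    if not info["first"]:
        return "allow"
    if info["next_header"] not in MIN_L4_HDR:
        return "drop"
    return "allow" if _dst_port(pkt, info) in ALLOWED_DST_PORTS else "drop"


# --- constructed sample packets (documentation-prefix addresses, made up for this example) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(nh: int, body: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(body), nh, 64) + SRC + DST + body


def frag_hdr(nh: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), ident)


def dest_opts(nh: int) -> bytes:
    # 8-byte Destination Options header holding a single 4-byte PadN option
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])


def tcp_header(sport: int, dport: int) -> bytes:
    # 20-byte TCP header: ports, seq, ack, data offset 5, SYN, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


PLAIN_SSH = ipv6(NH_TCP, tcp_header(40000, 22))                                  # unfragmented
PLAIN_WEB = ipv6(NH_TCP, tcp_header(40000, 80))
FIRST_OK = ipv6(NH_FRAGMENT, frag_hdr(NH_TCP, 0, True) + tcp_header(40000, 22) + b"A" * 4)
# Tiny first fragment: Fragment header + Destination Options, TCP header pushed to the next piece
TINY_FIRST = ipv6(NH_FRAGMENT, frag_hdr(NH_DSTOPTS, 0, True) + dest_opts(NH_TCP))
SECOND = ipv6(NH_FRAGMENT, frag_hdr(NH_DSTOPTS, 1, False) + tcp_header(40000, 22))

if __name__ == "__main__":
    for name, pkt in [("plain ssh", PLAIN_SSH), ("plain web", PLAIN_WEB), ("first ok", FIRST_OK),
                      ("tiny first", TINY_FIRST), ("second", SECOND)]:
        print(f"{name:11} naive={naive_filter(pkt):5} hardened={hardened_filter(pkt)}")
```

Run stand-alone, the script shows the split decision on the tiny first fragment: the naive filter allows it (and the second fragment carrying port 22 as well, because it never looks at non-first fragments), while the hardened filter drops the tiny first fragment and thereby makes the second one harmless. Both filters behave identically on the unfragmented packets and on the fragment that carries the whole TCP header.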