Last Call Review of draft-ietf-6man-predictable-fragment-id-09
review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10-00

Request Review of draft-ietf-6man-predictable-fragment-id
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-09-09
Requested 2015-08-27
Authors Fernando Gont
Draft last updated 2015-09-10
Completed reviews Genart Last Call review of -09 by Meral Shirazipour (diff)
Genart Telechat review of -10 by Meral Shirazipour
Opsdir Last Call review of -09 by Sheng Jiang (diff)
Secdir Telechat review of -10 by Klaas Wierenga
Secdir Last Call review of -09 by Klaas Wierenga (diff)
Assignment Reviewer Klaas Wierenga
State Completed
Review review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10
Reviewed rev. 09 (document currently at 10)
Review result Has Issues
Review completed: 2015-09-10

Review
review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document describes security implications of predictable values for the identification field in fragment headers for IPv6.

I believe the document has some issues, see below.

The document does an analysis of the security implications of predictable identification fields and I believe (not being an IPv6 expert) that it does a good job at that. The analysis of the potential exploits is convincing.
Where I am struggling a bit is the algorithms for selecting fragment identification values (5).

The intro text states that there are ‘a number of algorithms', but really there are only 3:
1- per destination counter random initialised
2- random value
3- hash over source, destination, secret with a counter

1 and 3 are essentially the same, the hash function in 3 performs the same function as the pseudo random generated initial value in 1 if I am not mistaken.
So really the choice is between a random value for every datagram or a random value at initialisation of a connection and increasing by 1 for every subsequent datagram.

I’d really like to see some quantitative analysis as to the impact of a random value per packet as well as between 1 and 3. Now, as an implementer I will know about the vulnerability but can not really determine what mediation route to follow.

So to sum up, I really liked the analysis part, but I would prefer some work on the solution to the problem part.

Klaas

--
Klaas Wierenga
Identity Architect
Cisco Cloud Services