Last Call Review of draft-ietf-6man-predictable-fragment-id-09
review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10-00
| Request | Review of | draft-ietf-6man-predictable-fragment-id |
|---|---|---|
| Requested rev. | no specific revision (document currently at 10) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2015-09-09 | |
| Requested | 2015-08-27 | |
| Draft last updated | 2015-09-10 | |
| Completed reviews |
Genart Last Call review of -09 by Meral Shirazipour
(diff)
Genart Telechat review of -10 by Meral Shirazipour Opsdir Last Call review of -09 by Sheng Jiang (diff) Secdir Telechat review of -10 by Klaas Wierenga Secdir Last Call review of -09 by Klaas Wierenga (diff) |
|
| Assignment | Reviewer | Klaas Wierenga |
| State | Completed | |
| Review | review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10 | |
| Reviewed rev. | 09 (document currently at 10) | |
| Review result | Has Issues | |
| Review completed: | 2015-09-10 |
Review
review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10
Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes security implications of predictable values for the identification field in fragment headers for IPv6. I believe the document has some issues, see below. The document does an analysis of the security implications of predictable identification fields and I believe (not being an IPv6 expert) that it does a good job at that. The analysis of the potential exploits is convincing. Where I am struggling a bit is the algorithms for selecting fragment identification values (5). The intro text states that there are ‘a number of algorithms', but really there are only 3: 1- per destination counter random initialised 2- random value 3- hash over source, destination, secret with a counter 1 and 3 are essentially the same, the hash function in 3 performs the same function as the pseudo random generated initial value in 1 if I am not mistaken. So really the choice is between a random value for every datagram or a random value at initialisation of a connection and increasing by 1 for every subsequent datagram. I’d really like to see some quantitative analysis as to the impact of a random value per packet as well as between 1 and 3. Now, as an implementer I will know about the vulnerability but can not really determine what mediation route to follow. So to sum up, I really liked the analysis part, but I would prefer some work on the solution to the problem part. Klaas -- Klaas Wierenga Identity Architect Cisco Cloud Services