Telechat Review of draft-ietf-6man-predictable-fragment-id-10
review-ietf-6man-predictable-fragment-id-10-secdir-telechat-wierenga-2015-10-22-00
| Request | Review of | draft-ietf-6man-predictable-fragment-id |
|---|---|---|
| Requested rev. | no specific revision (document currently at 10) | |
| Type | Telechat Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2015-10-20 | |
| Requested | 2015-10-15 | |
| Authors | Fernando Gont | |
| Draft last updated | 2015-10-22 | |
| Completed reviews |
Genart Last Call review of -09 by Meral Shirazipour
(diff)
Genart Telechat review of -10 by Meral Shirazipour Opsdir Last Call review of -09 by Sheng Jiang (diff) Secdir Telechat review of -10 by Klaas Wierenga Secdir Last Call review of -09 by Klaas Wierenga (diff) |
|
| Assignment | Reviewer | Klaas Wierenga |
| State | Completed | |
| Review | review-ietf-6man-predictable-fragment-id-10-secdir-telechat-wierenga-2015-10-22 | |
| Reviewed rev. | 10 | |
| Review result | Ready | |
| Review completed: | 2015-10-22 |
Review
review-ietf-6man-predictable-fragment-id-10-secdir-telechat-wierenga-2015-10-22
Hi, I am happy with the updated draft. Klaas -- Klaas Wierenga Identity Architect Cisco Cloud Services > On 01 Oct 2015, at 23:51, Fernando Gont <fgont at si6networks.com> wrote: > > Hi, Klaas, > > On 09/09/2015 07:02 AM, Klaas Wierenga (kwiereng) wrote: >>> On 09/09/2015 07:12 AM, Klaas Wierenga (kwiereng) wrote: >>>> I believe the document has some issues, see below. >>>> >>>> The document does an analysis of the security implications of >>>> predictable identification fields and I believe (not being an >>>> IPv6 expert) that it does a good job at that. The analysis of >>>> the potential exploits is convincing. Where I am struggling a bit >>>> is the algorithms for selecting fragment identification values >>>> (5). >>>> >>>> The intro text states that there are ‘a number of algorithms', >>>> but really there are only 3: 1- per destination counter random >>>> initialised 2- random value 3- hash over source, destination, >>>> secret with a counter >>> >>> FWIW, these are three concrete algorithms, but that doesn't mean >>> they are the only possible ones… >> >> Sure, I understand that. It is just when I read it I was preparing >> for a long list to come, so I think it would be good to state >> something like: >> >> OLD >> >> This section specifies a number of algorithms that may be used for >> selecting Fragment Identification values. >> >> NEW >> >> There are a number of algorithms that may be used for selecting >> Fragment Identification values. This section presents three of >> those. > > Will do. (thanks for proposing a way forward, btw). > > > >>>> 1 and 3 are essentially the same, the hash function in 3 performs >>>> the same function as the pseudo random generated initial value in >>>> 1 if I am not mistaken. >>> >>> Yes and no. 1 requires state, but 3 doesn't. That means that, e.g., >>> if you have lot's of flows to many different destinations, you may >>> need to remove some entries from the Dest Cache (and then you run >>> the risk of Frag ID collisions). However, this is not the case with >>> algorithm #3. >> >> good point, so is there any compelling reason to select 1 over 3? > > It is generally the other way around: for #1, if you need to remove the > state from the Destinations Cache, you run the risk of colliding Frag > IDs. So you could say that #1 is more trivial to implement, whereas #3 > has better properties (when there are ongoing communications with > multiple destinations that make you hit the limit of entries in the > Destination Cache). > > > >>>> So really the choice is between a random value for every datagram >>>> or a random value at initialisation of a connection and >>>> increasing by 1 for every subsequent datagram. >>>> >>>> I’d really like to see some quantitative analysis as to the >>>> impact of a random value per packet as well as between 1 and 3. >>> >>> Impact in terms of what? >> >> Well, as an implementer I want to choose between one of the >> algorithms you propose. But since I have no clue what the penalty is >> for doing per packet randomisation as opposed to per flow that is >> hard. > > Wel, the thing is that, to a large extent, it depends on the details of > implementation. e.g., what's the algorithm you use for the randon() > function, etc. > > > >> If the cost of a pseudorandom operation is outweighed by other >> factors involved in sending a packet I would probably choose option >> 2. My gut feeling says however that it is a pretty expensive >> operation to do on a per packet basis, so I would expect the advise >> to be “use 1 or 3” unless….. > > We tried to provide options rather than pushing one specific algorithm. > > >> And similarly, what is the cost of the >> hash versus the prg? If they are comparable would option 3 not be >> better? > > It depends on which hash function vs PRG. For instance, you could employ > a hash function for the PRG. > > So any assertion on performace would really be questionable... > > Thoughts? > > Thanks! > > Cheers, > -- > Fernando Gont > SI6 Networks > e-mail: fgont at si6networks.com > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 > > > >