In message
<56C5808C(_dot_)1090906(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp>,
Masataka Ohta writes:
Masataka Ohta (I) wrote:
The RFC is a complete mess, in various ways. It says flow IDs are
good because they are random, but, at the same time, it says flow
IDs may not be random.
I found the RFC is even worse.
The most important thing the RFC must have stated (it
does not, of course) is:
(SRC1, DST1, flow_ID1)
of a stateful flow MUST be unique (not used by packets
not belonging to the flow) within the Internet,
which can be guaranteed only by an end (source or
destination), which is a straightforward manifestation
of the end-to-end argument.
But the RFC allows routers (firewalls) to change flow IDs to
a nonzero value.
So, if a router changes the flow ID of (SRC1, DST1, flow_ID2)
from flow_ID2 to flow_ID3, then there is a possibility
that flow_ID1 == flow_ID3, which is fatal for the stateful
flow if the modified packets are merged into the stateful
flow (certain protection against merging is possible but
not robust against route changes).
Of course, section 6.1 of the RFC on covert channels is
abstract nonsense, because covert channels may be created
in various ways to carry information, for example, with
extension headers (fragmentation boundaries, for example,
can be arbitrary), which means firewalls should reject
packets with extension headers.
No, it doesn't. Firewalls have a purpose. Most of the time the
purpose isn't to block communication. It is to block wasting
resources or to try to prevent poorly written applications / IP
stacks from being compromised.
Often people forget that firewalls need to let packets through that
are part of a legitimate communications flow. You don't
actually need to stop *every* potential packet that isn't part of
a communications flow. You just need to make it hard enough that
it is not worth the effort to find the open paths if you are not
part of a legitimate flow.
Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
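The collision argument in the quoted message (a source-assigned label flow_ID1 colliding with a label flow_ID3 that a path device assigns to an originally unlabeled packet) can be simulated. The following is an added example written for this page; it is not code from the RFC or from either poster. It assumes a 20-bit flow label, a source host that keeps its own labels unique per destination, a middlebox that fills in zero labels with a hash of the packet's 5-tuple (an assumption about one possible stateless implementation, not something the RFC prescribes), and a downstream stateful node that keys its flow table on (src, dst, label) and records the transport ports as a merge check. The addresses and ports are constructed sample data.

```python
"""Constructed simulation of the flow-label collision argument from the
thread above. Added example; not code from the RFC or from either poster.
"""
import hashlib
import random
from dataclasses import dataclass

FLOW_LABEL_BITS = 20                    # width of the IPv6 flow label field
FLOW_LABEL_MASK = (1 << FLOW_LABEL_BITS) - 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flow_label: int   # 0 means "not set by the source"
    sport: int
    dport: int


class SourceHost:
    """End host: hands out labels that are unique per destination.

    This is the end-to-end guarantee the quoted message argues for: the
    source can avoid reusing its own labels, but cannot know which values
    some device on the path will assign to other packets.
    """

    def __init__(self, addr, rng):
        self.addr = addr
        self.rng = rng
        self._used = {}   # dst -> set of labels already handed out

    def new_flow(self, dst, sport, dport, forced_label=None):
        used = self._used.setdefault(dst, set())
        label = forced_label              # test hook: model an unlucky draw
        while label is None or label in used:
            label = self.rng.randrange(1, FLOW_LABEL_MASK + 1)
        used.add(label)
        return Packet(self.addr, dst, label, sport, dport)


def middlebox_rewrite(pkt):
    """Path device that sets a nonzero label on packets arriving with label 0.

    Assumption for this example: label = hash of the 5-tuple, so the box
    stays stateless. Nonzero labels are passed through untouched.
    """
    if pkt.flow_label != 0:
        return pkt
    h = hashlib.sha256(
        f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}".encode()).digest()
    label = int.from_bytes(h[:4], "big") & FLOW_LABEL_MASK
    if label == 0:
        label = 1
    return Packet(pkt.src, pkt.dst, label, pkt.sport, pkt.dport)


class StatefulNode:
    """Flow table keyed on (src, dst, label).

    observe() returns True when a packet lands on an existing entry whose
    transport ports differ, i.e. two flows have been merged under one key.
    Checking the ports is one of the partial protections the message
    alludes to; it only works while the node sees both flows.
    """

    def __init__(self):
        self.table = {}   # (src, dst, label) -> (sport, dport)

    def observe(self, pkt):
        key = (pkt.src, pkt.dst, pkt.flow_label)
        ports = (pkt.sport, pkt.dport)
        if key not in self.table:
            self.table[key] = ports
            return False
        return self.table[key] != ports


def merged_flow_example():
    """flow_ID1 (source chosen) == flow_ID3 (middlebox chosen): flows merge."""
    src, dst = "2001:db8::1", "2001:db8::2"        # constructed addresses
    unlabeled = Packet(src, dst, 0, 40000, 80)     # some app left the label 0
    flow_id3 = middlebox_rewrite(unlabeled).flow_label
    host = SourceHost(src, random.Random(1))
    # The source, by chance, draws the value the middlebox will compute;
    # nothing at the source can rule this out.
    flow1 = host.new_flow(dst, 50000, 443, forced_label=flow_id3)
    node = StatefulNode()
    node.observe(flow1)                            # installs flow_ID1 state
    return node.observe(middlebox_rewrite(unlabeled))   # True: merged


def collision_count(n_source_flows, n_unlabeled_flows, seed=0):
    """How many rewritten packets get merged into some existing entry."""
    rng = random.Random(seed)
    src, dst = "2001:db8::1", "2001:db8::2"
    host = SourceHost(src, rng)
    node = StatefulNode()
    for i in range(n_source_flows):
        node.observe(host.new_flow(dst, 10000 + i, 443))
    merged = 0
    for i in range(n_unlabeled_flows):
        if node.observe(middlebox_rewrite(Packet(src, dst, 0, 30000 + i, 80))):
            merged += 1
    return merged


if __name__ == "__main__":
    print("deterministic merge:", merged_flow_example())
    print("merges with 4000 source flows and 4000 rewritten flows:",
          collision_count(4000, 4000))
```

With a 20-bit label space, a few thousand source-assigned flows plus a few thousand middlebox-assigned ones already produce collisions in the birthday-bound regime, which is the scale at which the quoted message's "possibility" becomes routine rather than theoretical.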