[LAC-TF] Fwd: RFC 7112 on Implications of Oversized IPv6 Header Chains

Azael Fernandez Alcantara afaza at unam.mx
Wed Jan 29 16:14:31 BRST 2014


Good day,

Thanks, Fernando, and congratulations on it finally being published.

Subject to carefully re-reading the final version of what is now an
RFC.

Two questions: from your point of view, how complicated do you consider
this change, meant to improve security, to be, and how long might its
implementation by vendors be delayed?

And what comment would there be on the last security consideration? I quote:

"A firewall that performs stateless deep packet inspection (i.e.,
    examines application payload content) might still be unable to
    correctly process fragmented packets, even if the IPv6 Header Chain
    is not fragmented."


REGARDS
____________________________________
Azael
UNAM
___________________________________
Message sent without accents


On Wed, 29 Jan 2014, Fernando Gont wrote:

> Date: Wed, 29 Jan 2014 11:58:04 -0600
> From: Fernando Gont <fgont at si6networks.com>
> Reply-To: lactf at lac.ipv6tf.org
> To: Lista para discusión de seguridad en redes y sistemas informaticos de la
>     región <seguridad at lacnic.net>,
>     "lactf at lac.ipv6tf.org" <lactf at lac.ipv6tf.org>,
>     Latin America and Caribbean Region Network Operators Group
>     <lacnog at lacnic.net>
> Subject: [LAC-TF] Fwd: RFC 7112 on Implications of Oversized IPv6 Header
>     	Chains
> 
> FYI: <http://www.rfc-editor.org/rfc/rfc7112.txt>
>
> This document had been incubating for so long that today I went without
> sleep so that it would not be delayed any longer. :-)
>
>
> If you happen to be drinking mate with bizcochitos and want to find out
> what this is about without interrupting the mate session, the idea is
> this simple:
>
> Until now, the specifications allowed packets so ridiculous that they
> had the IPv6 header chain scattered across several fragments. This
> document updates the base IPv6 standard (RFC 2460) so as to prohibit
> such packets. That is, the complete header chain is required to always
> be present in the first fragment (obviously in the cases where
> fragmentation is used... since otherwise this problem does not arise).
>
> The implication of this update is that, from now on, one can perform
> "stateless" packet filtering -- which is nice. :-)
>
> But never mind... keep drinking mate; you can read this some other time ;-)
>
> Regards,
> Fernando
>
>
>
>
> -------- Original Message --------
> Subject: RFC 7112 on Implications of Oversized IPv6 Header Chains
> Date: Wed, 29 Jan 2014 09:30:44 -0800 (PST)
> From: rfc-editor at rfc-editor.org
> To: ietf-announce at ietf.org, rfc-dist at rfc-editor.org
> CC: drafts-update-ref at iana.org, ipv6 at ietf.org, rfc-editor at rfc-editor.org
>
> A new Request for Comments is now available in online RFC libraries.
>
>
>        RFC 7112
>
>        Title:      Implications of Oversized IPv6 Header
>                    Chains
>        Author:     F. Gont, V. Manral,
>                    R. Bonica
>        Status:     Standards Track
>        Stream:     IETF
>        Date:       January 2014
>        Mailbox:    fgont at si6networks.com,
>                    vishwas at ionosnetworks.com,
>                    rbonica at juniper.net
>        Pages:      8
>        Characters: 15897
>        Updates:    RFC 2460
>
>        I-D Tag:    draft-ietf-6man-oversized-header-chain-09.txt
>
>        URL:        http://www.rfc-editor.org/rfc/rfc7112.txt
>
> The IPv6 specification allows IPv6 Header Chains of an arbitrary
> size.  The specification also allows options that can, in turn,
> extend each of the headers.  In those scenarios in which the IPv6
> Header Chain or options are unusually long and packets are
> fragmented, or scenarios in which the fragment size is very small,
> the First Fragment of a packet may fail to include the entire IPv6
> Header Chain.  This document discusses the interoperability and
> security problems of such traffic, and updates RFC 2460 such that the
> First Fragment of a packet is required to contain the entire IPv6
> Header Chain.
>
> This document is a product of the IPv6 Maintenance Working Group of the
> IETF.
>
> This is now a Proposed Standard.
>
> STANDARDS TRACK: This document specifies an Internet standards track
> protocol for the Internet community, and requests discussion and suggestions
> for improvements.  Please refer to the current edition of the Internet
> Official Protocol Standards (STD 1) for the standardization state and
> status of this protocol.  Distribution of this memo is unlimited.
>
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
>  http://www.ietf.org/mailman/listinfo/ietf-announce
>  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>
> For searching the RFC series, see
> http://www.rfc-editor.org/search/rfc_search.php
> For downloading RFCs, see http://www.rfc-editor.org/rfc.html
>
> Requests for special distribution should be addressed to either the
> author of the RFC in question, or to rfc-editor at rfc-editor.org.  Unless
> specifically noted otherwise on the RFC itself, all RFCs are for
> unlimited distribution.
>
>
> The RFC Editor Team
> Association Management Solutions, LLC
>
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6 at ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
>
>
> _______________________________________________
> LACTF mailing list
> LACTF at lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lactf
> Unsubscribe: lactf-unsubscribe at lacnic.net
>
