[LACNIC/Seguridad] Generación de IPv6 Frag ID, etc.
Fernando Gont
fgont en si6networks.com
Sab Feb 11 21:09:20 BRST 2012
Para complicar la cosa aún mas:
Pese a que el "Frag ID" de IPv6 es de 32 bits, si en el medio hubiera un
traductor IPv6/IPv4, solo los low-order 16-bits son utilizados... lo
cual ahce que, a la practica, uno probablemente tenga que considerar que
el Frag ID tiene un largo efectivo de 16 bits.
En tales escenarios, si uno simplemente random()iza el frag ID, las
posibilidades de colision son bastante posibles.
A modo de referencia, un estracto de la sección 4 de RFC 6145:
When the IPv4 sender does not set the DF bit, the translator SHOULD
always include an IPv6 Fragment Header to indicate that the sender
allows fragmentation. The translator MAY provide a configuration
function that allows the translator not to include the Fragment
Header for the non-fragmented IPv6 packets.
The rules in Section 4.1 ensure that when packets are fragmented,
either by the sender or by IPv4 routers, the low-order 16 bits of the
fragment identification are carried end-to-end, ensuring that packets
are correctly reassembled. In addition, the rules in Section 4.1 use
the presence of an IPv6 Fragment Header to indicate that the sender
might not be using path MTU discovery (i.e., the packet should not
have the DF flag set should it later be translated back to IPv4).
Saludos,
--
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Más información sobre la lista de distribución Seguridad