Last Call Review of draft-ietf-6man-predictable-fragment-id-09
review-ietf-6man-predictable-fragment-id-09-secdir-lc-wierenga-2015-09-10-00

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes security implications of predictable values for the
identification field in fragment headers for IPv6.

I believe the document has some issues, see below.

The document does an analysis of the security implications of predictable
identification fields and I believe (not being an IPv6 expert) that it does a
good job at that. The analysis of the potential exploits is convincing. Where I
am struggling a bit is the algorithms for selecting fragment identification
values (5).

The intro text states that there are ‘a number of algorithms', but really there
are only 3: 1- per destination counter random initialised 2- random value 3-
hash over source, destination, secret with a counter

1 and 3 are essentially the same, the hash function in 3 performs the same
function as the pseudo random generated initial value in 1 if I am not
mistaken. So really the choice is between a random value for every datagram or
a random value at initialisation of a connection and increasing by 1 for every
subsequent datagram.

I’d really like to see some quantitative analysis as to the impact of a random
value per packet as well as between 1 and 3. Now, as an implementer I will know
about the vulnerability but can not really determine what mediation route to
follow.

So to sum up, I really liked the analysis part, but I would prefer some work on
the solution to the problem part.

Klaas

--
Klaas Wierenga
Identity Architect
Cisco Cloud Services