TSVART review of draft-ietf-6man-deprecate-atomfrag-generation

Joe Touch <touch@xxxxxxx> · Fri, 26 Aug 2016 12:29:39 -0700



    Hi, all,
    I've reviewed this document as part of the Transport Area Review
      Team's (TSVART)
      ongoing effort to review key IETF documents. These comments were
      written primarily for the transport area directors, but are copied
      to the document's authors for their information and to allow them
      to address any issues raised. When done at the time of IETF Last
      Call, the authors should consider this review together with any
      other last-call comments they receive. Please always CC tsv-art@xxxxxxxx if you reply to or
      forward this review. 

    
    Please resolve these comments along with any other Last Call
      comments you may receive. Please wait for direction from your
      document shepherd or AD before posting a new version of the draft.
      

      Document: draft-ietf-6man-deprecate-atomfrag-generation 
      

      Title: Generation of IPv6 Atomic Fragments Considered Harmful

      Reviewer: J. Touch

      Review Date: August 26, 2016
      

      IETF Last Call Date: August 8, 2016
      

      Summary: This draft is on the right track but has open issues,
      described in the review. 
    The document has no issues directly applicable to transport
      protocols. The impact on transports is indirect, in the ability of
      RFC 6145-style IPv6/IPv4 translators to support IPv6-to-IPv4
      translation and deal with IPv4-side fragmentation. 

    
    However, there are some important non-transport issues that are
      noted below.

      
      Major issues: 

    
    The impact of this change does not appear to have been explored.
      Section 3 ends with a claim that links where this translation
      issue would be a problem are rare, but there is no evidence
      presented as to whether current RFC 6145 translators would be
      capable of complying with the changes in this doc, e.g., to be
      able to generate IPv4 IDs as needed. I.e., this document needs to
      update RFC6145 Sec 5.1 to require that IPv4 ID generation MUST be
      supported (and used), rather than MAY.

      
      The document concludes that the translator should create IPv4 IDs
      rather than relying on atomic fragments as a source of that
      information (as per RFC2460) because there is no benefit, but are
      two reasons why this method is directly hazardous as well: 1) RFC
      2460 does not require that the IPv6 ID field is generated to
      ensure that the low 16-bits are unique as required for use as IPv4
      IDs as defined in RFC 6145, and 2) RFC 6145 translation could
      result in collisions where two distinct IPv6 destinations are
      translated into the same IPv4 address, such that IDs that might
      have been generated to be unique in the IPv6 context could end up
      colliding when used in the translated IPv4 context. I.e., this
      does not require ECMP as implied in Section 3.
    Minor issues: 

    
    IMO, it remains unwise to continue to imply that networks should
      treat packets with fragment headers as an attack. Fragmentation
      support is critical to tunneling (see draft-ietf-intarea-tunnels)
      and we need to find ways to support their use safely. The text
      should be edited to explain that the primary motivation here is to
      avoid generating erroneous IPv4 ID fields, rather than to react to
      the incorrect classification of fragment headers as incompatible
      with the Internet.
    The claim that links with IPv6 MTUs smaller than 1260 are rare
      needs to be supported with evidence. I appreciate that such
      evidence may be difficult to observe. In the absence of evidence,
      the statement should be more clear that there is no evidence to
      the contrary -- which is not the same as being able to claim that
      they *are* in fact rare.

    
    --