Friday, 5 February 2016

RFC7739: Security Implications of Predictable Fragment Identification Values


The IETF has published a new RFC by Fernando Gont: RFC7739.

This RFC analyzes the security and privacy implications of predictable Fragment Identification (ID) values, and proposes a number of algorithms that can be employed to select Fragment ID values such that the aforementioned issues are mitigated.

As a result of earlier (internet-draft) versions this document, a number of operating systems (ranging from Linux to Microsoft Windows) had patched their IPv6 implementations to mitigate the aforementioned issues.

Recent discussions at the IETF suggest that the upcoming revision of the core IPv6 specification will remove the suggestion to employ a global counter for the generation of IPv6 Fragment IDs.

Use of predictable identifiers have a long history in IETF protocols, as discussed in this recent internet-draft by Fernando Gont and Iván Arce.


No comments:

Post a Comment