draft-ietf-ippm-6man-pdm-option-04.txt   draft-ietf-ippm-6man-pdm-option-05.txt 
INTERNET-DRAFT N. Elkins INTERNET-DRAFT N. Elkins
Inside Products Inside Products
R. Hamilton R. Hamilton
Chemical Abstracts Service Chemical Abstracts Service
M. Ackermann M. Ackermann
Intended Status: Proposed Standard BCBS Michigan Intended Status: Proposed Standard BCBS Michigan
Expires: March 17, 2017 September 13, 2016 Expires: March 18, 2017 September 14, 2016
IPv6 Performance and Diagnostic Metrics (PDM) Destination Option IPv6 Performance and Diagnostic Metrics (PDM) Destination Option
draft-ietf-ippm-6man-pdm-option-04 draft-ietf-ippm-6man-pdm-option-05
Abstract Abstract
To assess performance problems, measurements based on optional To assess performance problems, measurements based on optional
sequence numbers and timing may be embedded in each packet. Such sequence numbers and timing may be embedded in each packet. Such
measurements may be interpreted in real-time or after the fact. An measurements may be interpreted in real-time or after the fact. An
implementation of the existing IPv6 Destination Options extension implementation of the existing IPv6 Destination Options extension
header, the Performance and Diagnostic Metrics (PDM) Destination header, the Performance and Diagnostic Metrics (PDM) Destination
Options extension header as well as the field limits, calculations, Options extension header as well as the field limits, calculations,
and usage of the PDM in measurement are included in this document. and usage of the PDM in measurement are included in this document.
skipping to change at page 26, line 36 skipping to change at page 26, line 36
A "SYN flood" type of attack succeeds because a TCP SYN packet is A "SYN flood" type of attack succeeds because a TCP SYN packet is
small but it causes the end host to start creating a place holder for small but it causes the end host to start creating a place holder for
the session such that quite a bit of control block and other storage the session such that quite a bit of control block and other storage
is used. This is an asynchronous type of attack in that a small is used. This is an asynchronous type of attack in that a small
amount of work by the attacker creates a large amount of work by the amount of work by the attacker creates a large amount of work by the
resource attacked. resource attacked.
For PDM, the amount of data to be kept is quite small. That is, the For PDM, the amount of data to be kept is quite small. That is, the
control block is quite lightweight. Concerns about SYN Flood and control block is quite lightweight. Concerns about SYN Flood and
other type of resource consumption attacks (memory, processing power, other type of resource consumption attacks (memory, processing power,
etc) can be alleviated by having a limit on the size of the control etc) can be alleviated by having a limit on the number of control
block. block entries.
We recommend that implementation of PDM SHOULD have a limit on the We recommend that implementation of PDM SHOULD have a limit on the
size of the control blocks used. number of control block entries.
8.2 Pervasive monitoring 8.2 Pervasive monitoring
Since PDM passes in the clear, a concern arises as to whether the Since PDM passes in the clear, a concern arises as to whether the
data can be used to fingerprint the system or somehow obtain data can be used to fingerprint the system or somehow obtain
information about the contents of the payload. information about the contents of the payload.
Let us discuss fingerprinting of the end host first. It is possible Let us discuss fingerprinting of the end host first. It is possible
that seeing the pattern of deltas or the absolute values could give that seeing the pattern of deltas or the absolute values could give
some information as to the speed of the end host - that is, if it is some information as to the speed of the end host - that is, if it is
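Review bot: The new limit in the resource consumption text ("SHOULD have a limit on the number of control block entries") does not say what an implementation does once that limit is reached, so two conforming implementations can behave differently under a flood. Suggest adding a sentence that states the behaviour at the limit (for example, whether new entries are refused or existing ones are reclaimed) and whether the limit is expected to be configurable. On wording in the same paragraphs: "We recommend that implementation of PDM SHOULD" states the recommendation twice, and "Implementations of PDM SHOULD limit the number of control block entries" would be enough. "other type of resource consumption attacks" should read "other types". In the unchanged context above, "asynchronous type of attack" reads as if "asymmetric" was meant, since the sentence describes a small amount of attacker work causing a large amount of work for the target.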
 End of changes. 4 change blocks. 
5 lines changed or deleted 5 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/