IETF Logo Mail Archive

Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt

神明達哉 <jinmei@wide.ad.jp> Mon, 04 March 2019 19:10 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64151130DDA for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2019 11:10:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.018, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kqkKuLQwXn9Q for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2019 11:10:44 -0800 (PST)
Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A8D41277D2 for <dnsop@ietf.org>; Mon, 4 Mar 2019 11:10:44 -0800 (PST)
Received: by mail-wm1-f44.google.com with SMTP id n19so270104wmi.1 for <dnsop@ietf.org>; Mon, 04 Mar 2019 11:10:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=p87PxpbtKB47p07HUg6WGLyzjOZUKG6tZEhxaTsxaXI=; b=Lx0X1+KYNT1A8LAWjG0MP9wG7Mq9yfQUJcM1V4NxLy8Qo3DJjyHPWWHrzVmRtC73H0 l42VNWMxR3kNwE2EZc1/xdzOy06A423frCQh7Ljc7QuIaT1x33uDZUI+sP+4d3STnwm9 4IRwyAHOnSxrxtoNTpXCdDdC76dBe47cQi5vkGWIlbI62YfZzFvbYMmcerG2SWqv49rS G8G4MT6u54KuU6yLox4fy1bpUcgllux8ENZWUDWAR2r9fCsurxU7RA7wF8UQVPu9taLQ aL0Gl478XN9LTR/poLdcLnIeuz61maDMr9P5+udxn3xR6ksLyO/GNVFsrh0scFWnglei DApQ==
X-Gm-Message-State: APjAAAWRpQu1Z92A/gSUcA4yzkhs0bdyb1ZCuRaYTqLteeVknPgkh/Gg 1ZflcO06pTPiZU+Lr0boN4vP9C77z0dI1emgBo4AVsky
X-Google-Smtp-Source: APXvYqxgf+MiDVCIXk+aNwkNu6TBo1mbCVJpOMU3l98itak2NHVh2neCkBFkg5ZQ5r74kHzSOItA2rgGQ+4i5sBbF6M=
X-Received: by 2002:a1c:dc0a:: with SMTP id t10mr370739wmg.101.1551726642494; Mon, 04 Mar 2019 11:10:42 -0800 (PST)
MIME-Version: 1.0
References: <20190301.211448.2262229485785576167.fujiwara@jprs.co.jp> <CAJE_bqeMMiqpnPfVZiWGWS3OgjUqjpLQzYpYAb=utfn8cc9NVg@mail.gmail.com> <20190304.204314.379212645659552827.fujiwara@jprs.co.jp>
In-Reply-To: <20190304.204314.379212645659552827.fujiwara@jprs.co.jp>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Mon, 04 Mar 2019 11:10:30 -0800
Message-ID: <CAJE_bqdKxRgtdzyDhLm868FCDJJ1-xw8desSYib0+PpR-6YgSA@mail.gmail.com>
To: fujiwara <fujiwara@jprs.co.jp>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005085fa058349833b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PgKhVDVZqpPIMQPSmXZuBxx9pVU>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 19:10:47 -0000

At Mon, 04 Mar 2019 20:43:14 +0900 (JST),
fujiwara@jprs.co.jp wrote:

> > - Section 3
> >
> >    Linux 2.6.32, Linux 4.18.20
> >    and FreeBSD 12.0 accept crafted "ICMPv6 Packet Too Big" packet and
> >    path MTU decreased to 1280.
> >
> >   I suspect this often doesn't matter much in practice.  Since IPv6
> >   doesn't allow fragmentation and PMTU discovery isn't very effective
for
>                   ^^^^^^^^^^^^^
>           on-path fragmentation ?

Oops, sorry for the confusing text.  I meant "IPv6 doesn't allow
fragmentation at intermediate nodes" (or, yes, I meant "on-path
fragmentation").

> >   DNS responders, the server implementation should set
> >   IPV6_USE_MIN_MTU and expect that MTU anyway (several implementations
> >   actually set this option; some others don't, but they are just lucky
> >   to not encounter the problem or receive complaints about it).
>
> If setting IPV6_USE_MIN_MTU, does the server use 1280 as all path MTU
value ?

Yes.  Or more accurately, if IPV6_USE_MIN_MTU is set the path MTU
value (if known) is just ignored.

> Without IPV6_DONTFRAG option, are responses larger than 1280 fragmented ?

Yes (if IPV6_USE_MIN_MTU is specified).

> I observed many fragmented IPv6 DNS responses whose packet size are
> 1496 or 1500.

Those should be sent from a server that doesn't set IPV6_USE_MIN_MTU
or from a system that doesn't support the option (sadly a very widely
deployed OS doesn't support it: Linux).

> # What I was interested in was that many implementations accept
> # crafted "ICMPv6 Packet Too Big".

Sure, but unless it matters in the larger context of the draft, it's
just a distraction.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email