Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
Florian Weimer <fweimer@redhat.com> Fri, 24 May 2019 12:21 UTC
Return-Path: <fweimer@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 195121200CD for <dnsop@ietfa.amsl.com>; Fri, 24 May 2019 05:21:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7eUThbJ3G8w2 for <dnsop@ietfa.amsl.com>; Fri, 24 May 2019 05:21:09 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2A46120092 for <dnsop@ietf.org>; Fri, 24 May 2019 05:21:09 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 5157F3005216; Fri, 24 May 2019 12:21:04 +0000 (UTC)
Received: from oldenburg2.str.redhat.com (dhcp-192-219.str.redhat.com [10.33.192.219]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A858E7D660; Fri, 24 May 2019 12:21:03 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: Daisuke HIGASHI <daisuke.higashi@gmail.com>
Cc: dnsop@ietf.org
References: <CAO-L_V90W2=m0KKMdnu7gcgaUaKReCa_8C+kp37zwSLxwKH9hA@mail.gmail.com>
Date: Fri, 24 May 2019 14:21:02 +0200
In-Reply-To: <CAO-L_V90W2=m0KKMdnu7gcgaUaKReCa_8C+kp37zwSLxwKH9hA@mail.gmail.com> (Daisuke HIGASHI's message of "Sat, 9 Mar 2019 17:18:18 +0900")
Message-ID: <87mujcqc0h.fsf@oldenburg2.str.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Fri, 24 May 2019 12:21:04 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lUQ7YUw999DCBCZlhEEvW8PWops>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 12:21:12 -0000
* Daisuke HIGASHI: > draft-fujiwara-dnsop-fragment-attack-01: > >> 3. Current status >> >> [Brandt2018] showed that Linux version 3.13 and older versions are >> vulnerable to crafted ICMP fragmentation needed and DF set packet and >> off-path attackers can set some of authoritative servers' path MTU >> size to 296. >> >> The author tested Linux version 2.6.32, 4.18.20 and FreeBSD 12.0. >> Linux 2.6.32 accepts crafted "ICMP Need Fragmentation and DF set" >> packet and path MTU decreased to 552. Linux 2.6.32, Linux 4.18.20 >> and FreeBSD 12.0 accept crafted "ICMPv6 Packet Too Big" packet and >> path MTU decreased to 1280. >> >> Linux version 4.18.20 may ignore crafted ICMP packet. > > I confirmed that Linux 4.18 (Ubuntu 18.10) accepts crafted ICMP > on "plain" UDP socket. And if sockopt IP_PMTUDISC_DONT is set to sockets > (many DNS implements do this) sender host generates fragmented packets > caused by crafted ICMP. > > Determining whether a DNS implementation on Linux accepts > crafted ICMPv4 or not is somewhat confusing and need to investigate > with caution: > > - Latest Linux seems to still accept crafted ICMPv4 by default. > Linux 3.15 introduced a new socket option IP_PMTUDISC_OMIT > which makes sockets ignore PMTU information and send packet with DF=0. > With this option sending socket never honor PMTU information and > fragmentation > is done if and only if the packet size exceeds outgoing interface MTU. > > - Some DNS implementation (BIND 9.9.10 / Unbound 1.5.0 and later) utilize > IP_PMTUDISC_OMIT option if available. So these DNS implementation on > Linux 3.15 (or later) > won't accept crafted ICMP. > (I submitted a patch to NSD for enabling this feature. > https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4235 ) Correct, this was the intent. There is another essential Linux kernel change: not using the path MTU when forwarding packets. Otherwise, a Linux hypervisor (or router), after receiving an ICMP packet directed to itself, would reassemble the packet and re-fragment it to the cached (spoofed) path MTU. I believe it's this commit: commit 69647ce46a236a355a7a3096d793819a9bd7c1d3 Author: Hannes Frederic Sowa <hannes@stressinduktion.org> Date: Wed Feb 26 01:20:41 2014 +0100 ipv4: use ip_skb_dst_mtu to determine mtu in ip_fragment ip_skb_dst_mtu mostly falls back to ip_dst_mtu_maybe_forward if no socket is attached to the skb (in case of forwarding) or determines the mtu like we do in ip_finish_output, which actually checks if we should branch to ip_fragment. Thus use the same function to determine the mtu here, too. This is important for the introduction of IP_PMTUDISC_OMIT, where we want the packets getting cut in pieces of the size of the outgoing interface mtu. IPv6 already does this correctly. > - Some Linux distribution is based on older version (like Linux 3.10) > but has IP_PMTUDISC_OMIT feature by backporting. > > I found that IP_PMTUDISC_OMIT feature is backported to Red Hat > Enterprise Linux 7 > (it's Linux 3.10 based) but they didn't backport corresponding macro > definition to glibc header. > So BIND9's / Unbound's IP_PMTUDISC_OMIT feature on current RHEL7 > won't be enabled > regardless of kernel feature. > (Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1684874 ) Yes, this is about to be fixed. But applications can use the constant directly if necessary (it's not architecture-specific and will never change). All in all, I do not think it is necessary or desirable to send DF=1 responses. The backwards compatibility impact would be too large. Thanks, Florian
- [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.t… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Paul Vixie
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… fujiwara
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… 神明達哉
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Mark Andrews
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Daisuke HIGASHI
- Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-… Florian Weimer