Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt

Daisuke HIGASHI <daisuke.higashi@gmail.com> Sat, 09 March 2019 08:18 UTC

From: Daisuke HIGASHI <daisuke.higashi@gmail.com>
Date: Sat, 09 Mar 2019 17:18:18 +0900
Message-ID: <CAO-L_V90W2=m0KKMdnu7gcgaUaKReCa_8C+kp37zwSLxwKH9hA@mail.gmail.com>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oMh465HH3XhTE7D9RVJjUypepGc>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-fragment-attack-01.txt

draft-fujiwara-dnsop-fragment-attack-01:

> 3.  Current status
>
>   [Brandt2018] showed that Linux version 3.13 and older versions are
>   vulnerable to crafted ICMP fragmentation needed and DF set packet and
>   off-path attackers can set some of authoritative servers' path MTU
>   size to 296.
>
>   The author tested Linux version 2.6.32, 4.18.20 and FreeBSD 12.0.
>   Linux 2.6.32 accepts crafted "ICMP Need Fragmentation and DF set"
>   packet and path MTU decreased to 552.  Linux 2.6.32, Linux 4.18.20
>   and FreeBSD 12.0 accept crafted "ICMPv6 Packet Too Big" packet and
>   path MTU decreased to 1280.
>
>  Linux version 4.18.20 may ignore crafted ICMP packet.

   I confirmed that Linux 4.18 (Ubuntu 18.10) accepts crafted ICMP
on a "plain" UDP socket. And if the sockopt IP_PMTUDISC_DONT is set on
sockets (many DNS implementations do this), the sender host generates
fragmented packets caused by the crafted ICMP.

   Determining whether a DNS implementation on Linux accepts
crafted ICMPv4 or not is somewhat confusing and needs to be investigated
with caution:

- The latest Linux seems to still accept crafted ICMPv4 by default.
  Linux 3.15 introduced a new socket option, IP_PMTUDISC_OMIT,
  which makes sockets ignore PMTU information and send packets with DF=0.
  With this option the sending socket never honors PMTU information, and
  fragmentation is done if and only if the packet size exceeds the
  outgoing interface MTU.

- Some DNS implementations (BIND 9.9.10 / Unbound 1.5.0 and later) utilize
  the IP_PMTUDISC_OMIT option if available. So these DNS implementations on
  Linux 3.15 (or later) won't accept crafted ICMP.
  (I submitted a patch to NSD for enabling this feature:
    https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4235 )

- Some Linux distributions are based on an older version (like Linux 3.10)
  but have the IP_PMTUDISC_OMIT feature by backporting.

  I found that the IP_PMTUDISC_OMIT feature is backported to Red Hat
  Enterprise Linux 7 (it's Linux 3.10 based), but they didn't backport the
  corresponding macro definition to the glibc header.
  So BIND9's / Unbound's IP_PMTUDISC_OMIT feature on current RHEL7
  won't be enabled regardless of the kernel feature.
  (Bug report:  https://bugzilla.redhat.com/show_bug.cgi?id=1684874 )

Regards,
--
 Daisuke Higashi
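The socket-option handling discussed in the message above, as an added example that is not code from the message, the draft, or any of the DNS implementations named (Linux only, since IP_MTU_DISCOVER / IPV6_MTU_DISCOVER are Linux socket options). It sets IP_PMTUDISC_OMIT on a UDP socket and falls back to IP_PMTUDISC_DONT only when the kernel rejects OMIT with EINVAL, which is what a kernel older than 3.15 without the backport does. The fallback macro definitions cover the RHEL7 situation where the kernel implements OMIT but the glibc header does not define the name; the value 5 is the one from the Linux uapi headers (include/uapi/linux/in.h and in6.h). The function names `set_pmtu_omit` and `get_pmtu_mode` are this example's own, not an API of any project.

```c
/* Added example: prefer IP_PMTUDISC_OMIT, fall back to IP_PMTUDISC_DONT.
 * Linux-specific (IP_MTU_DISCOVER / IPV6_MTU_DISCOVER). */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Header fallback for the RHEL7-style case (kernel has the feature, the
 * distribution's glibc header lacks the macro). A build that only does
 * "#ifdef IP_PMTUDISC_OMIT" silently loses the feature there. The numeric
 * values are those of the Linux uapi headers. */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

enum pmtu_result {
    PMTU_ERROR = -1, /* setsockopt failed for a reason other than "unknown value" */
    PMTU_OMIT  = 0,  /* kernel accepted OMIT: PMTU ignored, DF=0, crafted ICMP has no effect */
    PMTU_DONT  = 1   /* fell back to DONT: DF=0, but the ICMP-learned PMTU is still honored */
};

/* Read back the effective MTU-discovery mode of fd, or -1 on error. */
int get_pmtu_mode(int fd, int family)
{
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    int val = -1;
    socklen_t len = sizeof(val);

    if (getsockopt(fd, level, opt, &val, &len) < 0)
        return -1;
    return val;
}

/* Try OMIT first. The kernel answers EINVAL for a value it does not know,
 * which is how a pre-3.15 kernel without the backport rejects OMIT; only
 * then fall back to DONT. Any other errno is a real failure. */
int set_pmtu_omit(int fd, int family)
{
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int opt   = (family == AF_INET6) ? IPV6_MTU_DISCOVER : IP_MTU_DISCOVER;
    int omit  = (family == AF_INET6) ? IPV6_PMTUDISC_OMIT : IP_PMTUDISC_OMIT;
    int dont  = (family == AF_INET6) ? IPV6_PMTUDISC_DONT : IP_PMTUDISC_DONT;

    if (setsockopt(fd, level, opt, &omit, sizeof(omit)) == 0)
        return PMTU_OMIT;
    if (errno != EINVAL)
        return PMTU_ERROR;
    if (setsockopt(fd, level, opt, &dont, sizeof(dont)) == 0)
        return PMTU_DONT;
    return PMTU_ERROR;
}

static const char *mode_name(int r)
{
    return r == PMTU_OMIT ? "OMIT (ignores crafted ICMP)"
         : r == PMTU_DONT ? "DONT (fallback; still honors ICMP-learned PMTU)"
         : "error";
}

int main(void)
{
    int families[2] = { AF_INET, AF_INET6 };
    const char *names[2] = { "IPv4", "IPv6" };

    for (int i = 0; i < 2; i++) {
        int fd = socket(families[i], SOCK_DGRAM, 0);
        if (fd < 0) {               /* e.g. IPv6 disabled on this host */
            printf("%s: socket(): %s\n", names[i], strerror(errno));
            continue;
        }
        int r = set_pmtu_omit(fd, families[i]);
        printf("%s: %s, kernel reports mode %d\n",
               names[i], mode_name(r), get_pmtu_mode(fd, families[i]));
        close(fd);
    }
    return 0;
}
```

The check a practitioner wants is the read-back: after setting the option, `get_pmtu_mode` must report IP_PMTUDISC_OMIT (5), not IP_PMTUDISC_DONT (0). A resolver that ends up in DONT mode on a kernel that could have done OMIT is exactly the RHEL7 header case described in the message: it will send DF=0 and fragment according to a PMTU that a crafted ICMP packet can lower.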