IETF Logo Mail Archive

Re: Fragmentation-related security issues

Mark Andrews <marka@isc.org> Fri, 06 January 2012 02:07 UTC

Return-Path: <marka@isc.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7F2511E8088 for <ipv6@ietfa.amsl.com>; Thu, 5 Jan 2012 18:07:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.364
X-Spam-Level:
X-Spam-Status: No, score=-2.364 tagged_above=-999 required=5 tests=[AWL=0.236, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZA2Jp8rEfHy for <ipv6@ietfa.amsl.com>; Thu, 5 Jan 2012 18:07:19 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 9274B11E807A for <ipv6@ietf.org>; Thu, 5 Jan 2012 18:07:18 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id E9E3C5F98BF; Fri, 6 Jan 2012 02:06:58 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:19ba:ae94:8c13:6cc4]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id D5288216C6E; Fri, 6 Jan 2012 02:06:56 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 2A0521AD6A63; Fri, 6 Jan 2012 13:06:54 +1100 (EST)
To: Fernando Gont <fernando@gont.com.ar>
From: Mark Andrews <marka@isc.org>
References: <82fwgfk1ev.fsf@mid.bfk.de> <20111220.124458.41706285.sthaug@nethelp.no> <B34F3C95-25CF-405E-A25B-7BEFB4E0F18B@lists.zabbadoz.net> <20120102.231616.74700645.sthaug@nethelp.no> <C2383165-4925-4208-A118-9920111DB3EB@lists.zabbadoz.net> <4F028C9B.4010704@si6networks.com> <82ehvfnakx.fsf@mid.bfk.de> <4F048DD2.9050107@si6networks.com> <82lipmjxlg.fsf@mid.bfk.de> <4F060631.1070903@gont.com.ar>
Subject: Re: Fragmentation-related security issues
In-reply-to: Your message of "Thu, 05 Jan 2012 17:21:05 -0300." <4F060631.1070903@gont.com.ar>
Date: Fri, 06 Jan 2012 13:06:54 +1100
Message-Id: <20120106020654.2A0521AD6A63@drugs.dv.isc.org>
Cc: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2012 02:07:20 -0000

In message <4F060631.1070903@gont.com.ar>, Fernando Gont writes:
> Florian,
> 
> On 01/05/2012 06:40 AM, Florian Weimer wrote:
> >>> Do we really know that adding a fragment header to all outgoing packets
> >>> does not cause them to be rejected? 
> >>
> >> Are you arguing that IPv6 fragmentation does no work at all, or what?
> > 
> > I fear that it might work as well as in IPv4, that is, you can only get
> > there with some effort, and for some nodes, it will never work.
> 
> But that's an entirely different question. If you're thinking about e.g.
> banning all fragmentation from IPv6, that's certainly completely
> unrelated to the two I-D's that I've published on the subject...
> 
> 
> 
> >>> Could this be deployed at large DNS servers in a risk-free fashion,
> >>> for instance?
> >>
> >> What's the specific question you're asking, and what is your concern,
> >> specifically?
> > 
> > If DNS servers started sending either atomic fragments or fragmented
> > responses today (i.e., all generated packets carry an IPv6 extension
> > header), would these servers become unreachable for some clients?
> > (I think we have to assume the answer is "yes".)
> 
> Because some clients ignore atomic fragments, because fragments would be
> dropped in the path to the client, or what?
> 
> Note: I'm interested on the topic, but this one has to do more with Mark
> Andrews' proposal than with mine. -- Mine is about how to improve the
> state of affairs of IPv6 fragmentation. Mark's is about increasing its use.

I'm more about making DNS work reliably.  We have forced fragmentation
of DNS/UDP/IPv6 datagrams, using IPV6_USE_MIN_MTU, since Jun 2000.

Some other vendors havn't and that does result in operational
problems as PMTUD is not reliable.  Which can be seen when you
repeatedly send the same DNS query to the same server but only
get the last fragment when there is a tunnel in the reply path.

Additionally, even if the PTB message gets through it is usually
server to client traffic that gets dropped and servers don't keep
a history of the responses they have sent over UDP so it requires
a client timeout and requery to get the response resent.

If you have a several of servers for a zone it can be several seconds
before client retries the query to the first server, even with sub
second timeouts, as the client assumes the server is *dead* and
moves on to the next server.

IPV6_USE_MIN_MTU works for clients that have a MTU path 1280 or greater.
IPV6_USE_MIN_MTU does NOT work for clients that have a MTU path < 1280,
which is a gap in spec.  draft-andrews-6man-force-fragmentation is
about filling in that gap.

IPV6_USE_MIN_MTU was developed to deal with the issue of PMTUD being
bad for DNS.  draft-ietf-ipngwg-bsd-frag was the early work that
eventually became IPV6_USE_MIN_MTU.

> > IPv4 is different in this regard because clients can opt out from
> > fragmented responses by requesting 512 byte responses (even if it's
> > technically a DNS protocol violation).  This is just not possible with
> > IPv6---unless the server keeps per-client state, which is a non-starter
> > for large DNS server deployments.
> 
> Strictly speaking, that's not correct. Requesting 512-byte responses
> does not necessarily avoid fragmentation. The IPv4 MTU is 68 bytes, not
> 576. For instance, OpenBSD's imposes a lower limit of 296 (rather than
> 576 or the like) because such low-MTU technologies exist.
> 
> Thanks,
> -- 
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> 
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email