IETF Logo Mail Archive

RE: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation

"Liushucheng (Will)" <liushucheng@huawei.com> Wed, 20 January 2016 07:27 UTC

Return-Path: <liushucheng@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BFF31A873C for <ipv6@ietfa.amsl.com>; Tue, 19 Jan 2016 23:27:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.601
X-Spam-Level:
X-Spam-Status: No, score=-3.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BfGDsH6PmuTE for <ipv6@ietfa.amsl.com>; Tue, 19 Jan 2016 23:27:43 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 194A91A8740 for <ipv6@ietf.org>; Tue, 19 Jan 2016 23:27:41 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml402-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CHD15500; Wed, 20 Jan 2016 07:27:39 +0000 (GMT)
Received: from lhreml704-cah.china.huawei.com (10.201.5.130) by lhreml402-hub.china.huawei.com (10.201.5.241) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 20 Jan 2016 07:27:38 +0000
Received: from SZXEMA412-HUB.china.huawei.com (10.82.72.71) by lhreml704-cah.china.huawei.com (10.201.5.130) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 20 Jan 2016 07:27:37 +0000
Received: from SZXEMA509-MBS.china.huawei.com ([169.254.2.243]) by SZXEMA412-HUB.china.huawei.com ([10.82.72.71]) with mapi id 14.03.0235.001; Wed, 20 Jan 2016 15:27:33 +0800
From: "Liushucheng (Will)" <liushucheng@huawei.com>
To: Tina Tsou <tina.tsou.stds.os@gmail.com>, Fernando Gont <fgont@si6networks.com>
Subject: RE: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation
Thread-Topic: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation
Thread-Index: AQHRNxa4EHl4eocyV0SccTcC9MUYMJ7rL50AgAIqqQCAAOSDgIABbYMAgAd0swCADRhcAA==
Date: Wed, 20 Jan 2016 07:27:33 +0000
Message-ID: <C9B5F12337F6F841B35C404CF0554ACB89666E9C@SZXEMA509-MBS.china.huawei.com>
References: <7BEE06A2-0F6E-493F-B2C6-68DAB3774FD5@gmail.com> <D2B06309.6375D%evyncke@cisco.com> <568C775C.2030300@si6networks.com> <D2B2F41A.63BAC%evyncke@cisco.com> <568E69AA.2090100@si6networks.com> <CAHZxSZiviri=p=6WVQSO9GJoatCyomH+N1atqmO2ZgP82poVVg@mail.gmail.com>
In-Reply-To: <CAHZxSZiviri=p=6WVQSO9GJoatCyomH+N1atqmO2ZgP82poVVg@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.78.84]
Content-Type: multipart/alternative; boundary="_000_C9B5F12337F6F841B35C404CF0554ACB89666E9CSZXEMA509MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.569F36EB.0109, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.2.243, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2094197c4705d1ea19ae1ca744cb09c4
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/4u9d6FR9uyEEfdxrPYxRVv9jv4I>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 07:27:46 -0000

Hi Tina,



Thanks for your comments.



Yes, a number of folks have noted this on the list and off-list. We will put a bit more stress on it in the draft.

Regards,
Will (Shucheng LIU)

From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Tina Tsou
Sent: Tuesday, January 12, 2016 3:27 PM
To: Fernando Gont
Cc: IPv6 List; Bob Hinden
Subject: Re: 6MAN WG Last Call - draft-ietf-6man-deprecate-atomfrag-generation

Dear all,

I support publication of this document.

Suggestion: Please note earlier in this document that many popular OS do not support the functionality being deprecated. That is, the aforementioned functionality was never widely supported.


Thank you,
Tina

On Thursday, January 7, 2016, Fernando Gont <fgont@si6networks.com<mailto:fgont@si6networks.com>> wrote:
Hi, Eric,

On 01/06/2016 12:47 PM, Eric Vyncke (evyncke) wrote:
> Fernand (and Bob),
>
> First thanks for your replies.
>  (
> About PTB > 1280: I have to read RFC2460bis, but, the 'old' RFC 2460
> states that when the path MTU for one destination is smaller than the
> physical MTU, then either fragmentation (bad) or application (preferred)
> must adapt.

That can't be possible.  If it was, Path-MTU Discovery would be impossible:

You *always* send packets smaller than the physical MTU. Then PMTU
operates between min(IP_MIN_MTU) and min (Physical_MTU, Path-MTU).
(where IP_MIN_MTU is 68 for IPv4 and 1280 for IPv6).

When you employ a protocol that can segment data (TCP, SCTP, etc) you
never fall back to fragmentation (that's the whole point of doing
Path-MTU Discovery). You just keep segmenting the app data at the
transport layer at appropriate chunk sizes.

In IPv4, you never reduce past 68 bytes. In IPv6, you never reduce past
1280 bytes. However, RFC2460 supported a corner case where if you were
to receive an ICMPv6 PTB < 1280, you'd not reduce the size of your data
chunk, but just start sending atomic fragments.

draft-ietf-6man-deprecate-atomfrag-generation discusses why this is not
a good idea. But the short version of the answer is that you don't want
to employ fragmentation unless you really have to. Hence, generating
atomic fragments doesn't make much sense.


> To be honest, I do not have any data backing how
> hosts/applications react in that case. If hosts commonly do fragmentation
> because app is ignorant of the MTU, then the attack is also possible on
> non atomic fragment.

When an app employs TCP+PMTUD or the like, they would never employ
fragmentation, modulo this corner case.



> Then, we agree on the fact that fragmentation should really be discouraged
> for security and performance reasons :-) And we are also in 'violent'
> agreement on the fact that this is really not secure to allow any node to
> reduce the MTU between two other parties... OTOH not an easy problem to
> fix.

This case is actually quite worse, because you're not simply reducing
the MTU between two nodes, but also triggering fragmentation. IN IPv6,
since the minimum MTU is quite large (1280 bytes), an attacker that
reduces the MTU between two node just causes a performance penalty (kind
of small if the real PMTU was e.g. 1500 bytes). BUt an attacker that can
trigger the use of fragmentation opens the door to a number of
fragmentation-based attacks... and, because of the widespread filtering
of IPv6 fragments, at times just triggering fragmentation already
results in a DoS scenario.

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com<javascript:;>
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org<javascript:;>
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email