IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Tom Herbert <tom@herbertland.com> Sat, 12 January 2019 03:47 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26916130F1C for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 19:47:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HkUtJaXDpNHz for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 19:47:32 -0800 (PST)
Received: from mail-qt1-x844.google.com (mail-qt1-x844.google.com [IPv6:2607:f8b0:4864:20::844]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1106B130F1F for <ipv6@ietf.org>; Fri, 11 Jan 2019 19:47:32 -0800 (PST)
Received: by mail-qt1-x844.google.com with SMTP id v11so21151132qtc.2 for <ipv6@ietf.org>; Fri, 11 Jan 2019 19:47:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sdnmxeLTQOiK7OHYtrsK7J5Ozu7KUeHP2B8HQI+m1TU=; b=rir9Er1yu8tEoHwOyq9GF0BREviTbS2uEek3DXescun/BSXUL+MydQT6CbnOPa/iho Dyv5PrtqtGjNEl6V3fJfvS/UJ5WmRsQuvDcz9jZXPqv4p0gY8m2RcOu3ZSwEjdu83xjV /GH8KV9rNEciSLZmtE5ChxKiBfniLA6HKCdNikcr8XoeU0lvycQ6V3Fu42LC/uKFEM8m gYWRqUrgtnWVubiP1EwnNB/j7s7tICnD/7keukhgxkY3lXuqSO3rSLIi8IWGzBgT9oCk SfZv4QZCuMo7G6Szg9ARdGNQNx/1uGCL2U9M8Mrmsv10P4YoScTc38wVROGGHt8L4i6O L+KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sdnmxeLTQOiK7OHYtrsK7J5Ozu7KUeHP2B8HQI+m1TU=; b=pbfyCyhy0R21fZJMA8kQN0+xJZlp0dUNLVCzsJyU4yS5q9GOzjpH2AWPgFCa9c68Oo yKP8rXhquyyAu3M47FMCilhyrAhodHmHFvZwpkcJaFg3h1ehiS0Flz37QLctBR5uABOq okVnDV+2+pRx6Bc7t3tySJ/NAjr9VIKzZ3q+tbKnikNllIA7+v9Kri4oIMpcj5a3rM0C IbAfVeavLPRDCp/aOf6MOTsgSouCcx8fFhtSmpCr+ixc943mMk+b2HcQRo/44Ei6bYoO BcayDyQvmbChOGmPi22y3kYNQ6RgLqw+iJ39bEJScLc47kL6NmRChHaW5gt9/1tBkm6f xZrA==
X-Gm-Message-State: AJcUukdZUSalzE/FugG/DBczoy7X/hh96NA4ggGGd0rtRBK6FYAU4RGd LgeTdDeBKuCBXOvYserxvYo1eoKRBOwxLjkcOqW5IA==
X-Google-Smtp-Source: ALg8bN5GIMTmF+AquGpsSxfWomty7rHh6M1tKJGL84PtkTkHgJZSsKmK5MzdqJOkOzxxYl7MZMmraHke7rMJCXoIZi4=
X-Received: by 2002:ac8:274a:: with SMTP id h10mr15968938qth.189.1547264851048; Fri, 11 Jan 2019 19:47:31 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com> <0e792b48-4360-6977-9ae8-9cdfdc78c7b8@gmail.com> <16A642DC-D3A4-452C-B7D1-20CA0EEEDDA2@lists.zabbadoz.net> <CAOSSMjWS9po2XuBHJ5hbN9hfNDKZ1diecH08Kt697-15jRtAvg@mail.gmail.com> <0e0c3141-889e-ff60-2787-2889b3a9af6b@si6networks.com> <748DA428-5AB2-4487-A4FB-F2DABF5BF8BE@thehobsons.co.uk> <8b43af81-1c49-5cea-6472-97703674e661@si6networks.com> <CAN-Dau1HwG5RndacpSA+si+zKuTdpSvA=QA1A11A==rMNe=4+w@mail.gmail.com> <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com> <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com> <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com> <1b2e318e-1a9f-bb5d-75a5-04444c42ef20@si6networks.com>
In-Reply-To: <1b2e318e-1a9f-bb5d-75a5-04444c42ef20@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 11 Jan 2019 19:47:18 -0800
Message-ID: <CALx6S37TJr++fC=pVoeS=mrO1fHc4gL_Wtu-XkVTswzs2XxXCA@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Fernando Gont <fgont@si6networks.com>
Cc: David Farmer <farmer@umn.edu>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/8IBrx78_41g-nX_JW_Vv7GgxkDE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jan 2019 03:47:34 -0000

On Fri, Jan 11, 2019 at 7:32 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 11/1/19 19:47, Tom Herbert wrote:
> > On Fri, Jan 11, 2019 at 2:33 PM David Farmer <farmer@umn.edu> wrote:
> >>
> >>
> >> On Fri, Jan 11, 2019 at 3:27 PM Tom Herbert <tom@herbertland.com> wrote:
> >>>
> >>> On Fri, Jan 11, 2019 at 1:13 PM David Farmer <farmer@umn.edu> wrote:
> >>>>
> >>>> On Fri, Jan 11, 2019 at 1:58 PM Fernando Gont <fgont@si6networks.com> wrote:
> >>>>>
> >>>>> On 11/1/19 15:38, Simon Hobson wrote:
> >>>>>> Fernando Gont <fgont@si6networks.com> wrote:
> >>>>>>
> [....]
> >>>>
> >>>> I just had a thought for the guidance;
> >>>>
> >>>> 1. System-wide limit the number of fragments based on the overall system resources available.
> >>>> 2. As you near said limit, maybe 75% of the limit, drop outright, or at a high probability, non-final fragments smaller than (1280/2) 640 bytes.
> >>>>
> >>>> The reasonable fragmentation algorithms I can think of do not generate non-final fragments that are less than 640 bytes. Nevertheless, such fragments SHOULD NOT be dropped except for when the system is under stress.
> >>>>
> >>>> What do others think?
> >>>
> >>> I don't see any practical purpose of sending tiny fragments with eight
> >>> byte payloads in non-first fragments, these can only happens under DOS
> >>> attack or synthetic testing. So I do believe it's prudent to have some
> >>> guidance on setting limits for minimal sizes of non-first fragments.
> >>> The limit should probably be configurable with some recommended
> >>> default value. I believe the 1280 limit in Linux is too high, but
> >>> there are some compelling arguments for 640.
> >>
> >>
> >> Why non-first fragments? Did you mean non-final? Maybe both first and last should be exempted?
> >>
> > Yes.
>
> So why should I, as an attacker, send you first fragments, then? If for
> some reason I just want to send you, I'd send fragments such that
> Offset!=0 and M=0, with small size, WHat have you gained with the check
> you propose?

That sort of attack would exhaust the limit on how many packets are
allowed to be in reassembly at which point such packets would start to
be dropped. It's also easy enough to prioritize packets for reassmbly
for which the first fragment has already been received when
considering eviction from the reassembly queue.

Tom

>
>
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email