Re: Non-Last Small IPv6 Fragments
David Farmer <farmer@umn.edu> Sat, 12 January 2019 00:11 UTC
Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB990128AFB for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 16:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7c-8lRfqI_vT for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 16:11:18 -0800 (PST)
Received: from mta-p7.oit.umn.edu (mta-p7.oit.umn.edu [134.84.196.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5471126BED for <ipv6@ietf.org>; Fri, 11 Jan 2019 16:11:18 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id 65419CE6 for <ipv6@ietf.org>; Sat, 12 Jan 2019 00:11:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09RQoqGlEYtM for <ipv6@ietf.org>; Fri, 11 Jan 2019 18:11:17 -0600 (CST)
Received: from mail-vs1-f71.google.com (mail-vs1-f71.google.com [209.85.217.71]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 0FA8FCFB for <ipv6@ietf.org>; Fri, 11 Jan 2019 18:11:16 -0600 (CST)
Received: by mail-vs1-f71.google.com with SMTP id z189so6946683vsc.16 for <ipv6@ietf.org>; Fri, 11 Jan 2019 16:11:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jI40+A0UCnQ7eAB25ccErdNHetH0UELnTPSI+88nRgA=; b=cOKirC97R56vkInUI5hnsu7fQvDKe/Lt1zv8vwgfv3GrpFc4e/bTYvEHqt/y3MIcNA XMyQKmNpHg0A+sOCOb2zGgn7KjhETU2rTbj6A8ms+3Nr/Z9AIbiB8l5g3/daihlFImgQ WjelRKIruSZP/WKc7sTY6MIJJvbFJnnm0y7v0VrCOK9echNPaVXlI26s9aZ8E5555tMx xlsA7G8+s0CIa4z792sJ1IW6n6aiUUkH5/abwqhF5zsr5dPL44f+rV1BJrRzRS4eMAjw 977Ge4ZfdwtC2EF/mPQmNbgMVeUJOixoen/UM1ZmcX2DkE992uebuek8fpCBSMfxI1FB cEDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jI40+A0UCnQ7eAB25ccErdNHetH0UELnTPSI+88nRgA=; b=BNbdAM8W90eDfyrn035i0J0ws2vDgJAkbRpm7lxV1HkKqrGjmZK8aen2Xp6rl+xMuA 71kxwCq52GZ/mXpQ9awR+MdbxzJV4vjdHI1nnSzh2dxLlaC+jAqMAuzm2JWPV1/hFRkK LaMW1ZZTWa9rIuO/+DlKwNjV8lnNWxERu1d8RSt4ygPEk1u6xWFH0sTpf4zb8I7N+KxA XvvHExVZgDCSAp+gT68zQ0BqM5gTs0awlXbhnEdW8pD/j3jY9TRo721yrqm7cEKlpJA5 GGpjitGSf2bB8Z55f7MHGcwp1NgcBcxOvxORNHYQIfEfFCfm3b1ImhbwhmaTZnxeLtjm TUNQ==
X-Gm-Message-State: AJcUukcfavPiYywbRXpvFlHpEqTSwYBiJRwJr/MzkoQX3dAD+OlBrMBf 50O6VcXVDw5lY6IetXxKeOtwXH3Z5b99Y78oxYHAKwWxj2qmeKT3op9C3N0JzgruXDfNUvvYxk8 6fs8tZKhbYQqJtfHEnXuVX9CG
X-Received: by 2002:a1f:5f55:: with SMTP id t82mr6381037vkb.60.1547251875842; Fri, 11 Jan 2019 16:11:15 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5hOIOIJqcL0AMfBpUBA6BCNcEYr/60fGRwEbPIX2pl27Xda2vrcefU5Hv6l3moshHrMq/cB4uGL96XaYDatPQ=
X-Received: by 2002:a1f:5f55:: with SMTP id t82mr6381032vkb.60.1547251875411; Fri, 11 Jan 2019 16:11:15 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com> <0e792b48-4360-6977-9ae8-9cdfdc78c7b8@gmail.com> <16A642DC-D3A4-452C-B7D1-20CA0EEEDDA2@lists.zabbadoz.net> <CAOSSMjWS9po2XuBHJ5hbN9hfNDKZ1diecH08Kt697-15jRtAvg@mail.gmail.com> <0e0c3141-889e-ff60-2787-2889b3a9af6b@si6networks.com> <748DA428-5AB2-4487-A4FB-F2DABF5BF8BE@thehobsons.co.uk> <8b43af81-1c49-5cea-6472-97703674e661@si6networks.com> <CAN-Dau1HwG5RndacpSA+si+zKuTdpSvA=QA1A11A==rMNe=4+w@mail.gmail.com> <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com> <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com> <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com>
In-Reply-To: <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Fri, 11 Jan 2019 18:10:57 -0600
Message-ID: <CAN-Dau1kTNztYhtzQHfRc1U3zE771iKEp_fLo0E6HXFZDHGztQ@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Tom Herbert <tom@herbertland.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000699477057f37a626"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9oYSsAJ5BUFA6_VeSZtKrPQb6Bs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jan 2019 00:11:21 -0000
On Fri, Jan 11, 2019 at 4:47 PM Tom Herbert <tom@herbertland.com> wrote: > On Fri, Jan 11, 2019 at 2:33 PM David Farmer <farmer@umn.edu> wrote: > > > > > > On Fri, Jan 11, 2019 at 3:27 PM Tom Herbert <tom@herbertland.com> wrote: > >> > >> On Fri, Jan 11, 2019 at 1:13 PM David Farmer <farmer@umn.edu> wrote: > >> > > >> > On Fri, Jan 11, 2019 at 1:58 PM Fernando Gont <fgont@si6networks.com> > wrote: > >> >> > >> >> On 11/1/19 15:38, Simon Hobson wrote: > >> >> > Fernando Gont <fgont@si6networks.com> wrote: > >> >> > > >> >> >> ... enforce limits ... > >> >> > > >> >> > The guidance also needs to suggest sensible limits - otherwise > what one implementer (eg the Linux stack that discards any small fragment > that isn't the last) > >> >> > >> >> IMO, this is bad behavior advice. As an attacker, I'd fire 1280-sized > >> >> frags, and your check hasn't achieved anything. > >> >> > >> >> > >> >> >may not interoperate with another (eg make the last two fragments > approximately equal in size). In a significant part, that seems to > >> >> > have been what this thread has been about - what is reasonable > >> >> guidance for this. > >> >> > >> >> In general, what you do is AIMD (additive increase, multiplicative > >> >> decrease). The numbers limits are a few thousand packets. Which allow > >> >> fragments to work for some cases - few connections, rather low > >> >> throughput, but will not allow system breakage when the attacker > wants > >> >> to play. > >> >> > >> >> Dropping small frags as in Linux is bad, because you hurt > >> >> interoperability without any significant/real gain. > >> >> > >> >> OTOH, limiting the number of frags is good, because limits kick in > at a > >> >> point in which "you need to do something, because otherwise - DoS". > >> >> > >> >> Obviously, you cannot expect big pipes with fragmentation to work. > Given > >> >> high bandwith, multiply 60s * throughput, and you'll need a lot of > >> >> memory to hold the frags. > >> >> > >> >> Adapting the Frag reassembly time out can also help -- there's not > much > >> >> of a point to keep a frag in memory for 60s, particularly when under > >> >> heavly load. -- well before that TCP timers will fire, or the frag si > >> >> not useful anymore, anyway. > >> > > >> > > >> > I just had a thought for the guidance; > >> > > >> > 1. System-wide limit the number of fragments based on the overall > system resources available. > >> > 2. As you near said limit, maybe 75% of the limit, drop outright, or > at a high probability, non-final fragments smaller than (1280/2) 640 bytes. > >> > > >> > The reasonable fragmentation algorithms I can think of do not > generate non-final fragments that are less than 640 bytes. Nevertheless, > such fragments SHOULD NOT be dropped except for when the system is under > stress. > >> > > >> > What do others think? > >> > >> I don't see any practical purpose of sending tiny fragments with eight > >> byte payloads in non-first fragments, these can only happens under DOS > >> attack or synthetic testing. So I do believe it's prudent to have some > >> guidance on setting limits for minimal sizes of non-first fragments. > >> The limit should probably be configurable with some recommended > >> default value. I believe the 1280 limit in Linux is too high, but > >> there are some compelling arguments for 640. > > > > > > Why non-first fragments? Did you mean non-final? Maybe both first and > last should be exempted? > > > Yes. > > > I mostly agree with you, but on the other hand is there any compelling > reason to potentially break anything if the host isn't under stress? > > That depends on what resource is "under stress" in the host. > Reassembly is an expensive packet processing operation that requires > one lookup to find the state for the ID being reassembled, and then a > second lookup to find the position of the fragment in the queue. > Because fragmentation is considered to be rare, there hasn't been a > lot of work to optimize these operations or rely on hardware offload > (there is UDP fragmentation offload, but that is not ubiquitous). I > would be concerned that a well crafted attack with small packets could > be bad for low powered devices. A limit on the fragment size not only > caps the amount of memory burned, but also caps the packet rate and > hence CPU needed for reassmbly. > I'd be fine with adding something like the following; Destination nodes SHOULD NOT drop non-final fragments shorter than 640 bytes unless they are under stress. However, highly constrained devices, such as devices with minimumal memory or CPU, or very low-power devices, could be considered as always under stress, and therefore it might be prudent for such devices to always drop non-final fragments shorter than 640 bytes. Would that cover your issues? -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
- Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Erik Kline
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Carsten Bormann
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Christian Huitema
- Re: Non-Last Small IPv6 Fragments Ole Troan
- RE: Non-Last Small IPv6 Fragments Lubashev, Igor
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Manfredi (US), Albert E
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Mark Smith
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- End-to-end (was Re: Non-Last Small IPv6 Fragments) Christian Huitema
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fred Baker
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Michael Richardson
- Never fragment: getting PMTU info transmitted rel… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Joel M. Halpern
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Erik Kline
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… C. M. Heard
- Re: Never fragment: getting PMTU info transmitted… Christian Huitema