IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

David Farmer <farmer@umn.edu> Sat, 12 January 2019 00:11 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB990128AFB for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 16:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7c-8lRfqI_vT for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 16:11:18 -0800 (PST)
Received: from mta-p7.oit.umn.edu (mta-p7.oit.umn.edu [134.84.196.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5471126BED for <ipv6@ietf.org>; Fri, 11 Jan 2019 16:11:18 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id 65419CE6 for <ipv6@ietf.org>; Sat, 12 Jan 2019 00:11:17 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09RQoqGlEYtM for <ipv6@ietf.org>; Fri, 11 Jan 2019 18:11:17 -0600 (CST)
Received: from mail-vs1-f71.google.com (mail-vs1-f71.google.com [209.85.217.71]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 0FA8FCFB for <ipv6@ietf.org>; Fri, 11 Jan 2019 18:11:16 -0600 (CST)
Received: by mail-vs1-f71.google.com with SMTP id z189so6946683vsc.16 for <ipv6@ietf.org>; Fri, 11 Jan 2019 16:11:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jI40+A0UCnQ7eAB25ccErdNHetH0UELnTPSI+88nRgA=; b=cOKirC97R56vkInUI5hnsu7fQvDKe/Lt1zv8vwgfv3GrpFc4e/bTYvEHqt/y3MIcNA XMyQKmNpHg0A+sOCOb2zGgn7KjhETU2rTbj6A8ms+3Nr/Z9AIbiB8l5g3/daihlFImgQ WjelRKIruSZP/WKc7sTY6MIJJvbFJnnm0y7v0VrCOK9echNPaVXlI26s9aZ8E5555tMx xlsA7G8+s0CIa4z792sJ1IW6n6aiUUkH5/abwqhF5zsr5dPL44f+rV1BJrRzRS4eMAjw 977Ge4ZfdwtC2EF/mPQmNbgMVeUJOixoen/UM1ZmcX2DkE992uebuek8fpCBSMfxI1FB cEDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jI40+A0UCnQ7eAB25ccErdNHetH0UELnTPSI+88nRgA=; b=BNbdAM8W90eDfyrn035i0J0ws2vDgJAkbRpm7lxV1HkKqrGjmZK8aen2Xp6rl+xMuA 71kxwCq52GZ/mXpQ9awR+MdbxzJV4vjdHI1nnSzh2dxLlaC+jAqMAuzm2JWPV1/hFRkK LaMW1ZZTWa9rIuO/+DlKwNjV8lnNWxERu1d8RSt4ygPEk1u6xWFH0sTpf4zb8I7N+KxA XvvHExVZgDCSAp+gT68zQ0BqM5gTs0awlXbhnEdW8pD/j3jY9TRo721yrqm7cEKlpJA5 GGpjitGSf2bB8Z55f7MHGcwp1NgcBcxOvxORNHYQIfEfFCfm3b1ImhbwhmaTZnxeLtjm TUNQ==
X-Gm-Message-State: AJcUukcfavPiYywbRXpvFlHpEqTSwYBiJRwJr/MzkoQX3dAD+OlBrMBf 50O6VcXVDw5lY6IetXxKeOtwXH3Z5b99Y78oxYHAKwWxj2qmeKT3op9C3N0JzgruXDfNUvvYxk8 6fs8tZKhbYQqJtfHEnXuVX9CG
X-Received: by 2002:a1f:5f55:: with SMTP id t82mr6381037vkb.60.1547251875842; Fri, 11 Jan 2019 16:11:15 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5hOIOIJqcL0AMfBpUBA6BCNcEYr/60fGRwEbPIX2pl27Xda2vrcefU5Hv6l3moshHrMq/cB4uGL96XaYDatPQ=
X-Received: by 2002:a1f:5f55:: with SMTP id t82mr6381032vkb.60.1547251875411; Fri, 11 Jan 2019 16:11:15 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com> <0e792b48-4360-6977-9ae8-9cdfdc78c7b8@gmail.com> <16A642DC-D3A4-452C-B7D1-20CA0EEEDDA2@lists.zabbadoz.net> <CAOSSMjWS9po2XuBHJ5hbN9hfNDKZ1diecH08Kt697-15jRtAvg@mail.gmail.com> <0e0c3141-889e-ff60-2787-2889b3a9af6b@si6networks.com> <748DA428-5AB2-4487-A4FB-F2DABF5BF8BE@thehobsons.co.uk> <8b43af81-1c49-5cea-6472-97703674e661@si6networks.com> <CAN-Dau1HwG5RndacpSA+si+zKuTdpSvA=QA1A11A==rMNe=4+w@mail.gmail.com> <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com> <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com> <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com>
In-Reply-To: <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Fri, 11 Jan 2019 18:10:57 -0600
Message-ID: <CAN-Dau1kTNztYhtzQHfRc1U3zE771iKEp_fLo0E6HXFZDHGztQ@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Tom Herbert <tom@herbertland.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000699477057f37a626"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/9oYSsAJ5BUFA6_VeSZtKrPQb6Bs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jan 2019 00:11:21 -0000

On Fri, Jan 11, 2019 at 4:47 PM Tom Herbert <tom@herbertland.com> wrote:

> On Fri, Jan 11, 2019 at 2:33 PM David Farmer <farmer@umn.edu> wrote:
> >
> >
> > On Fri, Jan 11, 2019 at 3:27 PM Tom Herbert <tom@herbertland.com> wrote:
> >>
> >> On Fri, Jan 11, 2019 at 1:13 PM David Farmer <farmer@umn.edu> wrote:
> >> >
> >> > On Fri, Jan 11, 2019 at 1:58 PM Fernando Gont <fgont@si6networks.com>
> wrote:
> >> >>
> >> >> On 11/1/19 15:38, Simon Hobson wrote:
> >> >> > Fernando Gont <fgont@si6networks.com> wrote:
> >> >> >
> >> >> >> ... enforce limits ...
> >> >> >
> >> >> > The guidance also needs to suggest sensible limits - otherwise
> what one implementer (eg the Linux stack that discards any small fragment
> that isn't the last)
> >> >>
> >> >> IMO, this is bad behavior advice. As an attacker, I'd fire 1280-sized
> >> >> frags, and your check hasn't achieved anything.
> >> >>
> >> >>
> >> >> >may not interoperate with another (eg make the last two fragments
> approximately equal in size). In a significant part, that seems to
> >> >> > have been what this thread has been about - what is reasonable
> >> >> guidance for this.
> >> >>
> >> >> In general, what you do is AIMD (additive increase, multiplicative
> >> >> decrease). The numbers limits are a few thousand packets. Which allow
> >> >> fragments to work for some cases - few connections, rather low
> >> >> throughput, but will not allow system breakage when the attacker
> wants
> >> >> to play.
> >> >>
> >> >> Dropping small frags as in Linux is bad, because you hurt
> >> >> interoperability without any significant/real gain.
> >> >>
> >> >> OTOH, limiting the number of frags is good, because limits kick in
> at a
> >> >> point in which "you need to do something, because otherwise - DoS".
> >> >>
> >> >> Obviously, you cannot expect big pipes with fragmentation to work.
> Given
> >> >> high bandwith, multiply 60s * throughput, and you'll need a lot of
> >> >> memory to hold the frags.
> >> >>
> >> >> Adapting the Frag reassembly time out can also help -- there's not
> much
> >> >> of a point to keep a frag in memory for 60s, particularly when under
> >> >> heavly load. -- well before that TCP timers will fire, or the frag si
> >> >> not useful anymore, anyway.
> >> >
> >> >
> >> > I just had a thought for the guidance;
> >> >
> >> > 1. System-wide limit the number of fragments based on the overall
> system resources available.
> >> > 2. As you near said limit, maybe 75% of the limit, drop outright, or
> at a high probability, non-final fragments smaller than (1280/2) 640 bytes.
> >> >
> >> > The reasonable fragmentation algorithms I can think of do not
> generate non-final fragments that are less than 640 bytes. Nevertheless,
> such fragments SHOULD NOT be dropped except for when the system is under
> stress.
> >> >
> >> > What do others think?
> >>
> >> I don't see any practical purpose of sending tiny fragments with eight
> >> byte payloads in non-first fragments, these can only happens under DOS
> >> attack or synthetic testing. So I do believe it's prudent to have some
> >> guidance on setting limits for minimal sizes of non-first fragments.
> >> The limit should probably be configurable with some recommended
> >> default value. I believe the 1280 limit in Linux is too high, but
> >> there are some compelling arguments for 640.
> >
> >
> > Why non-first fragments? Did you mean non-final? Maybe both first and
> last should be exempted?
> >
> Yes.
>
> > I mostly agree with you, but on the other hand is there any compelling
> reason to potentially break anything if the host isn't under stress?
>
> That depends on what resource is "under stress" in the host.
> Reassembly is an expensive packet processing operation that requires
> one lookup to find the state for the ID being reassembled, and then a
> second lookup to find the position of the fragment in the queue.
> Because fragmentation is considered to be rare, there hasn't been a
> lot of work to optimize these operations or rely on hardware offload
> (there is UDP fragmentation offload, but that is not ubiquitous). I
> would be concerned that a well crafted attack with small packets could
> be bad for low powered devices. A limit on the fragment size not only
> caps the amount of memory burned, but also caps the packet rate and
> hence CPU needed for reassmbly.
>

I'd be fine with adding something like the following;

Destination nodes SHOULD NOT drop non-final fragments shorter than 640
bytes unless they are under stress. However, highly constrained devices,
such as devices with minimumal memory or CPU, or very low-power devices,
could be considered as always under stress, and therefore it might be
prudent for such devices to always drop non-final fragments shorter than
640 bytes.

Would that cover your issues?

-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email