IETF Logo Mail Archive

RE: Non-Last Small IPv6 Fragments

Ron Bonica <rbonica@juniper.net> Thu, 10 January 2019 20:32 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E01A131244 for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 12:32:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.253
X-Spam-Level:
X-Spam-Status: No, score=-5.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 38U8eFdG0LPG for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 12:32:52 -0800 (PST)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82D9C13123C for <ipv6@ietf.org>; Thu, 10 Jan 2019 12:32:52 -0800 (PST)
Received: from pps.filterd (m0108163.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0AKRsee016629; Thu, 10 Jan 2019 12:32:51 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=PPS1017; bh=BoxH1FQw6B8vu4p9MOqzjDQgUkID4Vf0OxAKjULzSyA=; b=dyCetvm5vUDDf72Q8b8LugR2Zmb4Nt1wv8kGwJCjZuPHK4E+ZN2Xjy0E7L69/EJs1Tlp MGZDUJSnZaOIzJgFm6i4CjcoX97kg1xMtvlDR/CRVQNfkcWfOB7UPQjLe1NP0l1LKP/6 SwXprfLlVpj+bObZ6BkgEvb8bXSnZvVJrYV5tZS29U+pXUjKRR7uPOySZl/L/jSK6uev jcF9lzFHc/6ID1qpBq7IVe8HfBNJdvHd4LvW6oIEVm+DqHDcCvJCePDsr2tlIXAFUWr0 N0MlKPVxVmYd3eE7w5pwMtq63D6gRc4T72b0o55oM/NggdTGb8s3/fEk5cF9guniHYSd qw==
Received: from nam04-co1-obe.outbound.protection.outlook.com (mail-co1nam04lp2053.outbound.protection.outlook.com [104.47.45.53]) by mx0b-00273201.pphosted.com with ESMTP id 2pxaf008jh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 10 Jan 2019 12:32:50 -0800
Received: from BYAPR05MB4245.namprd05.prod.outlook.com (20.176.252.26) by BYAPR05MB4663.namprd05.prod.outlook.com (52.135.233.77) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.6; Thu, 10 Jan 2019 20:32:47 +0000
Received: from BYAPR05MB4245.namprd05.prod.outlook.com ([fe80::7598:d648:d84f:9304]) by BYAPR05MB4245.namprd05.prod.outlook.com ([fe80::7598:d648:d84f:9304%3]) with mapi id 15.20.1516.015; Thu, 10 Jan 2019 20:32:47 +0000
From: Ron Bonica <rbonica@juniper.net>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "ek@loon.co" <ek@loon.co>
CC: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
Subject: RE: Non-Last Small IPv6 Fragments
Thread-Topic: Non-Last Small IPv6 Fragments
Thread-Index: AQHUqPnhfVKjIVRV7USb44QrUExkh6WoxzKAgAAaJXCAAAXdgIAAAdRAgAADgwCAAAeqIA==
Date: Thu, 10 Jan 2019 20:32:47 +0000
Message-ID: <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com>
In-Reply-To: <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.0.61
dlp-reaction: no-action
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB4663; 6:dUkBYShTfazBNzpq4OKDyLQcBVWACZw+ho6j3Dj9a9tXBAh1o2YEW918Fgt9NX3XD2EGySmATQOMOACOsZitsAYJYJLb96wPfhhEkGQr4PZwXUZEpLSNIf+nEQatfUA0Qc/+UzJAN4d58Z1Aplu6QgmHLlHUGAr5g9oEo/+ovlLFfgSQyMSeQZKwcs/bSwfD8Bcnp3/kdIF0UUtEuG3DKVb6oEAaAWNxkuUCToXjwtiuSLtOIXos0+gO4HTphPQdHZCS5e3IjvviYYCjXp+j1L8EiLCDFyB78D1bCL4vCTOCvgHnTXVzgCOYw9KLlJ1mLTXb/ivRpuhAeT4gQbKdEEH66UI4WYhJJ3oV4dvzU2RzzQpybc1EqFGopvQNov2l6huFGk56stcsQVExeHyNfE6vZTIi72dmz2+l81pk1SMHLpjfycUXkSyO6oD6kpsR551Yzu7AAeQGe+DGVcx/GA==; 5:GSPsNfT2ns9ejSW5uVPwJzgszuhyMNtEq+Nc2T+0sDqE8fXOw8tBZdTuS7pyqkveStVzIZ2YD1n0vTq8C7vTiXga0Xc2jkZgh9t88XDI4UCSuwhBdlJK0QzAGwXvI61PjGhcFYhQpcQqxpHZONZpPM+YhNMavyE/15YlQ3vscSrUGC4DzvegNnJ/oSWNn3tCtO6ihCEbJxq+SEs/uM42Vw==; 7:eEp6wTUUwYz1z8zcAmnuoAEbm666vXYOV7wCVSEXePjNVV5R4zeUdY2x53h9eXHp425NkvkKTQn3gp3xHnH7/0/7A3tPjCK3VJI2WSP8ZVCJA3ORIjPI9vh17NQJ6DtwtLcx1101NwChWihqZdH17Q==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 23de69fb-fcd8-4e59-0f3f-08d6773ac857
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB4663;
x-ms-traffictypediagnostic: BYAPR05MB4663:
x-microsoft-antispam-prvs: <BYAPR05MB46639843F0C43CAC68DC6E3DAE840@BYAPR05MB4663.namprd05.prod.outlook.com>
x-forefront-prvs: 0913EA1D60
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(39860400002)(376002)(366004)(136003)(51914003)(13464003)(189003)(199004)(74316002)(446003)(55016002)(6436002)(5660300001)(486006)(68736007)(11346002)(14444005)(256004)(2501003)(97736004)(3846002)(6116002)(7736002)(81166006)(8676002)(81156014)(305945005)(8936002)(66066001)(476003)(229853002)(33656002)(575784001)(86362001)(316002)(26005)(99286004)(54906003)(110136005)(6246003)(53936002)(93886005)(6306002)(106356001)(105586002)(19627235002)(76176011)(9686003)(71190400001)(186003)(71200400001)(478600001)(2906002)(25786009)(4326008)(39060400002)(53546011)(6506007)(102836004)(966005)(14454004)(7696005); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB4663; H:BYAPR05MB4245.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: OHHeKrsNOwsyf48TfO1NpcfcSCWZgS6K0Pg2Yq+RpN3yKBqc+jrmdQOPQbeOrchTjmW8458nQ6P+XcjDZVtJRVmhuScExiyPXpPAMMsKRqvIBn8qVpdk74GkApwpw+r19S3G+Q5fjijwQVdKrN+loP8AxvsESo22zz4XS80OVMfTRWZCC7Qo4tO02/TbV7XjNxE4Nw99K6pJ+4Eh3sMz/NnazRnaB8J+GpR3qaogIvha2w7qS71+ybgtQ9C8XMwWc63xfkd+uNYGXnNBa4cf4o7tGbu+J7hKardP469bufx1pVuWEn5Tav+3Espa5Ymy7R4UAYQhc9nvGn3AxJVZgiUzF8fSoOoqLI9i9weIqR0tyM45exN4wramyyo1VrHbKPfiRxnz8mR1PAPdPtVimfT5muu5ec/NXoLgB1NyHz3r829z2rLWwf7iSn8OXdKo0Ch8LkHp4TTEdqFKXdZREw==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 23de69fb-fcd8-4e59-0f3f-08d6773ac857
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jan 2019 20:32:47.0940 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB4663
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-10_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901100158
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/YDeGX8dvBZ15GsACC5F7H1vjCrA>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 20:32:56 -0000

Brian,

The following are two more fundamental questions:

- Would the attack be effective?
- If the attack is effective, is there a better way to mitigate it (e.g., by limiting the number of fragments that a receiving node is willing to reassemble for a single packet)?

                                                                        Ron


> -----Original Message-----
> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
> Sent: Thursday, January 10, 2019 3:01 PM
> To: Ron Bonica <rbonica@juniper.net>; ek@loon.co
> Cc: IPv6 List <ipv6@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
> Subject: Re: Non-Last Small IPv6 Fragments
> 
> On 2019-01-11 08:52, Ron Bonica wrote:
> > Erik,
> >
> > Thanks for the response.
> >
> > So, I understand that if I were to launch a stream of such packets at a target:
> >
> >
> >   *   The target might drop many of the attack packets (but that’s ok)
> >   *   The target would still process non-fragmented packets at a reasonable
> speed
> >   *   The target would still be able to reassemble fragments that are from
> other sources and not part of the attack
> >
> > If this is the case, we have nothing to worry about.
> 
> Well, we have to worry about a broken Linux implementation unless this "fix"
> is reversed.
> 
> (I can see a pragmatic argument for dropping non-final fragments that are
> really small, which might be diagnostic of an attack. But then you have to
> define "really small".)
> 
>    Brian
> 
> >
> >                                                           Ron
> >
> >
> > From: Erik Kline <ek@loon.co>
> > Sent: Thursday, January 10, 2019 2:42 PM
> > To: Ron Bonica <rbonica@juniper.net>
> > Cc: Bob Hinden <bob.hinden@gmail.com>; Timothy Winters
> <twinters@iol.unh.edu>; IPv6 List <ipv6@ietf.org>
> > Subject: Re: Non-Last Small IPv6 Fragments
> >
> > On Thu, 10 Jan 2019 at 11:32, Ron Bonica
> <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
> >> I read some of the reports on the link, but am still not clear what the
> >> underlying problem is.   Why does Linux have a problem with receving
> >> intermediate fragments less than 1280?
> >>
> >
> > Hi Bob,
> >
> > Might we be defending against an attack in which a packet contains:
> >
> > - An IPv6 header (40 bytes)
> > - A Fragment Header (8 bytes)
> > - A TCP header (20 bytes)
> > - TCP Payload (1200 bytes)
> >
> > This packet doesn't need to be fragmented at all because the total length is
> only 1268 bytes. However, a mischievous source node divides the packet into
> 1200 fragments. The first fragment contains an IPv6 header, a fragment
> header, the TCP header, and one byte of the TCP payload. Each subsequent
> fragment contains the IPv6 header, a fragment header, and one byte of TCP
> payload.
> >
> > Are reassembly algorithms clever enough to protect against such attacks? If
> so, I don't see the problem either. But if not, we may have a problem.
> >
> > I'm recently familiar with an IPv6 fragment reassembly implementation, as it
> turns out.  The core implementation uses/makes liberal reference to:
> >
> >     https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__tools.ietf.org_html_rfc815&d=DwIFaQ&c=HAkYuh63rsuhr6Scbfh0UjBX
> eMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=sK5K5wuiRYsxdqBoO01uXstXrB6pcOH7vIaVlqPk
> bw8&s=wRD2EDX32nGJdkVKcg_MlfkjpiweHbKU_7X3BJXHQks&e=<https://u
> rldefense.proofpoint.com/v2/url?u=https-
> 3A__tools.ietf.org_html_rfc815&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjB
> XeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=-
> dVqPKvvhh60cA1adnmR9mFsqrX0ADki0K4BlrOQqGc&s=6m7aXa5azbXR0bS
> ACw5GJgOfJx06tbs_1LydP-h2aqs&e=>
> >
> > It works generally in terms of managing a hole descriptor list.  It would
> successfully reassemble the sequence of packets you describe.  Whether that's
> an "attack" or not, I don't really see it.  With local policy caps on the lifetime of
> unreassembled fragment bits and so on, it seems possible to limit and manage
> the total resources allocated to reassembly.
> >
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests:
> https://urldefense.proofpoint.com/v2/url?u=https-
> 3A__www.ietf.org_mailman_listinfo_ipv6&d=DwIFaQ&c=HAkYuh63rsuhr6S
> cbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> AWF2EfpHcAwrDThKP8&m=sK5K5wuiRYsxdqBoO01uXstXrB6pcOH7vIaVlqPk
> bw8&s=aU3laJhpXnj8ataCCjgCdmeHhXP6jyerRBW6vUlk-SI&e=
> > --------------------------------------------------------------------
> >

v2.23.0 | Report a Bug | By Email