IETF Logo Mail Archive

RE: Non-Last Small IPv6 Fragments

Ron Bonica <rbonica@juniper.net> Thu, 10 January 2019 19:52 UTC

Return-Path: <rbonica@juniper.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 427EB130F88 for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 11:52:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.263
X-Spam-Level:
X-Spam-Status: No, score=-3.263 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gV-aXODBJLwR for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 11:52:41 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 430A9130F6D for <ipv6@ietf.org>; Thu, 10 Jan 2019 11:52:41 -0800 (PST)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0AJm20j016850; Thu, 10 Jan 2019 11:52:40 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=VMnd+zUK7sgyld59o0nNdDoaPVOXnn1A/97Gfzm8Gt8=; b=ReAGlvA2fW/IgOHS8AQpMpCa+Q+xEX+NvCvofYDZr4G1+z15VdGkxESLgRoA67AULWS1 S+J/AVtehuT2rKbFtgQqLgMvYMmfcQx/wXvzEol/EcEQiXM8jku+bD6JJvyNW7LV1nob HnOITyA4EbOqGEDUwzLy4UAwyP5VEFw2axd+X7nkQ9UKW9zHZdEGtxi+GKfh2aZJG6hJ FWJ+UCVF/DgYCjF42IyYs1+GSKRjWLmSHZIgOZWqlF979dVMxrfSTfovr5nckYKwg6zG 78cPJB18pYToALnf8//MNV2VI5qGdTlZmvVGi5IXsa4pStyATRxAOOal1P9ly1+UE+hy Xg==
Received: from nam04-sn1-obe.outbound.protection.outlook.com (mail-sn1nam04lp2050.outbound.protection.outlook.com [104.47.44.50]) by mx0a-00273201.pphosted.com with ESMTP id 2px1qah0tt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 10 Jan 2019 11:52:40 -0800
Received: from BYAPR05MB4245.namprd05.prod.outlook.com (20.176.252.26) by BYAPR05MB4614.namprd05.prod.outlook.com (52.135.233.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.10; Thu, 10 Jan 2019 19:52:34 +0000
Received: from BYAPR05MB4245.namprd05.prod.outlook.com ([fe80::7598:d648:d84f:9304]) by BYAPR05MB4245.namprd05.prod.outlook.com ([fe80::7598:d648:d84f:9304%3]) with mapi id 15.20.1516.015; Thu, 10 Jan 2019 19:52:34 +0000
From: Ron Bonica <rbonica@juniper.net>
To: "ek@loon.co" <ek@loon.co>
CC: Bob Hinden <bob.hinden@gmail.com>, Timothy Winters <twinters@iol.unh.edu>, IPv6 List <ipv6@ietf.org>
Subject: RE: Non-Last Small IPv6 Fragments
Thread-Topic: Non-Last Small IPv6 Fragments
Thread-Index: AQHUqPnhfVKjIVRV7USb44QrUExkh6WoxzKAgAAaJXCAAAXdgIAAAdRA
Date: Thu, 10 Jan 2019 19:52:34 +0000
Message-ID: <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com>
In-Reply-To: <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.0.61
dlp-reaction: no-action
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB4614; 6:WlaC2v87DziYDvXxZmghykuE1iFTTuaBhimmJMc0T4b8b7YGam7ZVNWrRUQJhS5s/wOvJrJaASVPr1UCKAsKnvbES78FeGVRB2wTi20n/BqYndNzu6OVIAqC/UpCtECxjPQZi7P3b6q1lXsGtP4qTbwT2wtnfrEKmDjO5r+0lOM6q8kAfcm7P9VcGrEl7CiCrVCK5WfZsHeEpWULZQnfO2N1Teqq+w0/oODQ8JQBWg7PsvEbH+F6qRcZ1NXo63xXME6rseAB07ikP/1fzcCI+kfEvJMewOnoxx4Y3KxqyPwgOXfBPm4JeaKWjE1d+vhCfdr9YkjtsqqpDrx2n9/7l5Ys9ecA5BtW7RYAWtalnnMTF0HN3oy1tm2gTvDwd2C9Hajr9y/86f5jusRW3OK7g3G1nuBJOCSAZ3HgO7Q9nW+HwHqM2+rIh3zN/bsmLE2JyyCebw/bz2uW6Qic2dMbiA==; 5:P0C0ezR4MLYoHJqfU5Nki4IQxijADtQk2ipST4KdxBuD1rdf5Ji+bla0F2/tUPZ9EWhQvh+IJ1IfcIVrBd2Tovf5MapCQOJGXwVNb/j7o2WztRnoCWAjZtG2tDc6iZYkpMwDE+S8QF9mply6o/hBsvbmr2hvhBiPYFFgB3p2x46k5aTk+JBZ6h5MkXuvW0iQEDzQqdFJ4nwJ9R2HlBbOxQ==; 7:2U1EqgyzqHB4/7yES+lPjiP+3vQ6o2EtxLRCAednHFKAn6xspTKt434uIj8BHcPwc5AOUvW5TShquAwodlMusiutKL4Sr8BQze0Vrislxtbl3K24kyDX0pbde6tYWcUwPIEvxJakBdDOGh7qet/qZw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 50bbdafb-5b43-4621-5ae0-08d677352a52
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB4614;
x-ms-traffictypediagnostic: BYAPR05MB4614:
x-microsoft-antispam-prvs: <BYAPR05MB46140BF4AAB5FCF568B16399AE840@BYAPR05MB4614.namprd05.prod.outlook.com>
x-forefront-prvs: 0913EA1D60
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(136003)(396003)(346002)(39860400002)(376002)(51914003)(189003)(199004)(54906003)(8676002)(2906002)(966005)(81156014)(81166006)(1730700003)(236005)(5660300001)(7736002)(6306002)(54896002)(14454004)(53936002)(9686003)(478600001)(606006)(105586002)(6916009)(6436002)(486006)(2351001)(8936002)(97736004)(5640700003)(186003)(71200400001)(39060400002)(316002)(106356001)(33656002)(26005)(55016002)(4326008)(2501003)(102836004)(6246003)(3846002)(25786009)(99286004)(71190400001)(53546011)(6506007)(6116002)(790700001)(11346002)(7696005)(86362001)(76176011)(66066001)(74316002)(229853002)(476003)(446003)(93886005)(14444005)(68736007)(256004)(567974002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB4614; H:BYAPR05MB4245.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 3Jc8oBiD35Kz5ZjcT0I9tUTxmmHN/RRjssuuY7HAQhZJyCy5j/HbKBx+0mdIdBsyjLmmMnl0mNC3xpOFgGaa1QAeGFjDMpZCpnB1sU2k8YybFYoRa+sa6PM7/PkCIwl8NOWOdj0K7LDFKBc601obiVZIXJ6w/BI8syPTxNz3Q9tC+ZaNeU0ixk1fMSLZ4jfAHRPX6+8uNoBhVaYkLTDA12D4mmJddpg9D4LHR1RMDbREYZQEBa00P/L9NqMFlVDyaWeLAlWd2KlrugzkC5xP038R6T8rWoHZcr0LKrml87fDdfaEDSzwfA54sFre0/tn
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BYAPR05MB4245388FB800873A5A8ED12AAE840BYAPR05MB4245namp_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 50bbdafb-5b43-4621-5ae0-08d677352a52
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jan 2019 19:52:34.4664 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB4614
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-10_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901100153
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/wHNJdl-1kRQ4k-ksCOjMK7uwMGw>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 19:52:44 -0000

Erik,

Thanks for the response.

So, I understand that if I were to launch a stream of such packets at a target:


  *   The target might drop many of the attack packets (but that’s ok)
  *   The target would still process non-fragmented packets at a reasonable speed
  *   The target would still be able to reassemble fragments that are from other sources and not part of the attack

If this is the case, we have nothing to worry about.

                                                          Ron


From: Erik Kline <ek@loon.co>
Sent: Thursday, January 10, 2019 2:42 PM
To: Ron Bonica <rbonica@juniper.net>
Cc: Bob Hinden <bob.hinden@gmail.com>; Timothy Winters <twinters@iol.unh.edu>; IPv6 List <ipv6@ietf.org>
Subject: Re: Non-Last Small IPv6 Fragments

On Thu, 10 Jan 2019 at 11:32, Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
> I read some of the reports on the link, but am still not clear what the
> underlying problem is.   Why does Linux have a problem with receving
> intermediate fragments less than 1280?
>

Hi Bob,

Might we be defending against an attack in which a packet contains:

- An IPv6 header (40 bytes)
- A Fragment Header (8 bytes)
- A TCP header (20 bytes)
- TCP Payload (1200 bytes)

This packet doesn't need to be fragmented at all because the total length is only 1268 bytes. However, a mischievous source node divides the packet into 1200 fragments. The first fragment contains an IPv6 header, a fragment header, the TCP header, and one byte of the TCP payload. Each subsequent fragment contains the IPv6 header, a fragment header, and one byte of TCP payload.

Are reassembly algorithms clever enough to protect against such attacks? If so, I don't see the problem either. But if not, we may have a problem.

I'm recently familiar with an IPv6 fragment reassembly implementation, as it turns out.  The core implementation uses/makes liberal reference to:

    https://tools.ietf.org/html/rfc815<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc815&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=-dVqPKvvhh60cA1adnmR9mFsqrX0ADki0K4BlrOQqGc&s=6m7aXa5azbXR0bSACw5GJgOfJx06tbs_1LydP-h2aqs&e=>

It works generally in terms of managing a hole descriptor list.  It would successfully reassemble the sequence of packets you describe.  Whether that's an "attack" or not, I don't really see it.  With local policy caps on the lifetime of unreassembled fragment bits and so on, it seems possible to limit and manage the total resources allocated to reassembly.

v2.23.0 | Report a Bug | By Email