Re: Non-Last Small IPv6 Fragments
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 11 January 2019 00:56 UTC
Subject: Re: Non-Last Small IPv6 Fragments
To: Ron Bonica <rbonica@juniper.net>, "ek@loon.co" <ek@loon.co>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com>
Date: Fri, 11 Jan 2019 13:56:42 +1300
In-Reply-To: <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Gz7Y5W7j9gg2QCEYLm4QtDpEdLQ>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
On 2019-01-11 09:32, Ron Bonica wrote:
> Brian,
>
> The following are two more fundamental questions:
>
> - Would the attack be effective?

Like all resource-consumption attacks, it all depends. Yes, one-byte fragments would probably be an issue but would 256-byte fragments? I just don't know.

Once in my misspent youth I wrote code for fragmentation/reassembly of CLNP packets over a PMTU of 64 bytes. I did not enjoy writing the code, but I never saw any particular performance issues, even on a microsecond-per-instruction minicomputer. However, I think there's no generic answer to your question.

> - If the attack is effective, is there a better way to mitigate it (e.g., by limiting the number of fragments that a receiving node is willing to reassemble for a single packet)?

Yes, I think quite a few pragmatic suggestions have been made in this thread. But given that this is 6man, maybe we should be asking whether this is a gap in the IPv6 specification.

   Brian

>
> Ron
>
>
>> -----Original Message-----
>> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
>> Sent: Thursday, January 10, 2019 3:01 PM
>> To: Ron Bonica <rbonica@juniper.net>; ek@loon.co
>> Cc: IPv6 List <ipv6@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
>> Subject: Re: Non-Last Small IPv6 Fragments
>>
>> On 2019-01-11 08:52, Ron Bonica wrote:
>>> Erik,
>>>
>>> Thanks for the response.
>>>
>>> So, I understand that if I were to launch a stream of such packets at a target:
>>>
>>> * The target might drop many of the attack packets (but that’s ok)
>>> * The target would still process non-fragmented packets at a reasonable speed
>>> * The target would still be able to reassemble fragments that are from other sources and not part of the attack
>>>
>>> If this is the case, we have nothing to worry about.
>>
>> Well, we have to worry about a broken Linux implementation unless this "fix" is reversed.
>>
>> (I can see a pragmatic argument for dropping non-final fragments that are really small, which might be diagnostic of an attack. But then you have to define "really small".)
>>
>> Brian
>>
>>>
>>> Ron
>>>
>>>
>>> From: Erik Kline <ek@loon.co>
>>> Sent: Thursday, January 10, 2019 2:42 PM
>>> To: Ron Bonica <rbonica@juniper.net>
>>> Cc: Bob Hinden <bob.hinden@gmail.com>; Timothy Winters <twinters@iol.unh.edu>; IPv6 List <ipv6@ietf.org>
>>> Subject: Re: Non-Last Small IPv6 Fragments
>>>
>>> On Thu, 10 Jan 2019 at 11:32, Ron Bonica <rbonica@juniper.net> wrote:
>>>> I read some of the reports on the link, but am still not clear what the underlying problem is. Why does Linux have a problem with receiving intermediate fragments less than 1280?
>>>>
>>>
>>> Hi Bob,
>>>
>>> Might we be defending against an attack in which a packet contains:
>>>
>>> - An IPv6 header (40 bytes)
>>> - A Fragment Header (8 bytes)
>>> - A TCP header (20 bytes)
>>> - TCP Payload (1200 bytes)
>>>
>>> This packet doesn't need to be fragmented at all because the total length is only 1268 bytes. However, a mischievous source node divides the packet into 1200 fragments. The first fragment contains an IPv6 header, a fragment header, the TCP header, and one byte of the TCP payload. Each subsequent fragment contains the IPv6 header, a fragment header, and one byte of TCP payload.
>>>
>>> Are reassembly algorithms clever enough to protect against such attacks? If so, I don't see the problem either. But if not, we may have a problem.
>>>
>>> I'm recently familiar with an IPv6 fragment reassembly implementation, as it turns out. The core implementation uses/makes liberal reference to:
>>>
>>> https://tools.ietf.org/html/rfc815
>>>
>>> It works generally in terms of managing a hole descriptor list. It would successfully reassemble the sequence of packets you describe. Whether that's an "attack" or not, I don't really see it. With local policy caps on the lifetime of unreassembled fragment bits and so on, it seems possible to limit and manage the total resources allocated to reassembly.
>>>
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>
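The RFC 815 hole-descriptor reassembly Erik refers to, with the two mitigations raised in this message (Ron's per-datagram fragment cap and Brian's "drop really small non-final fragments" policy), as an added Python example that is not part of this thread and is not the Linux code or the implementation Erik mentions. The `Fragment`, `Reassembler`, `fragment()` and `run()` names, the 64-fragment cap and the 1232-byte threshold (1280 minus a 40-byte IPv6 header and an 8-byte Fragment header) are illustrative assumptions. Offsets are kept in bytes, and the attack fragments are 8 bytes rather than the one byte in the quoted scenario, because the Fragment Offset field counts 8-octet units, so 8 octets is the smallest non-last fragment the header can express. The sample datagrams are constructed.

```python
# Added example (not code from this thread, from Linux, or from the implementation
# Erik mentions): an RFC 815 hole-descriptor reassembler plus two of the mitigations
# discussed above, run against the quoted 20-byte-TCP-header + 1200-byte-payload case.
# Assumptions: offsets in bytes (IPv6 carries them in 8-octet units), a cap of 64
# fragments per datagram, and a 1232-byte threshold (1280 - 40 - 8) for non-last pieces.
from dataclasses import dataclass, field


@dataclass
class Fragment:
    offset: int      # byte offset of this piece within the fragmentable part
    payload: bytes
    more: bool       # M flag: True on every fragment except the last


@dataclass
class Reassembler:
    """Reassembly state for one datagram (one src/dst/Identification tuple)."""
    max_fragments: int = 64   # mitigation 1: fragments accepted per datagram
    min_nonlast: int = 0      # mitigation 2: drop non-last fragments shorter than this (0 = off)
    holes: list = field(default_factory=lambda: [(0, 1 << 31)])  # RFC 815: start with one hole, 0..infinity
    data: bytearray = field(default_factory=bytearray)
    accepted: int = 0
    dropped: int = 0

    def add(self, frag: Fragment):
        """Apply RFC 815 hole filling; return the datagram once no hole remains, else None."""
        if (frag.more and len(frag.payload) < self.min_nonlast) or self.accepted >= self.max_fragments:
            self.dropped += 1
            return None
        self.accepted += 1
        first, last = frag.offset, frag.offset + len(frag.payload) - 1
        new_holes = []
        for h_first, h_last in self.holes:
            if first > h_last or last < h_first:     # fragment does not touch this hole
                new_holes.append((h_first, h_last))
                continue
            if first > h_first:                      # part of the hole remains before the fragment
                new_holes.append((h_first, first - 1))
            if last < h_last and frag.more:          # part remains after it, unless this is the last fragment
                new_holes.append((last + 1, h_last))
        self.holes = new_holes
        if len(self.data) <= last:
            self.data.extend(bytes(last + 1 - len(self.data)))
        self.data[first:last + 1] = frag.payload
        return bytes(self.data) if not self.holes else None


def fragment(datagram: bytes, size: int) -> list:
    """Split a fragmentable part into pieces of `size` bytes (a multiple of 8, as IPv6 requires)."""
    assert size % 8 == 0
    return [Fragment(off, datagram[off:off + size], more=off + size < len(datagram))
            for off in range(0, len(datagram), size)]


def run(frags: list, **policy) -> tuple:
    """Feed fragments in the given order; return (datagram or None, accepted, dropped)."""
    r = Reassembler(**policy)
    result = None
    for f in frags:
        result = r.add(f) or result
    return result, r.accepted, r.dropped


# Constructed sample datagrams (fragmentable part only, i.e. after the IPv6 and Fragment headers).
ATTACK = bytes(i % 256 for i in range(1220))   # 20-byte TCP header + 1200-byte payload, as in the quoted scenario
BENIGN = bytes(i % 251 for i in range(3000))   # a datagram that genuinely needs fragmenting at a 1280-byte MTU

if __name__ == "__main__":
    # 8-byte pieces, no policy: reassembly succeeds, as Erik says, at the cost of tracking 153 fragments.
    print(run(fragment(ATTACK, 8), max_fragments=10_000)[1:])
    # Fragment cap: the attacker's datagram never completes and the surplus pieces are discarded.
    print(run(fragment(ATTACK, 8), max_fragments=64)[1:])
    # Size threshold: stops the attack, but also breaks a sender that legitimately fragments at 1024 bytes.
    print(run(fragment(BENIGN, 1024), min_nonlast=1232)[0] is None)
```

The last call is Brian's caveat in code: with a 1232-byte threshold the 8-byte attack stalls (only the final fragment is accepted, so a hole from 0 to 1215 is never filled), but a host that fragments a 3000-byte datagram at 1024 bytes, which is perfectly legal, is also never reassembled. The fragment cap has no such false positive for ordinary senders, since a 3000-byte datagram at a 1280-byte MTU needs only three fragments; a real implementation would pair either rule with the per-datagram lifetime cap Erik mentions, since the hole list and buffer here are otherwise held until the datagram completes.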