Re: IPv6 payload length check?
Fernando Gont <fgont@si6networks.com> Thu, 06 February 2020 18:30 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA9BB120858 for <ipv6@ietfa.amsl.com>; Thu, 6 Feb 2020 10:30:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.307
X-Spam-Level:
X-Spam-Status: No, score=-0.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6zzr6kt_kdH for <ipv6@ietfa.amsl.com>; Thu, 6 Feb 2020 10:30:15 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CADB112084A for <ipv6@ietf.org>; Thu, 6 Feb 2020 10:30:14 -0800 (PST)
Received: from [192.168.0.84] (unknown [181.169.127.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1D83F834B9; Thu, 6 Feb 2020 19:30:10 +0100 (CET)
Subject: Re: IPv6 payload length check?
To: "Aitken, Paul" <paul.aitken@intl.att.com>, "ipv6@ietf.org" <ipv6@ietf.org>
References: <90342768-7f25-b9dd-eeae-29db6045b40a@intl.att.com> <77f55628-6f9d-d06a-4e38-f84d76e716bb@intl.att.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <c5edfc71-73f1-718e-9537-000220aa1af9@si6networks.com>
Date: Thu, 06 Feb 2020 11:55:35 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <77f55628-6f9d-d06a-4e38-f84d76e716bb@intl.att.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Kao_qLmma1j1UcpgOn2xudCC53U>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 18:30:17 -0000
Hello, Aitken, On 3/2/20 12:30, Aitken, Paul wrote: > Can anyone point me to a standards reference for the check to validate > that the IPv6 payload length is less than or equal to the link layer > frame size upon forwarding a packet? There is no standards reference for that check. That said, years ago I worked on a consulting project where, among other things, we specified validation checks for IPv6 packets. This is the relevant excerpt for the "Payload Length": ----cut here ---- The Payload Length is a 16-bit unsigned integer that indicates the length of the IPv6 payload (i.e., length of the rest of the packet following the fixed IPv6 header). Implementations should be aware that the IPv6 module could be handed a packet larger than that implied by the value of the Payload Length field. Such difference in the packet size might have todo with legitimate padding bytes at the link-layer protocol, but it could also be the result of malicious activity by an attacker. Furthermore, even when the maximum length of an IPv6 datagram is 65855 bytes (40 bytes for the fixed IPv6 header, plus 65535 bytes for the payload), if the link-layer technology in use allows for payloads larger than 65855 bytes, an attacker could forge such a large link-layer packet, and direct it to the IPv6 module. If the IPv6 module of the receiving system were not prepared to handle such an oversized link-layer payload, an unexpected failure might occur. Therefore, the memory buffer used to store the link-layer payload should be allocated according to the payload size reported by the Link layer. The IPv6 module could also be handed a packet that is smaller than the actual IPv6 packet size implied by the Payload Length field. This could be used, for example, to produce an information leakage. Therefore, the following check should be performed: Payload Length <= LinkLayer.PayloadSize - 40 (The length of the ‘fixed’ IPv6 header is 40 bytes.) As stated in RFC 2675 [Borman et al, 1999], if a node that supports the Jumbo Payload option receives a packet with a Payload Length of 0 and with a Next Header of 0 (meaning that a Hop-by-Hop Options header follows), and the link layer indicates the presence of octets beyond the IPv6 header, the node must proceed to process the Hop-by-hop Options header to determine theactual length of the payload from the Jumbo Payload option. If the Payload Length is 0, but the Next Header is not 0, the packet should be dropped, and an ICMPv6 Parameter Problem (code 0) error message (with the ‘Pointer’ pointing to the high-order octet of the Payload Length ) should be sent to the Source Address of the offending packet (provided it is not a multicast address). Additionally, if the Payload length is 0 and the Next Header is 0, but the Hop-by-hop Options header does not include a Jumbo Payload option, the corresponding packet should be dropped, and an ICMPv6 Parameter Problem (code 0) error message (with the ‘Pointer’ pointing to the high-order octet of the Payload Length ) should be sent to the Source Address of the offending packet (provided it is not a multicast address). ---- cut here ---- Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- IPv6 payload length check? Aitken, Paul
- Re: IPv6 payload length check? Erik Kline
- Re: IPv6 payload length check? Aitken, Paul
- Re: IPv6 payload length check? Mark Smith
- Re: IPv6 payload length check? Michael Richardson
- Re: IPv6 payload length check? Mark Smith
- Re: IPv6 payload length check? Brian E Carpenter
- Re: IPv6 payload length check? Joel M. Halpern
- Re: IPv6 payload length check? Mark Smith
- Re: IPv6 payload length check? Fernando Gont
- Re: IPv6 payload length check? Gyan Mishra