IETF Logo Mail Archive

Re: IPv6 payload length check?

Fernando Gont <fgont@si6networks.com> Thu, 06 February 2020 18:30 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA9BB120858 for <ipv6@ietfa.amsl.com>; Thu, 6 Feb 2020 10:30:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.307
X-Spam-Level:
X-Spam-Status: No, score=-0.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6zzr6kt_kdH for <ipv6@ietfa.amsl.com>; Thu, 6 Feb 2020 10:30:15 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CADB112084A for <ipv6@ietf.org>; Thu, 6 Feb 2020 10:30:14 -0800 (PST)
Received: from [192.168.0.84] (unknown [181.169.127.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1D83F834B9; Thu, 6 Feb 2020 19:30:10 +0100 (CET)
Subject: Re: IPv6 payload length check?
To: "Aitken, Paul" <paul.aitken@intl.att.com>, "ipv6@ietf.org" <ipv6@ietf.org>
References: <90342768-7f25-b9dd-eeae-29db6045b40a@intl.att.com> <77f55628-6f9d-d06a-4e38-f84d76e716bb@intl.att.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <c5edfc71-73f1-718e-9537-000220aa1af9@si6networks.com>
Date: Thu, 06 Feb 2020 11:55:35 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <77f55628-6f9d-d06a-4e38-f84d76e716bb@intl.att.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Kao_qLmma1j1UcpgOn2xudCC53U>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 18:30:17 -0000

Hello, Aitken,

On 3/2/20 12:30, Aitken, Paul wrote:
> Can anyone point me to a standards reference for the check to validate
> that the IPv6 payload length is less than or equal to the link layer
> frame size upon forwarding a packet?

There is no standards reference for that check.

That said, years ago I worked on a consulting project where, among other 
things, we specified validation checks for IPv6 packets.

This is the relevant excerpt for the "Payload Length":

----cut here ----
The Payload Length is a 16-bit unsigned integer that indicates the 
length of the IPv6 payload (i.e., length of the rest of the packet 
following the fixed IPv6 header). Implementations should be aware that 
the IPv6 module could be handed a packet larger than that
implied by the value of the Payload Length field. Such difference in the 
packet size might have todo with legitimate padding bytes at the 
link-layer protocol, but it could also be the result of malicious 
activity by an attacker. Furthermore, even when the maximum length of an 
IPv6
datagram is 65855 bytes (40 bytes for the fixed IPv6 header, plus 65535 
bytes for the payload), if the link-layer technology in use allows for 
payloads larger than 65855 bytes, an attacker could forge such a large 
link-layer packet, and direct it to the IPv6 module. If the IPv6 module 
of the receiving system were not prepared to handle such an oversized 
link-layer payload, an unexpected failure might occur. Therefore, the 
memory buffer used to store the link-layer payload should be allocated 
according to the payload size reported by the Link layer.

The IPv6 module could also be handed a packet that is smaller than the 
actual IPv6 packet size implied by the Payload Length field. This could 
be used, for example, to produce an information leakage. Therefore, the 
following check should be performed:

           Payload Length <= LinkLayer.PayloadSize - 40

       (The length of the ‘fixed’ IPv6 header is 40 bytes.)

As stated in RFC 2675 [Borman et al, 1999], if a node that supports the 
Jumbo Payload option receives a packet with a Payload Length of 0 and 
with a Next Header of 0 (meaning that a Hop-by-Hop Options header 
follows), and the link layer indicates the presence of octets beyond the
IPv6 header, the node must proceed to process the Hop-by-hop Options 
header to determine theactual length of the payload from the Jumbo 
Payload option.

If the Payload Length is 0, but the Next Header is not 0, the packet 
should be dropped, and an ICMPv6 Parameter Problem (code 0) error 
message (with the ‘Pointer’ pointing to the high-order octet of the 
Payload Length ) should be sent to the Source Address of the offending 
packet (provided it is not a multicast address). Additionally, if the 
Payload length is 0 and the Next Header is 0, but the Hop-by-hop Options 
header does not include a Jumbo Payload option, the corresponding packet 
should be dropped, and an ICMPv6 Parameter Problem (code 0) error 
message (with the ‘Pointer’ pointing to the high-order octet of the 
Payload Length ) should be sent to the Source Address of the offending 
packet (provided it is not a multicast address).
---- cut here ----

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

v2.23.0 | Report a Bug | By Email