Overlapping fragments in IPv6 and firewalls
Suresh Krishnan <suresh.krishnan@ericsson.com> Mon, 14 July 2008 23:27 UTC
Message-ID: <487BE16C.4030103@ericsson.com>
Date: Mon, 14 Jul 2008 19:29:48 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
To: IETF IPv6 Mailing List <ipv6@ietf.org>
Subject: Overlapping fragments in IPv6 and firewalls

Hi Folks,

This draft describes how to use overlapping fragments in IPv6 to bypass firewalling restrictions. It recommends disallowing overlapping fragments in IPv6.

Thanks
Suresh

-------- Original Message --------
Subject: I-D Action:draft-krishnan-6man-overlap-fragment-01.txt
Date: Mon, 14 Jul 2008 14:15:02 -0700 (PDT)
From: Internet-Drafts@ietf.org
Reply-To: internet-drafts@ietf.org
To: i-d-announce@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title     : Issues with overlapping IPv6 fragments
Author(s) : S. Krishnan
Filename  : draft-krishnan-6man-overlap-fragment-01.txt
Pages     : 7
Date      : 2008-07-13

The fragmentation and reassembly algorithm specified in the base IPv6 specification allows fragments to overlap. This document demonstrates the security issues with allowing overlapping fragments and updates the IPv6 specification to explicitly forbid overlapping fragments.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-krishnan-6man-overlap-fragment-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
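
One way a reassembling host or inspecting device could enforce the rule the draft proposes, as an added example (not code from the draft or from the message above): it parses the IPv6 Fragment header and flags every Identification value whose fragments overlap. The function names, the sample fragments and the choice to tolerate byte-identical duplicates are assumptions of this example.

```python
import struct

FRAG_HDR_LEN = 8  # the IPv6 Fragment extension header is always 8 octets


def make_fragment(ident, offset_units, more, payload, next_hdr=6):
    """Build a constructed test fragment: Fragment header followed by payload."""
    off_flags = (offset_units << 3) | int(more)  # 13-bit offset, 2 reserved bits, M flag
    return struct.pack("!BBHI", next_hdr, 0, off_flags, ident) + payload


def parse_fragment(raw):
    """Return (ident, start, end) in octets; end is exclusive."""
    if len(raw) < FRAG_HDR_LEN:
        raise ValueError("truncated Fragment header")
    _next_hdr, _reserved, off_flags, ident = struct.unpack("!BBHI", raw[:FRAG_HDR_LEN])
    start = (off_flags >> 3) * 8  # the offset field counts 8-octet units
    return ident, start, start + len(raw) - FRAG_HDR_LEN


def check_fragments(frags):
    """Map each Identification value to "ok" or "drop" (some fragments overlap).

    Assumes all fragments share one source/destination pair. Byte-identical
    copies are treated as network duplicates, not overlaps (a policy choice
    of this example).
    """
    spans = {}
    for raw in set(frags):
        ident, start, end = parse_fragment(raw)
        spans.setdefault(ident, []).append((start, end))
    verdicts = {}
    for ident, ranges in spans.items():
        ranges.sort()
        # After sorting by start, any overlap shows up between neighbours.
        overlap = any(b_start < a_end for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]))
        verdicts[ident] = "drop" if overlap else "ok"
    return verdicts


# Constructed sample input with filler payloads, not captured traffic.
SAMPLE = [
    make_fragment(0x1111, 0, True, b"A" * 16),   # octets 0..15
    make_fragment(0x1111, 2, False, b"B" * 8),   # octets 16..23, contiguous
    make_fragment(0x1111, 2, False, b"B" * 8),   # exact duplicate
    make_fragment(0x2222, 0, True, b"C" * 16),   # octets 0..15
    make_fragment(0x2222, 1, False, b"D" * 16),  # octets 8..23, overlaps 8..15
]

if __name__ == "__main__":
    print(check_fragments(SAMPLE))
```

A "drop" verdict applies to the whole fragment set for that Identification value, so no partially reassembled data from an overlapping set is passed on.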