IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Timothy Winters <twinters@iol.unh.edu> Fri, 11 January 2019 15:10 UTC

Return-Path: <twinters@iol.unh.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CBE11228B7 for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 07:10:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iol.unh.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEHel8mjW7X9 for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 07:10:57 -0800 (PST)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EC58124BE5 for <ipv6@ietf.org>; Fri, 11 Jan 2019 07:10:57 -0800 (PST)
Received: by mail-wr1-x42d.google.com with SMTP id z5so15512488wrt.11 for <ipv6@ietf.org>; Fri, 11 Jan 2019 07:10:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iol.unh.edu; s=unh-iol; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IKjh8YIrlqTy9tnQKV94/L86OPsI5Me5T8K1f3Jxodg=; b=bRw1J3a0c1VJzgKAwUUs3MU0sSapLW9Md9h0SwaC4Yk2yeGdK0+yvZ9y9i0BNk5ict C3spWfL+Q24aDg0KYrISWpTuuf3PP7nuBsT7OrwFdyA+kKReim+tyYjG97KkNbDE+nTR 8uyUPS9uy3MTy2Wq8KrcDgFc4rMwWpP6Gf298=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IKjh8YIrlqTy9tnQKV94/L86OPsI5Me5T8K1f3Jxodg=; b=Fz0YMQ87ZQAAkmNwHHQEf3XPUv/KeiMEzfWKvivKLKBK5g/0mQIsXYh7fi0Rfhr36I HbhsSbxW9RHRJhyuqlOe+/9D+v3irapIcnHziNcO3obs5EO03Fy9zsD1meAsq1x2oVjl 8hX5kaCZbqGiavlS1xb0G3kubmWpkk4pN6x5gIXtEO5Sz5QXdnceNY1ClGyBM36Bk9cb O19kv0HfqU3KqgaWOdHfVpgNcilu5CEpa5OrtDHMPybgUUg9oESzC/sflG9kaYC7Ion3 Zd6hvds3tTr8hVHrrJzb0fOZVoIBi2CCzm0SLwzQl/EC3U5qKHS1KmdunsjUOZeifAOV 2DHQ==
X-Gm-Message-State: AJcUukcKcfi9HGvyOhFAicrF6HIzT1o3kZuO5qeF2AMXnAaAHcv8GqeJ 7i3AtDOe77nvCVOrLHcj600aMk5hkNKVzVi4JHhkQ0i/M9E=
X-Google-Smtp-Source: ALg8bN6TP1ynSMgoEshHS+AYIrB/KJTSrELkq8Z1F+ZtNkFIPecnf5VEiBOAk4HOOR63+bZzkAFKgGQTq8H2m95n19k=
X-Received: by 2002:adf:e407:: with SMTP id g7mr13342886wrm.277.1547219455627; Fri, 11 Jan 2019 07:10:55 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com> <0e792b48-4360-6977-9ae8-9cdfdc78c7b8@gmail.com> <16A642DC-D3A4-452C-B7D1-20CA0EEEDDA2@lists.zabbadoz.net> <CAOSSMjWS9po2XuBHJ5hbN9hfNDKZ1diecH08Kt697-15jRtAvg@mail.gmail.com> <0e0c3141-889e-ff60-2787-2889b3a9af6b@si6networks.com> <A9497CD3-67BD-47A8-9FE9-88F3672158C7@employees.org>
In-Reply-To: <A9497CD3-67BD-47A8-9FE9-88F3672158C7@employees.org>
From: Timothy Winters <twinters@iol.unh.edu>
Date: Fri, 11 Jan 2019 10:10:44 -0500
Message-ID: <CAOSSMjUK+Y5eS8ayye6Z9mNivu2-3V3JQJQS2dPi2Veappyfxg@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Ole Troan <otroan@employees.org>
Cc: Fernando Gont <fgont@si6networks.com>, "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>, 6man WG <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000af6d1057f301a5e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/SsAecqB0-ANjl5SvQn4qUmI9Vsc>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2019 15:10:59 -0000

On Fri, Jan 11, 2019 at 9:40 AM Ole Troan <otroan@employees.org> wrote:

> >> As Tom mentioned he has started a discussion on the Linux Network list
> >> about FragmentSmack.  I'll report back if they have a more elegant
> >> solution to the problem.
> >>
> >> This is the best write-up I've found discussing the issue.
> >>
> >> https://access.redhat.com/articles/3553061
> >>
> >> Based on the general comments on list and reading about this attack I'm
> >> going to create a draft to give some guidance to implementors for this
> >> attack.
> >
> > Guidance: whenever there is some data structure that could potentially
> > grow without bounds, or a resource that consumed until it is exhausted,
> > and that would affect the system or the communications in which the
> > system is directly or indirectly involved, enforce limits and try to
> > avoid fair use of such resource. Otherwise, we will keep disvovering the
> > same kind of vulnerabiities we have discovered during the last 30 years
> > or so.
> >
> > :-)
> >
> > IP fragmention is no special.
>
> That’s not quite true. IP reassembly is made an easy target because it
> forces the receiver to complete reassembly before it can determine that the
> complete packet was unwanted.
> Isn’t there a reason we see many IP reassembly attacks and not TCP
> segmentation attacks?
> (And that we encourage deprecation of fragmentation at the network layer).
>
> Cheers,
> Ole

Ultimately, that is the issue in this case.    I think the safest thing to
help against an attack like this, is to update the size to something like
640 to allow implementations to not waste CPU time on processing super
small fragments.

~Tim

v2.23.0 | Report a Bug | By Email