Re: Non-Last Small IPv6 Fragments

Bob Hinden <bob.hinden@gmail.com> Thu, 10 January 2019 17:48 UTC

To: Timothy Winters <twinters@iol.unh.edu>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/TaNXx9KYChqML4qt-0Qtegni-_w>

Tim,

> On Jan 10, 2019, at 7:33 AM, Timothy Winters <twinters@iol.unh.edu> wrote:
> 
> We have encountered a potential Interoperability issue at the UNH-IOL while running some testing.  The issue is around fragments.
> 
> The Linux Kernel updated based on the following CVE:
> 
> https://nvd.nist.gov/vuln/detail/CVE-2018-5391.

I read some of the reports on the link, but am still not clear what the underlying problem is. Why does Linux have a problem with receiving intermediate fragments less than 1280?

Bob


> 
> The fix was to reject IPv6 fragments less than 1280 that aren't the last fragment.  Section 4.5 of RFC 8200 allows for sending any fragment for fragments as long as they add up to the original packet.  This means that an implementation that generates non-last fragments with a size less than 1280 will be dropped by the updated kernel.
> 
> I'm willing to write a draft about the expected behavior, but before I do that I wanted to get the working group feedback on if we think an implementation should drop non-last fragments less than 1280.
> 
> ~Tim
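
The receive-side rule described in the quoted message (drop a fragment that is not the last one and is smaller than 1280), written out as an added example; it is not part of this thread and not the Linux kernel's code. It assumes the Fragment header directly follows the fixed IPv6 header and that "size" means the whole packet; the function names, the enum and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define FRAG_HDR_LEN 8
#define NEXTHDR_FRAG 44
#define SMALL_LIMIT  1280   /* threshold quoted in the thread */

enum frag_verdict { NOT_FRAGMENT, MALFORMED, ACCEPT, DROP_SMALL_NON_LAST };

/* Classify one IPv6 packet under the rule described in the thread.
 * Assumption: "size" = fixed header + Payload Length. */
enum frag_verdict classify_fragment(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return MALFORMED;
    if (pkt[6] != NEXTHDR_FRAG) return NOT_FRAGMENT;
    size_t total = IPV6_HDR_LEN + (((size_t)pkt[4] << 8) | pkt[5]);
    if (total > len || total < IPV6_HDR_LEN + FRAG_HDR_LEN) return MALFORMED;
    /* Fragment header bytes 2-3: 13-bit offset, 2 reserved bits, M flag */
    unsigned off_flags = ((unsigned)pkt[42] << 8) | pkt[43];
    int more_fragments = off_flags & 0x1;
    /* RFC 8200: a fragment with M=1 must carry a multiple of 8 octets */
    if (more_fragments && (total - IPV6_HDR_LEN - FRAG_HDR_LEN) % 8 != 0)
        return MALFORMED;
    if (more_fragments && total < SMALL_LIMIT)
        return DROP_SMALL_NON_LAST;
    return ACCEPT;              /* last fragments may be any size */
}

/* Build a constructed sample fragment (zero-filled data, not captured traffic). */
size_t make_fragment(uint8_t *buf, uint16_t data_len, uint16_t offset_units, int more)
{
    uint16_t payload = (uint16_t)(FRAG_HDR_LEN + data_len);
    memset(buf, 0, (size_t)IPV6_HDR_LEN + payload);
    buf[0] = 0x60;                                   /* version 6 */
    buf[4] = (uint8_t)(payload >> 8); buf[5] = (uint8_t)(payload & 0xff);
    buf[6] = NEXTHDR_FRAG; buf[7] = 64;              /* next header, hop limit */
    buf[40] = 17;                                    /* upper layer: UDP */
    uint16_t of = (uint16_t)((offset_units << 3) | (more ? 1 : 0));
    buf[42] = (uint8_t)(of >> 8); buf[43] = (uint8_t)(of & 0xff);
    return (size_t)IPV6_HDR_LEN + payload;
}

int main(void)
{
    uint8_t buf[1500];
    size_t n = make_fragment(buf, 512, 0, 1);        /* 560-byte non-last fragment */
    printf("verdict=%d\n", classify_fragment(buf, n));
    return 0;
}
```

A sender that splits a packet into equal halves, which Section 4.5 of RFC 8200 permits, lands in the DROP_SMALL_NON_LAST case whenever the first half is under the threshold.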