Re: Tiny fragments issues
Elwyn Davies <elwynd@dial.pipex.com> Fri, 18 May 2007 15:32 UTC
Return-path: <ipv6-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hp4Ru-00054P-Pk; Fri, 18 May 2007 11:32:58 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Hp4Rt-00054K-OD for ipv6@ietf.org; Fri, 18 May 2007 11:32:57 -0400
Received: from smtp.aaisp.net.uk ([2001:8b0:0:81::51bb:5134]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Hp4Rr-0007BM-2B for ipv6@ietf.org; Fri, 18 May 2007 11:32:57 -0400
Received: from 247.254.187.81.in-addr.arpa ([81.187.254.247]) by smtp.aaisp.net.uk with esmtps (TLSv1:AES256-SHA:256) (Exim 4.62) (envelope-from <elwynd@dial.pipex.com>) id 1Hp4Ro-0005AH-9u; Fri, 18 May 2007 16:32:52 +0100
Message-ID: <464DC777.7070902@dial.pipex.com>
Date: Fri, 18 May 2007 16:34:15 +0100
From: Elwyn Davies <elwynd@dial.pipex.com>
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To: Vishwas Manral <vishwas.ietf@gmail.com>
References: <77ead0ec0705162154i415edc85i34ca5e916afb0804@mail.gmail.com> <20070517045736.101261C065@coconut.itojun.org> <464C62DE.9090503@ericsson.com> <77ead0ec0705180315kb1bc1fcw72fbf9e32d238e1e@mail.gmail.com>
In-Reply-To: <77ead0ec0705180315kb1bc1fcw72fbf9e32d238e1e@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.4 (--)
X-Scan-Signature: 3002fc2e661cd7f114cb6bae92fe88f1
Cc: ipv6@ietf.org, Suresh Krishnan <suresh.krishnan@ericsson.com>
Subject: Re: Tiny fragments issues
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Errors-To: ipv6-bounces@ietf.org
Hi. Section 2.1.11 of the Security Overview draft (http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-06.txt) discusses the 'tiny fragment' problem and tries to reflect Vishwas' original concerns on tiny fragments (see the acknowledgments). After some discussion on the mailing list and with the IESG we settled on a recommendation that non-final fragments smaller than half the 1280 octet minimum MTU (i.e., 640 octets) ought to be filtered out. For any realistic, non-malicious transmission scheme this will not hit genuine packets AFAICS - it allows for schemes that distribute the bytes equally among the required number of fragments as well as schemes that allow for tunnel headers and schemes that send all fragments except the last at the MTU limit. Also Section 2.1.10 suggests that first fragments that do not contain the transport protocol header are very suspicious and could be discarded. Again in any realistic situation a 640 octet header packet should contain the whole of the extension headers and the transport protocol header - I am not aware of situations where the IPsec headers would be likely to break this and you would have to have an *awful* lot of addresses in a Type 0 routing header to break this limit. Of course, Type 0 routing headers are suspicious for other reasons and need to be looked at closely as well! Given that the current IPv6 standard is broken as regards its treatment of fragments, it would be good to update it but I am not sure that there is political will to make the relevant changes. Certainly when I suggested this back in 2004 there was a lot of pushback. The words in the security overview were the best compromise available at the time. If one were to update the standard, I think one would mandate non-final fragments to be at least 50% of the minimum MTU as probably the best way forward without breaking today's (good) implementations. It would also mandate that fragments do not overlap. Regards, Elwyn Vishwas Manral wrote: > Hi Suresh, > > So are you suggesting the non-last fragment size of less than 1280, > example 1200. > > I still have a doubt on this one. Can we state that the first fragment > should have the complete TCP/ UDP headers? I find this essential for > the case of stateless filtering, which are easier to do at line rate > in the hardware. > > Thanks, > Vishwas > > On 5/17/07, Suresh Krishnan <suresh.krishnan@ericsson.com> wrote: >> Hi, >> >> Jun-ichiro itojun Hagino 2.0 wrote: >> > my take on this is that, for non-final fragment, the packet >> size must >> > not be smaller than 1280 bytes. there's no valid use for >> smaller >> > fragments (unless you have special network with MTU < 1280). >> >> I tend to disagree. I do think there are cases where it makes sense to >> have smaller non-final fragments. One example I can think about right >> away is that there is a tunnel somewhere between the source and the >> destination. In this case I would limit myself to a fragment size of >> less than 1280 to avoid further fragmentation. >> >> Cheers >> Suresh >> >> >> >> -------------------------------------------------------------------- >> IETF IPv6 working group mailing list >> ipv6@ietf.org >> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 >> -------------------------------------------------------------------- >> > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Tiny fragments issues Vishwas Manral
- Re: Tiny fragments issues Jun-ichiro itojun Hagino 2.0
- Re: Tiny fragments issues Vishwas Manral
- Re: Tiny fragments issues Jun-ichiro itojun Hagino 2.0
- Re: Tiny fragments issues Suresh Krishnan
- Re: Tiny fragments issues Vishwas Manral
- Re: Tiny fragments issues Elwyn Davies
- Re: Tiny fragments issues Suresh Krishnan