IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 13 January 2019 21:40 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E8D412D4EB for <ipv6@ietfa.amsl.com>; Sun, 13 Jan 2019 13:40:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJLPGczkgJVv for <ipv6@ietfa.amsl.com>; Sun, 13 Jan 2019 13:40:49 -0800 (PST)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABBD812D4EA for <ipv6@ietf.org>; Sun, 13 Jan 2019 13:40:49 -0800 (PST)
Received: by mail-pf1-x42e.google.com with SMTP id g62so9377552pfd.12 for <ipv6@ietf.org>; Sun, 13 Jan 2019 13:40:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Rf5hoKMm9QG+LCeOYm0/mAgLnAkHS4YEOj0WWYbpSmA=; b=kgCsTW4pR16GVW/8WwJwt79vf65IVi9XBqQmaIp5DCu4qmxtLq5ViFZQwGvEPIE/2f /5sfHYQ0U39ZXf7WQSrJ7BB0Z2KE7ZjUJX76+1icyLpbrsJaVkda3HU9RBB4VJGT9tWy BmLj8qNDWU3afZpahr1tlXPkBHoAU67MYncjrvnX6Kv/zG3hv/9lD6Dq953dDat3aCEW mOUerhiLfcgNnmHzYpNxaWMVm5zz/ecMOuBHSiBoJnmoF2q/Mo/Em0wMe2M2tSTJySv1 Bil4qkDKYTJ025ptmU7XoAygzoUs1x7SwiG6Iy/rkl1EO3oNGZ0YW0eLx58F2Aqkc7RQ CbVg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Rf5hoKMm9QG+LCeOYm0/mAgLnAkHS4YEOj0WWYbpSmA=; b=genXgtRuPxU8P+MNAc4Ug9E7kuIDp/81XgQyBT1mSNJjkjK2AM4+RRQtDdc81Te0oD CRGeSWnEBapJqtxCU/A2x/c08FjUyLSi2H1vbMhnVs/uUfOOgjdujvABK//UAcI611g4 WtTaDUZQ5+hQMJwwob8N/J1A1IXw8nxgqHfjWEJC4UdeiMbNctwPpdcO0rRAzSy/+9Oj NDTbCS2pYN/6vM1L2jiDX4xArpMf+RYf4Cau6Kj8kPLbjPErJWQHui6cgOS76orRR517 8FrIRn5iWjGVx7/oD7FqMtigzN+U2OOR0bceXfeBAcvahaD86IATAqxGgLBPALCTMAiR ADSA==
X-Gm-Message-State: AJcUukfRJO9NEQoGg1NCjL+RuVG6bCmi6TupIJ1vzAQOboL5uhLQXkNZ /F9DanV23zBKFAyaUq4JzWhpaM5R
X-Google-Smtp-Source: ALg8bN7yQTlCcW3ZHOMqFrqrAMe/wSQM9ZXsLwedaOIrpbTCGYGXQae9p2+Wm1Pnq4131bKs5Y8DGA==
X-Received: by 2002:a62:a99:: with SMTP id 25mr22575320pfk.121.1547415648429; Sun, 13 Jan 2019 13:40:48 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id b26sm190815945pfe.91.2019.01.13.13.40.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 13 Jan 2019 13:40:47 -0800 (PST)
Subject: Re: Non-Last Small IPv6 Fragments
To: Tom Herbert <tom@herbertland.com>
Cc: Bob Hinden <bob.hinden@gmail.com>, IPv6 List <ipv6@ietf.org>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <8b43af81-1c49-5cea-6472-97703674e661@si6networks.com> <CAN-Dau1HwG5RndacpSA+si+zKuTdpSvA=QA1A11A==rMNe=4+w@mail.gmail.com> <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com> <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com> <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com> <1b2e318e-1a9f-bb5d-75a5-04444c42ef20@si6networks.com> <CALx6S37TJr++fC=pVoeS=mrO1fHc4gL_Wtu-XkVTswzs2XxXCA@mail.gmail.com> <CALx6S36V7vrVyoTP0G6+S5XeFNB3KWS5UaNnVi20xogRERdCfg@mail.gmail.com> <973A1649-55F6-4D97-A97F-CEF555A4D397@employees.org> <CALx6S34YbBe8xBod3VsWVO33TpZcdxh2uV1vaO8Z_NKnVXp66g@mail.gmail.com> <A3C3F9C0-0A07-41AF-9671-B9E486CB8246@employees.org> <AEA47E27-C0CB-4ABE-8ADE-51E9D599EF8F@gmail.com> <6aae7888-46a4-342d-1d76-10f8b50cebc4@gmail.com> <CALx6S35QKOqn_Ywh9yzm1JDA8Xnp7fLPPmXUvomvz_xOZP8bfg@mail.gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <146dbb4f-bebb-cce4-f0f8-f965a951dc47@gmail.com>
Date: Mon, 14 Jan 2019 10:40:41 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CALx6S35QKOqn_Ywh9yzm1JDA8Xnp7fLPPmXUvomvz_xOZP8bfg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/XEA5RRvgMHIexzhctA9wPLFnbSU>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jan 2019 21:40:53 -0000

On 2019-01-14 08:48, Tom Herbert wrote:
> On Sun, Jan 13, 2019 at 11:25 AM Brian E Carpenter
> <brian.e.carpenter@gmail.com> wrote:
>>
>> On 2019-01-14 07:54, Bob Hinden wrote:
>>> Unleveling a bit.
>>>
>>> I think the w.g. should be very cautious about making protocol changes based on what appears to be a fragmentation resource management problem in an implementation.
>>
>> I agree. However, I wonder if we need to clarify that there is no rule that non-last fragments must be at least 1280. It seems that the Linux patch assumed that there is
>> such a rule.
> Brian,
> 
> Yes, but then what are the rules? 

Well, I'm an advocate of one step at a time.

Step 1: As an addendum to RFC8200, state that there is no rule that non-last fragments must be at least 1280.

Step 2: Discuss whether there *should* be any rules about non-last fragment size, given that there are legitimate cases where they will be less than 1280.

Step 3: TBD

   Brian

> AFAICT from RFC8200 the minimum
> fragment data is eight bytes. I think it's going to be a hard sell to
> convince OS developers that they should accept such packets just
> because the spec requires it-- the DOS attack vector in this is too
> obvious.
> 
> I'd also point out that this really isn't a Linux specific problem.
> We've already had proposals to recommend that fragmentation should not
> be used in the Internet. Frankly, such recommendations are not being
> made because of deficient host implementations, because of
> intermediate nodes that don't handle fragmentation properly. Narrowing
> the requirements to make them more practical may be a good step
> getting these devices to properly support fragmentation.
> 
> Tom
> 
>>
>>    Brian
>>
>>>
>>> The fix of “..reject IPv6 fragments less than 1280 that aren't last fragment” seems pretty limited as discussed on the list.   Seems to me that this implementation needs more robust ability to handles it’s reassembly resources.
>>>
>>> Bob
>>>
>>>
>>>
>>>> On Jan 12, 2019, at 11:45 AM, Ole Troan <otroan@employees.org> wrote:
>>>>
>>>> Tom,
>>>>
>>>>> On 12 Jan 2019, at 20:27, Tom Herbert <tom@herbertland.com> wrote:
>>>>>
>>>>>> On Sat, Jan 12, 2019 at 10:50 AM Ole Troan <otroan@employees.org> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>>> On 12 Jan 2019, at 18:17, Tom Herbert <tom@herbertland.com> wrote:
>>>>>>>>
>>>>>>>> On Sat, Jan 12, 2019 at 1:49 AM Ole Troan <otroan@employees.org> wrote:
>>>>>>>>
>>>>>>>> Fernando said:
>>>>>>>>> I agree with the above (please see the ref I posted to RFC6274, which
>>>>>>>>> basically argues about this). HOowever, it is still not clear to me
>>>>>>>>> what's the problem you are addressing by enforcing a minimum fragment
>>>>>>>>> size. If you allow MIN_MTU/2, then you require first frags to be 640
>>>>>>>>> bytes.. and teh attacker is required to send 640 as opposed to 60 bytes
>>>>>>>>> or  so. Doesn't seem to be much of a difference to me.
>>>>>>>>> And as noted by Bob, I still don't see what's the big deal with the
>>>>>>>>> small fragments.
>>>>>>>>>
>>>>>>>>> There are some DoS attacks where you send a last frag and possibly a
>>>>>>>>> first frag, and the implementation allocates a buffer that would fit the
>>>>>>>>> rest of the missing fragments -- obviously exacerbating the problem a
>>>>>>>>> bit. BUt still i this cases, the size of the first frag is not a big deal.
>>>>>>>>
>>>>>>>> In e.g. VPP limiting fragment size would not help at all.
>>>>>>>> The scarce resource is number of available buffers. One fragment occupies at least one buffer regardless of how much smaller than 2K (default buffer size) it is.
>>>>>>>>
>>>>>>>> Mitigations against attack is highly likely to be implementation specific.
>>>>>>>> As an example see:
>>>>>>>> https://github.com/FDio/vpp/blob/master/src/vnet/ip/ip6_reassembly.c
>>>>>>>>
>>>>>>>> Default reassembly timeout is 100ms (constrasting that with the RFC 60s)
>>>>>>>> Maximum consequtive reassemblies in progress is limited to 1024.
>>>>>>>> And in other virtual reassembly algorithms we have also limited maximum allowed number of fragments in chain to 5.
>>>>>>>>
>>>>>>> Ole,
>>>>>>>
>>>>>>> I don't know what the protocol requirements are for virtual
>>>>>>> reassembly. Is there an I-D or RFC on this?
>>>>>>
>>>>>> Virtual reassembly is just an optimization. The protocol requirements are the same.
>>>>>>
>>>>> The same as what requirements? RFC8200 defines how reassembly occurs
>>>>> at a destination (the addressed node), not how an intermediate node in
>>>>> the network reassembles packets. It is not the same thing. For
>>>>> instance, there is an additional implicit requirement in virtual
>>>>> reassembly that all fragments are routed through the same node. Also,
>>>>> Hop-by-Hop options and Destination options can precede the fragment
>>>>> header, so is the requirement that same that nodes MUST process these
>>>>> before the fragmentation header is processed?
>>>>>
>>>>> If virtual reassembly is brought up in the context of standard
>>>>> protocol discussion, it would really be nice to have a normative
>>>>> desciption of that protocol mechanism.
>>>>
>>>> The code example I gave was for host reassembly.
>>>> I didn’t intend with my comment any more than that this is quite implementation specific, that it’s not obvious that the IETF can provide anything useful here, apart from removing network layer fragmentation, and I was absolutely not suggesting we should have a document on in-network reassembly.
>>>>
>>>> Cheers
>>>> Ole
>>>>>
>>>>> Tom
>>>>>
>>>>>> Cheers
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Tom
>>>>>>>
>>>>>>>> Now, if we in the IETF think we can provide some guidance here, I will second Erik’s suggestion of getting more research.
>>>>>>>>
>>>>>>>> The packet traces I have looked at in the past, the majority of fragmeted packets looked like attacks. UDP port 80, DNS queries to “thisdomainnamewillgiveaverylongresponsepurelyforthepurposeofattack.org”,
>>>>>>>> didn’t reassemble, 64K size… But it would be interesting to understand fragmentation behaviour in various parts of the network.
>>>>>>>>
>>>>>>>> - how long are fragment chains (both in packets and in time span)
>>>>>>>> - ratio of out of order fragments
>>>>>>>> - which applications use fragments
>>>>>>>> - ratio of attack traffic using fragments
>>>>>>>> - average/min/maximum sizes, same for numbers of fragments in chain
>>>>>>>> - ratio of complete fragment chain following the same path in the network
>>>>>>>> - ratio of fragments to total traffic
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --------------------------------------------------------------------
>>>>>>>> IETF IPv6 working group mailing list
>>>>>>>> ipv6@ietf.org
>>>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email