IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

David Farmer <farmer@umn.edu> Thu, 10 January 2019 21:51 UTC

Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20815131273 for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 13:51:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ek0vqyF5WBqi for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 13:51:27 -0800 (PST)
Received: from mta-p7.oit.umn.edu (mta-p7.oit.umn.edu [134.84.196.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E76AA13127C for <ipv6@ietf.org>; Thu, 10 Jan 2019 13:51:26 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p7.oit.umn.edu (Postfix) with ESMTP id 40CE1C28 for <ipv6@ietf.org>; Thu, 10 Jan 2019 21:51:26 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1]) by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IScO3hWio4zJ for <ipv6@ietf.org>; Thu, 10 Jan 2019 15:51:25 -0600 (CST)
Received: from mail-vs1-f70.google.com (mail-vs1-f70.google.com [209.85.217.70]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p7.oit.umn.edu (Postfix) with ESMTPS id D2A88B4C for <ipv6@ietf.org>; Thu, 10 Jan 2019 15:51:25 -0600 (CST)
Received: by mail-vs1-f70.google.com with SMTP id x1so5391815vsc.0 for <ipv6@ietf.org>; Thu, 10 Jan 2019 13:51:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F/iPl0Ej5eL+qIcKivIiNmnXv5286Ap5mtHN62qL4dY=; b=NvsdXr1HfQhV9v4pe4kNK4VFshkgnGIH1JFzgb6niuAkeVBXISUkfV4H/+dMYxVL5h iudOMRFoFHUNYdSofwaI4PXHUw3EY2l3IPfrPTJvWDdRr9/l4jajVfDMbyMDT9NyQaRC z/IByLu4xT5gJ/SCRfiIigh4JuZkZA8G/yXdn3KtVA7BBM7kLjYR06JfABa9CoNeWQld 8YelRpWZy7gpl1jAVhzCTsjWHOEJ55iYCgzy+nFdww6EMzhg9B8KIGFJFx4/4P+/4Kg5 ZLfvv+3RW8iFSyLHgngGzMYRPh/m8P9ojKRcZy9TL/qyId1LiXNbw+z/uTBiEDygG5W0 ro7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F/iPl0Ej5eL+qIcKivIiNmnXv5286Ap5mtHN62qL4dY=; b=e5ilxi9INCPJBRjYsFhMfE8LjVEPu9Jxl3exyPbsAHECjecJjnSQZ8EdXRAqcX3WPm P/nbtFRxmpeCOSzKtwozODZMT7fQupBf0WDdvkZeSdrcsGzo3s/l1Dcd+vLLYOTHdRBp mQiMIInLtZ/zOjZjJ7G0oY6muYxp78ec0rqUJJ7IqIVhmCpdlHCqfW2DxkNWm1FdyvOj tbFM9CN4qT0sW0/9SqnYYxjp5Llys9zyi6tF7NxTWESzAKwWK66bv8DJa9m6tikWKqM5 L+fpfVvy8QyIT+YiqmjnSvDW7tU8dMn4p/XD/G6fSM+zvIYZFb1/LUxOzSQZiLNVfwXe K1uA==
X-Gm-Message-State: AJcUukeOx6VhH5fBW/gTG1/8mgfNFiO2Hl759t/Wdms3Qt+IkeUHyBSH xQFWCQNVCw+1XKa/sKegW8wAOSIQv2eYeJH7gFdYyhgS6V3+nuQX2AsYdlMCM8sz0z6cjseVS3I FgcedFfABwqHtRmNQk0t8JKF1
X-Received: by 2002:ab0:1307:: with SMTP id g7mr4274851uae.35.1547157084839; Thu, 10 Jan 2019 13:51:24 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4oh2G+IxNoOdWvfr/S2aD8c3mZ2CDkUF+Xoxd8zj4mq4vrstQ8r+L9KwfO6Sd8oTDtjLmkQiVKY4V9qfw+Bug=
X-Received: by 2002:ab0:1307:: with SMTP id g7mr4274840uae.35.1547157084232; Thu, 10 Jan 2019 13:51:24 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S35QkKhRFVV+FE0Cnb-CrNHTj96QqQGNsHqrxjQYV5qB0Q@mail.gmail.com> <F39C20D8-9478-478F-896B-D4AC4B0D4BBA@isc.org>
In-Reply-To: <F39C20D8-9478-478F-896B-D4AC4B0D4BBA@isc.org>
From: David Farmer <farmer@umn.edu>
Date: Thu, 10 Jan 2019 15:51:08 -0600
Message-ID: <CAN-Dau19NeWg_8+cMCjZUymB0QmP073sE_5Xm02otg6b6krSUg@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Mark Andrews <marka@isc.org>
Cc: Tom Herbert <tom@herbertland.com>, IPv6 List <ipv6@ietf.org>, "ek@loon.co" <ek@loon.co>, Bob Hinden <bob.hinden@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000006b0574057f2194bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/Z7xRtgEy-VU1mD1A4Hwx9HDgo0M>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 21:51:31 -0000

So basically you are adding a limitation of "but not more fragments than
the number of Minimum MTU fragments necessary to send the original packet"
to the current rule allowing the "for sending any fragment for fragments as
long they add up to the original packet."

I was thinking along these lines too, and it seems prudent to limit the
number of fragments that can be created.

Or, maybe "but not more than one additional fragment than the number of
Minimum MTU fragments necessary to send the original packet"

Which would be essentially 1280/3, this would allow some flexibility
without leaving it completely open-ended.

On Thu, Jan 10, 2019 at 3:24 PM Mark Andrews <marka@isc.org> wrote:

> A resonable limit is 1280/2.  This allow a 1281 packet to be split into
> 2 even sizes packets.  Even sized packets have less reordering issues
> than all PMTU but the last.
>
> > On 11 Jan 2019, at 8:19 am, Tom Herbert <tom@herbertland.com> wrote:
> >
> > On Thu, Jan 10, 2019 at 12:33 PM Ron Bonica <rbonica@juniper.net> wrote:
> >>
> >> Brian,
> >>
> >> The following are two more fundamental questions:
> >>
> >> - Would the attack be effective?
> > Hi Ron,
> >
> > I imagine it could be. In Linux for instance, the reassembly queue
> > requires an skbuf structure for each fragment. That means one packet
> > in reassembly could tie up thousands of such structures in memory in
> > your proposed attack.
> >
> >> - If the attack is effective, is there a better way to mitigate it
> (e.g., by limiting the number of fragments that a receiving node is willing
> to reassemble for a single packet)?
> >
> > That might be reasonable, however requiring intermediate fragments to
> > be at least 1280 MTU in IPv6 also solves that without needing to
> > define some aritrary new limit. I'd also point out that while Linux
> > was changed to enforce a minimum size on intermediate fragments for
> > IPv6, doing the same thing in IPv4 was rejected since intermediate
> > nodes can fragment.
> >
> > Tom
> >
> >>
> >>
> Ron
> >>
> >>
> >>> -----Original Message-----
> >>> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
> >>> Sent: Thursday, January 10, 2019 3:01 PM
> >>> To: Ron Bonica <rbonica@juniper.net>; ek@loon.co
> >>> Cc: IPv6 List <ipv6@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
> >>> Subject: Re: Non-Last Small IPv6 Fragments
> >>>
> >>> On 2019-01-11 08:52, Ron Bonica wrote:
> >>>> Erik,
> >>>>
> >>>> Thanks for the response.
> >>>>
> >>>> So, I understand that if I were to launch a stream of such packets at
> a target:
> >>>>
> >>>>
> >>>>  *   The target might drop many of the attack packets (but that’s ok)
> >>>>  *   The target would still process non-fragmented packets at a
> reasonable
> >>> speed
> >>>>  *   The target would still be able to reassemble fragments that are
> from
> >>> other sources and not part of the attack
> >>>>
> >>>> If this is the case, we have nothing to worry about.
> >>>
> >>> Well, we have to worry about a broken Linux implementation unless this
> "fix"
> >>> is reversed.
> >>>
> >>> (I can see a pragmatic argument for dropping non-final fragments that
> are
> >>> really small, which might be diagnostic of an attack. But then you
> have to
> >>> define "really small".)
> >>>
> >>>   Brian
> >>>
> >>>>
> >>>>                                                          Ron
> >>>>
> >>>>
> >>>> From: Erik Kline <ek@loon.co>
> >>>> Sent: Thursday, January 10, 2019 2:42 PM
> >>>> To: Ron Bonica <rbonica@juniper.net>
> >>>> Cc: Bob Hinden <bob.hinden@gmail.com>; Timothy Winters
> >>> <twinters@iol.unh.edu>; IPv6 List <ipv6@ietf.org>
> >>>> Subject: Re: Non-Last Small IPv6 Fragments
> >>>>
> >>>> On Thu, 10 Jan 2019 at 11:32, Ron Bonica
> >>> <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
> >>>>> I read some of the reports on the link, but am still not clear what
> the
> >>>>> underlying problem is.   Why does Linux have a problem with receving
> >>>>> intermediate fragments less than 1280?
> >>>>>
> >>>>
> >>>> Hi Bob,
> >>>>
> >>>> Might we be defending against an attack in which a packet contains:
> >>>>
> >>>> - An IPv6 header (40 bytes)
> >>>> - A Fragment Header (8 bytes)
> >>>> - A TCP header (20 bytes)
> >>>> - TCP Payload (1200 bytes)
> >>>>
> >>>> This packet doesn't need to be fragmented at all because the total
> length is
> >>> only 1268 bytes. However, a mischievous source node divides the packet
> into
> >>> 1200 fragments. The first fragment contains an IPv6 header, a fragment
> >>> header, the TCP header, and one byte of the TCP payload. Each
> subsequent
> >>> fragment contains the IPv6 header, a fragment header, and one byte of
> TCP
> >>> payload.
> >>>>
> >>>> Are reassembly algorithms clever enough to protect against such
> attacks? If
> >>> so, I don't see the problem either. But if not, we may have a problem.
> >>>>
> >>>> I'm recently familiar with an IPv6 fragment reassembly
> implementation, as it
> >>> turns out.  The core implementation uses/makes liberal reference to:
> >>>>
> >>>>    https://urldefense.proofpoint.com/v2/url?u=https-
> >>> 3A__tools.ietf.org_html_rfc815&d=DwIFaQ&c=HAkYuh63rsuhr6Scbfh0UjBX
> >>> eMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> >>> AWF2EfpHcAwrDThKP8&m=sK5K5wuiRYsxdqBoO01uXstXrB6pcOH7vIaVlqPk
> >>> bw8&s=wRD2EDX32nGJdkVKcg_MlfkjpiweHbKU_7X3BJXHQks&e=<https://u
> >>> rldefense.proofpoint.com/v2/url?u=https-
> >>> 3A__tools.ietf.org_html_rfc815&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjB
> >>> XeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> >>> AWF2EfpHcAwrDThKP8&m=-
> >>> dVqPKvvhh60cA1adnmR9mFsqrX0ADki0K4BlrOQqGc&s=6m7aXa5azbXR0bS
> >>> ACw5GJgOfJx06tbs_1LydP-h2aqs&e=>
> >>>>
> >>>> It works generally in terms of managing a hole descriptor list.  It
> would
> >>> successfully reassemble the sequence of packets you describe.  Whether
> that's
> >>> an "attack" or not, I don't really see it.  With local policy caps on
> the lifetime of
> >>> unreassembled fragment bits and so on, it seems possible to limit and
> manage
> >>> the total resources allocated to reassembly.
> >>>>
> >>>>
> >>>> --------------------------------------------------------------------
> >>>> IETF IPv6 working group mailing list
> >>>> ipv6@ietf.org
> >>>> Administrative Requests:
> >>> https://urldefense.proofpoint.com/v2/url?u=https-
> >>> 3A__www.ietf.org_mailman_listinfo_ipv6&d=DwIFaQ&c=HAkYuh63rsuhr6S
> >>> cbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
> >>> AWF2EfpHcAwrDThKP8&m=sK5K5wuiRYsxdqBoO01uXstXrB6pcOH7vIaVlqPk
> >>> bw8&s=aU3laJhpXnj8ataCCjgCdmeHhXP6jyerRBW6vUlk-SI&e=
> >>>> --------------------------------------------------------------------
> >>>>
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------
> >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>


-- 
===============================================
David Farmer               Email:farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

v2.23.0 | Report a Bug | By Email