Re: Review of draft-gont-6man-deprecate-atomfrag-generation-01
Hosnieh Rafiee <ietf@rozanak.com> Wed, 17 September 2014 07:36 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7BC1A0022 for <ipv6@ietfa.amsl.com>; Wed, 17 Sep 2014 00:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.551
X-Spam-Level:
X-Spam-Status: No, score=-3.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fDNjjnsKZMbi for <ipv6@ietfa.amsl.com>; Wed, 17 Sep 2014 00:36:19 -0700 (PDT)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65ACB1A0310 for <6man@ietf.org>; Wed, 17 Sep 2014 00:36:18 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id AFD5156609BB; Wed, 17 Sep 2014 07:36:16 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkr9olmHX5xn; Wed, 17 Sep 2014 09:35:43 +0200 (CEST)
Received: from [10.35.250.111] (ip-109-43-2-245.web.vodafone.de [109.43.2.245]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 1C435566097E; Wed, 17 Sep 2014 09:35:43 +0200 (CEST)
Date: Wed, 17 Sep 2014 09:34:59 +0200
Subject: Re: Review of draft-gont-6man-deprecate-atomfrag-generation-01
Message-ID: <uhsii3ytu5v93fn896sqk2sa.1410939299021@email.android.com>
Importance: normal
From: Hosnieh Rafiee <ietf@rozanak.com>
To: fgont@si6networks.com, hannes@redhat.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.android.email_123481210474363"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/bMxOJm6Z0SmCvu5w721w9iVd55s
Cc: 6man@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Sep 2014 07:36:24 -0000
Hi Fernando, Thanks a lot for your review and comments. Sure i will review your draft and send commens to you first and then if you like to the mailinglist. Best, Hosnieh ___________________________ “sorry for tpyos from my chubby fingers typing on my phone“ -------- Original message -------- Subject: Re: Review of draft-gont-6man-deprecate-atomfrag-generation-01 From: Fernando Gont <fgont@si6networks.com> To: Hannes Frederic Sowa <hannes@redhat.com> CC: 6man@ietf.org Hi, Hannes, On 09/16/2014 05:56 PM, Hannes Frederic Sowa wrote: >> (Actually, I'll try to check that with a current Linux kernel..) >> >> >>> So the unkown variables >>> for an attacker would be the connection quadruple and the sequence >>> numbers. Hitting non-connected UDP on Linux sockets seems pretty easy, >>> but TCP might not be as easy. >> >> Does an ICMPv6 PTB targetted at a UDP socket span all sockets with that >> Destination Address? i.e., could I use UDP (which enforces fewer checks) >> to attack TCP flows? > > Yes, you can. So... if there's a socket with the same remote address, the TCP SEQ check can be bypassed by performing the attack with ICMPv6 messages embedding UDP packets. (just double-checking) > So next outgoing packet will already use new mtu information. > > Kernel before 3.14 also used this MTU value for the forwarding path but > did not look at dst_allfrag attribute (which is the function which > checks if atomic fragments should be generated). "Forwarding path" meaning "if the box is operating as a router for this packet"? [...] >>> OT: >>> This is very well true! On Linux still we use per-host increasing >>> randomized IDs, but at least since the paper "Counting Packets Sent >>> Between Arbitrary Internet Hosts" by Jeffrey Knockel and Jedidiah >>> Crandall showed up, we also seed in a bit of randomness. >> >> We had sent a report to some Linux folks regarding issues with >> predictable Frag IDs arounf 2010 or 2011. At the time, it was changed >> from a global counter to a per-dest counter (initialized to a random >> value, IIRC). >> >> Has anything changed since then? e.g., what do you mean by "seed in a >> bit of randomness). > > The above paper showed that it is possible to infer from the > fragmentation ids if two independent machines on the internet are > communicating with each other: > > https://www.cs.unm.edu/~crandall/foci2014.pdf I'll check the paper. >>> Also multiple >>> IP addresses now share one IP-state "bucket". >> >> That's so that the per-destination counter is less deterministic, or what? > > The tree we kept the per-destination in became a bottleneck: The new > method uses less memory and does faster lookup. A side effect is also > that the per-destination counter are less deterministic. > > The new hash to store the counters also keeps a timestamps to later > check when the last fragmentation id was used. > > In case we didn't communicate with a host for some time we add a random > value clamped to (current time - last timestamp). Cool. Thanks for the clarification. > > >>> I still think that for generating fragmentation ids using just an >>> increasing counter and encrypting it with a very small block cipher >>> (e.g. RC5) is the way to go, but very slow. >> >> Take a look at the hash-based approach in >> [I-D.ietf-6man-predictable-fragment-id]. You probably get the same >> thing... but faster... > > I think you're referring to 6.3? I'll study that, thanks! Section 5.3. -- As far as I recall, Linux uses/used the same sort of algorithm for TCP port randomization -- with the exception that you employ a global counter rather than counter[G(src IP, Dst Pref, secret2)] >>>> 5. Updating RFC2460 >>>> >>>> The following text from Section 5 of [RFC2460]: >>>> >>>> "In response to an IPv6 packet that is sent to an IPv4 destination >>>> (i.e., a packet that undergoes translation from IPv6 to IPv4), the >>>> originating IPv6 node may receive an ICMP Packet Too Big message >>>> reporting a Next-Hop MTU less than 1280. In that case, the IPv6 >>>> node is not required to reduce the size of subsequent packets to >>>> less than 1280, but must include a Fragment header in those >>>> packets so that the IPv6-to-IPv4 translating router can obtain a >>>> suitable Identification value to use in resulting IPv4 fragments. >>>> Note that this means the payload may have to be reduced to 1232 >>>> octets (1280 minus 40 for the IPv6 header and 8 for the Fragment >>>> header), and smaller still if additional extension headers are >>>> used." >>>> >>>> is formally replaced with: >>>> >>>> "An IPv6 node that receives an ICMPv6 Packet Too Big error message >>>> that reports a Next-Hop MTU smaller than 1280 bytes (the minimum >>>> IPv6 MTU) MUST NOT include a Fragment header in subsequent packets >>>> sent to the corresponding destination. That is, IPv6 nodes MUST >>>> NOT generate IPv6 atomic fragments." >>> >>> This is the same as ignoring the packet? Should we still notify any >>> errors without updating path MTUs? >> >> The original advice was to just drop the ICMPv6 PTB. However, it was >> later noted that still notifying the errors (without updating the Path >> MTU) would be better. -- And I'd say I'd agree. e.g., ythat could result >> in a more specific error message if eventually e.g. the TCP connection >> times out. >> >> >>> I am not sure because user space might have cared about IPv6 < 1280 >>> errors before and they very well might be listening for them. >> >> Any ideas what they might be using those ICMPv6 PTB for? -- The only >> consumer for ICMPv6 PTBs<1280 is SIIT... so one would expect that any >> other app would just drop those PTBs if received.... > > I also only think those would be SIIT applications sitting on top of > Linux. I am unsure if they can make use of those notifications any more, Why? > but I don't think they will upgrade right away. If we push the changes > to linux stable, all currently supported kernel will ignore PTB<1280 > right away, that's why I ask. Certainly the idea is that the kernel ignores PTB<1280. If it's also possible to still notify the errors to the upper layer, that'd be perfect. Thus e.g. TCP can report a more specific error message other than "timeout" and, if there's any upper-layer app that has not yet been patched to *not* rely on ICMPv6 PTBs, it can still do its job. Thoughts? >>> I am a bit unsure but hadn't yet time to test this. We definitely have >>> the logic to generate atomic fragments in those mentioned linux >>> versions. >> >> Since there are tools to do that >> (<http://www.si6networks.com/tools/ipv6toolkit>), I'll try to check that >> for TCP, UDP, and ICMPv6. > > Merci! I also attached a packetdrill snippet in the other mail, which > you could use in FreeBSD (IIRC) and Linux to check the stacks behavior. I'll report back asap. Thanks so much! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Review of draft-gont-6man-deprecate-atomfrag-gene… Hannes Frederic Sowa
- Re: Review of draft-gont-6man-deprecate-atomfrag-… Hannes Frederic Sowa
- Re: Review of draft-gont-6man-deprecate-atomfrag-… Fernando Gont
- Re: Review of draft-gont-6man-deprecate-atomfrag-… Fernando Gont
- Re: Review of draft-gont-6man-deprecate-atomfrag-… Hannes Frederic Sowa
- Re: Re: Review of draft-gont-6man-deprecate-atomf… Ray Hunter
- Re: Review of draft-gont-6man-deprecate-atomfrag-… Hosnieh Rafiee
- RE: Review of draft-gont-6man-deprecate-atomfrag-… Hosnieh Rafiee
- Re: Review of draft-gont-6man-deprecate-atomfrag-… Hannes Frederic Sowa