IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Mark Andrews <marka@isc.org> Thu, 10 January 2019 21:24 UTC

Return-Path: <marka@isc.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 088D813125E for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 13:24:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvlRYGMevDWb for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 13:24:39 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 253D913125C for <ipv6@ietf.org>; Thu, 10 Jan 2019 13:24:39 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id F00DD3AB040; Thu, 10 Jan 2019 21:24:38 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id A0165160054; Thu, 10 Jan 2019 21:24:38 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8CE34160075; Thu, 10 Jan 2019 21:24:38 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 9HHf9KhQNA9t; Thu, 10 Jan 2019 21:24:38 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 08D62160054; Thu, 10 Jan 2019 21:24:36 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: Non-Last Small IPv6 Fragments
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CALx6S35QkKhRFVV+FE0Cnb-CrNHTj96QqQGNsHqrxjQYV5qB0Q@mail.gmail.com>
Date: Fri, 11 Jan 2019 08:24:34 +1100
Cc: Ron Bonica <rbonica@juniper.net>, IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, "ek@loon.co" <ek@loon.co>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F39C20D8-9478-478F-896B-D4AC4B0D4BBA@isc.org>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CALx6S35QkKhRFVV+FE0Cnb-CrNHTj96QqQGNsHqrxjQYV5qB0Q@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/eRseywiYBpIA39p7ruldMwPypbE>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 21:24:41 -0000

A resonable limit is 1280/2.  This allow a 1281 packet to be split into
2 even sizes packets.  Even sized packets have less reordering issues
than all PMTU but the last.

> On 11 Jan 2019, at 8:19 am, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Thu, Jan 10, 2019 at 12:33 PM Ron Bonica <rbonica@juniper.net> wrote:
>> 
>> Brian,
>> 
>> The following are two more fundamental questions:
>> 
>> - Would the attack be effective?
> Hi Ron,
> 
> I imagine it could be. In Linux for instance, the reassembly queue
> requires an skbuf structure for each fragment. That means one packet
> in reassembly could tie up thousands of such structures in memory in
> your proposed attack.
> 
>> - If the attack is effective, is there a better way to mitigate it (e.g., by limiting the number of fragments that a receiving node is willing to reassemble for a single packet)?
> 
> That might be reasonable, however requiring intermediate fragments to
> be at least 1280 MTU in IPv6 also solves that without needing to
> define some aritrary new limit. I'd also point out that while Linux
> was changed to enforce a minimum size on intermediate fragments for
> IPv6, doing the same thing in IPv4 was rejected since intermediate
> nodes can fragment.
> 
> Tom
> 
>> 
>>                                                                        Ron
>> 
>> 
>>> -----Original Message-----
>>> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
>>> Sent: Thursday, January 10, 2019 3:01 PM
>>> To: Ron Bonica <rbonica@juniper.net>; ek@loon.co
>>> Cc: IPv6 List <ipv6@ietf.org>; Bob Hinden <bob.hinden@gmail.com>
>>> Subject: Re: Non-Last Small IPv6 Fragments
>>> 
>>> On 2019-01-11 08:52, Ron Bonica wrote:
>>>> Erik,
>>>> 
>>>> Thanks for the response.
>>>> 
>>>> So, I understand that if I were to launch a stream of such packets at a target:
>>>> 
>>>> 
>>>>  *   The target might drop many of the attack packets (but that’s ok)
>>>>  *   The target would still process non-fragmented packets at a reasonable
>>> speed
>>>>  *   The target would still be able to reassemble fragments that are from
>>> other sources and not part of the attack
>>>> 
>>>> If this is the case, we have nothing to worry about.
>>> 
>>> Well, we have to worry about a broken Linux implementation unless this "fix"
>>> is reversed.
>>> 
>>> (I can see a pragmatic argument for dropping non-final fragments that are
>>> really small, which might be diagnostic of an attack. But then you have to
>>> define "really small".)
>>> 
>>>   Brian
>>> 
>>>> 
>>>>                                                          Ron
>>>> 
>>>> 
>>>> From: Erik Kline <ek@loon.co>
>>>> Sent: Thursday, January 10, 2019 2:42 PM
>>>> To: Ron Bonica <rbonica@juniper.net>
>>>> Cc: Bob Hinden <bob.hinden@gmail.com>; Timothy Winters
>>> <twinters@iol.unh.edu>; IPv6 List <ipv6@ietf.org>
>>>> Subject: Re: Non-Last Small IPv6 Fragments
>>>> 
>>>> On Thu, 10 Jan 2019 at 11:32, Ron Bonica
>>> <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
>>>>> I read some of the reports on the link, but am still not clear what the
>>>>> underlying problem is.   Why does Linux have a problem with receving
>>>>> intermediate fragments less than 1280?
>>>>> 
>>>> 
>>>> Hi Bob,
>>>> 
>>>> Might we be defending against an attack in which a packet contains:
>>>> 
>>>> - An IPv6 header (40 bytes)
>>>> - A Fragment Header (8 bytes)
>>>> - A TCP header (20 bytes)
>>>> - TCP Payload (1200 bytes)
>>>> 
>>>> This packet doesn't need to be fragmented at all because the total length is
>>> only 1268 bytes. However, a mischievous source node divides the packet into
>>> 1200 fragments. The first fragment contains an IPv6 header, a fragment
>>> header, the TCP header, and one byte of the TCP payload. Each subsequent
>>> fragment contains the IPv6 header, a fragment header, and one byte of TCP
>>> payload.
>>>> 
>>>> Are reassembly algorithms clever enough to protect against such attacks? If
>>> so, I don't see the problem either. But if not, we may have a problem.
>>>> 
>>>> I'm recently familiar with an IPv6 fragment reassembly implementation, as it
>>> turns out.  The core implementation uses/makes liberal reference to:
>>>> 
>>>>    https://urldefense.proofpoint.com/v2/url?u=https-
>>> 3A__tools.ietf.org_html_rfc815&d=DwIFaQ&c=HAkYuh63rsuhr6Scbfh0UjBX
>>> eMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
>>> AWF2EfpHcAwrDThKP8&m=sK5K5wuiRYsxdqBoO01uXstXrB6pcOH7vIaVlqPk
>>> bw8&s=wRD2EDX32nGJdkVKcg_MlfkjpiweHbKU_7X3BJXHQks&e=<https://u
>>> rldefense.proofpoint.com/v2/url?u=https-
>>> 3A__tools.ietf.org_html_rfc815&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjB
>>> XeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
>>> AWF2EfpHcAwrDThKP8&m=-
>>> dVqPKvvhh60cA1adnmR9mFsqrX0ADki0K4BlrOQqGc&s=6m7aXa5azbXR0bS
>>> ACw5GJgOfJx06tbs_1LydP-h2aqs&e=>
>>>> 
>>>> It works generally in terms of managing a hole descriptor list.  It would
>>> successfully reassemble the sequence of packets you describe.  Whether that's
>>> an "attack" or not, I don't really see it.  With local policy caps on the lifetime of
>>> unreassembled fragment bits and so on, it seems possible to limit and manage
>>> the total resources allocated to reassembly.
>>>> 
>>>> 
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests:
>>> https://urldefense.proofpoint.com/v2/url?u=https-
>>> 3A__www.ietf.org_mailman_listinfo_ipv6&d=DwIFaQ&c=HAkYuh63rsuhr6S
>>> cbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-
>>> AWF2EfpHcAwrDThKP8&m=sK5K5wuiRYsxdqBoO01uXstXrB6pcOH7vIaVlqPk
>>> bw8&s=aU3laJhpXnj8ataCCjgCdmeHhXP6jyerRBW6vUlk-SI&e=
>>>> --------------------------------------------------------------------
>>>> 
>> 
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email