IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Tom Herbert <tom@herbertland.com> Thu, 10 January 2019 19:18 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197F1130F88 for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 11:18:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ox1W7Fu8jZPf for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 11:17:58 -0800 (PST)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F937130F81 for <ipv6@ietf.org>; Thu, 10 Jan 2019 11:17:58 -0800 (PST)
Received: by mail-qt1-x841.google.com with SMTP id l11so14845878qtp.0 for <ipv6@ietf.org>; Thu, 10 Jan 2019 11:17:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=UEZt5RqGxfmAutOcJuv+OdgKQS4lyLxHd0Bw9cGSQu4=; b=Sq9wjQXtB0uS2m73H+ABL6V9w+/U/lj/K2p8/ZLZ8FlrJJO3lucxhjpRNQNt//SvT0 CY+tU9WMs58zCGB8t/4MEtj3Cc2tyMjgvJ6b+091jmYAHE+WnTKViP3YUtUUnNH6fsIc LIYUoFMICf+SPf4oradcallRF9FU6x1guU73hrZGvqWMjDvdGkISVIqc+Ixr541/WFk5 2GbIewsWZcZulhtLJv7EniIi+3DcyNKk5CvLl55D4QqFHbubn+x4YcBwLoVKnv9yLW4F 98jQ7qVq+TCgvrlqjDP1BU13/988Yh0FgyghYv0JfHvs+vRKfFzvvzcsUdi1wQtdbz/W RS8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=UEZt5RqGxfmAutOcJuv+OdgKQS4lyLxHd0Bw9cGSQu4=; b=fn4t1+Nb89xOt7X+91h/5v7pVydmiOeIunR2NZi4GV/gUNnBfz8gNs1FtYa7MkBBaU LJz03xHElQlhs8jxxezYcLiiUWtss/UOz/cROYoXIAEVwwejBHKQm3SAwC9cGh9/t86u DxLh/STtvXOyXLn3bdIgDARhVWv4AfB9ZAfA2AjgMRJXq1w6Opu/7PXRJSLPH5Rh0oPf hGUnwn9P2DYgyn/dz7nywdCePjEn+KMhGYePfViElgx6gblAQtoJPzpZ543Q5nBbzuUT WHAlIFVzvmIKBu7W+LYiX0bOW9JMQ8NDGtDpbkJ7YI54CfyPcRO69WDWTF00hv6p/UV6 pZCA==
X-Gm-Message-State: AJcUukcSoTrrUQLb2pBqOXLZCmszRPDCYK9ypziM0PWP5UZJwxA6f+LF 33Ms+DgwPdGgE5Nqg7kjl8wseKDpeNiqmDMOJB6Rcg==
X-Google-Smtp-Source: ALg8bN58faF8siNfDBhBO3wCGXGrwk7kwnpF0ua2WBLjP/NZRGxS3OEyqEh4jlsCDkC7qJM7uW42cHoshKVkGzvgMpE=
X-Received: by 2002:ac8:274a:: with SMTP id h10mr10789161qth.189.1547147876969; Thu, 10 Jan 2019 11:17:56 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <CAJE_bqe2MqH4WGZHcNeWiaBvvpYB2TEvMoOUWE523TSq-Bd0=Q@mail.gmail.com>
In-Reply-To: <CAJE_bqe2MqH4WGZHcNeWiaBvvpYB2TEvMoOUWE523TSq-Bd0=Q@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 10 Jan 2019 11:17:46 -0800
Message-ID: <CALx6S359+9xjBKtxFtDXcsu_WiTQjL6aWQZ1kU__w3aZZnoHHg@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: 神明達哉 <jinmei@wide.ad.jp>
Cc: Timothy Winters <twinters@iol.unh.edu>, IPv6 IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/gPaPu9ARI2MQfSk41Q382PLDASQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 19:18:01 -0000

On Thu, Jan 10, 2019 at 10:55 AM 神明達哉 <jinmei@wide.ad.jp> wrote:
>
> At Thu, 10 Jan 2019 10:33:20 -0500,
> Timothy Winters <twinters@iol.unh.edu> wrote:
>
> > The fix was to reject IPv6 fragments less than 1280 that aren't last
> > fragment.  Section 4.5 of RFC 8200 allows for sending any fragment for
> > fragments as long they add up to the original packet.  This means that an
> > implementation that generates a non-last fragments with a size then 1280,
> > will be dropped by the updated kernel.
> >
> > I'm willing to write a draft about the expected behavior, but before I do
> > that I wanted to get the working group feedback on if we think an
> > implementation should drop non-last fragments less then 1280.
>
> I don't see a reason why an implementation can drop such fragments.
> As you pointed out, the standard protocol doesn't prohibit it.  I
> would even consider it "reasonable" (not just "allowed by the
> standard") if an implementation divides a 1300-octet packet into two
> 650-octet fragments (ignoring common header overhead for brevity)
> instead of 1280 + 20, even if there's currently no implementation that
> actually does that..
>
> Looking at the description about CVE-2018-5391 in
> https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html
> my guess is that "the attack" is to send many small fragments (perhaps
> also in random order?) in an attempt of increasing the management
> overhead to the level of denial of service.  If I'm correct, I see
> that such a possibility of attack allows an implementation to
> introduce some implementation-specific limitation, but I think
> dropping non-last fragments smaller than 1280 octets goes too far for
> that purpose.
>
The patch for this in Linux was submitted Aug. 3, 2018 ("ipv6: defrag:
drop non-last frags smaller than min mtu"). The commit log or
discussiosn doesn't mention the security advisory and seems to
indicate this is more of an optimization with the assumption that
intermediate fragments must be at least 1280. It might just be a bug
that is easily reverted. I can take it up on the netdev list.

Tom

> --
> JINMEI, Tatuya
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email