Re: Non-Last Small IPv6 Fragments
Tom Herbert <tom@herbertland.com> Thu, 10 January 2019 19:18 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197F1130F88 for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 11:18:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.041
X-Spam-Level:
X-Spam-Status: No, score=-2.041 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ox1W7Fu8jZPf for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 11:17:58 -0800 (PST)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F937130F81 for <ipv6@ietf.org>; Thu, 10 Jan 2019 11:17:58 -0800 (PST)
Received: by mail-qt1-x841.google.com with SMTP id l11so14845878qtp.0 for <ipv6@ietf.org>; Thu, 10 Jan 2019 11:17:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=UEZt5RqGxfmAutOcJuv+OdgKQS4lyLxHd0Bw9cGSQu4=; b=Sq9wjQXtB0uS2m73H+ABL6V9w+/U/lj/K2p8/ZLZ8FlrJJO3lucxhjpRNQNt//SvT0 CY+tU9WMs58zCGB8t/4MEtj3Cc2tyMjgvJ6b+091jmYAHE+WnTKViP3YUtUUnNH6fsIc LIYUoFMICf+SPf4oradcallRF9FU6x1guU73hrZGvqWMjDvdGkISVIqc+Ixr541/WFk5 2GbIewsWZcZulhtLJv7EniIi+3DcyNKk5CvLl55D4QqFHbubn+x4YcBwLoVKnv9yLW4F 98jQ7qVq+TCgvrlqjDP1BU13/988Yh0FgyghYv0JfHvs+vRKfFzvvzcsUdi1wQtdbz/W RS8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=UEZt5RqGxfmAutOcJuv+OdgKQS4lyLxHd0Bw9cGSQu4=; b=fn4t1+Nb89xOt7X+91h/5v7pVydmiOeIunR2NZi4GV/gUNnBfz8gNs1FtYa7MkBBaU LJz03xHElQlhs8jxxezYcLiiUWtss/UOz/cROYoXIAEVwwejBHKQm3SAwC9cGh9/t86u DxLh/STtvXOyXLn3bdIgDARhVWv4AfB9ZAfA2AjgMRJXq1w6Opu/7PXRJSLPH5Rh0oPf hGUnwn9P2DYgyn/dz7nywdCePjEn+KMhGYePfViElgx6gblAQtoJPzpZ543Q5nBbzuUT WHAlIFVzvmIKBu7W+LYiX0bOW9JMQ8NDGtDpbkJ7YI54CfyPcRO69WDWTF00hv6p/UV6 pZCA==
X-Gm-Message-State: AJcUukcSoTrrUQLb2pBqOXLZCmszRPDCYK9ypziM0PWP5UZJwxA6f+LF 33Ms+DgwPdGgE5Nqg7kjl8wseKDpeNiqmDMOJB6Rcg==
X-Google-Smtp-Source: ALg8bN58faF8siNfDBhBO3wCGXGrwk7kwnpF0ua2WBLjP/NZRGxS3OEyqEh4jlsCDkC7qJM7uW42cHoshKVkGzvgMpE=
X-Received: by 2002:ac8:274a:: with SMTP id h10mr10789161qth.189.1547147876969; Thu, 10 Jan 2019 11:17:56 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <CAJE_bqe2MqH4WGZHcNeWiaBvvpYB2TEvMoOUWE523TSq-Bd0=Q@mail.gmail.com>
In-Reply-To: <CAJE_bqe2MqH4WGZHcNeWiaBvvpYB2TEvMoOUWE523TSq-Bd0=Q@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 10 Jan 2019 11:17:46 -0800
Message-ID: <CALx6S359+9xjBKtxFtDXcsu_WiTQjL6aWQZ1kU__w3aZZnoHHg@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: 神明達哉 <jinmei@wide.ad.jp>
Cc: Timothy Winters <twinters@iol.unh.edu>, IPv6 IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/gPaPu9ARI2MQfSk41Q382PLDASQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 19:18:01 -0000
On Thu, Jan 10, 2019 at 10:55 AM 神明達哉 <jinmei@wide.ad.jp> wrote: > > At Thu, 10 Jan 2019 10:33:20 -0500, > Timothy Winters <twinters@iol.unh.edu> wrote: > > > The fix was to reject IPv6 fragments less than 1280 that aren't last > > fragment. Section 4.5 of RFC 8200 allows for sending any fragment for > > fragments as long they add up to the original packet. This means that an > > implementation that generates a non-last fragments with a size then 1280, > > will be dropped by the updated kernel. > > > > I'm willing to write a draft about the expected behavior, but before I do > > that I wanted to get the working group feedback on if we think an > > implementation should drop non-last fragments less then 1280. > > I don't see a reason why an implementation can drop such fragments. > As you pointed out, the standard protocol doesn't prohibit it. I > would even consider it "reasonable" (not just "allowed by the > standard") if an implementation divides a 1300-octet packet into two > 650-octet fragments (ignoring common header overhead for brevity) > instead of 1280 + 20, even if there's currently no implementation that > actually does that.. > > Looking at the description about CVE-2018-5391 in > https://lists.debian.org/debian-lts-announce/2018/08/msg00014.html > my guess is that "the attack" is to send many small fragments (perhaps > also in random order?) in an attempt of increasing the management > overhead to the level of denial of service. If I'm correct, I see > that such a possibility of attack allows an implementation to > introduce some implementation-specific limitation, but I think > dropping non-last fragments smaller than 1280 octets goes too far for > that purpose. > The patch for this in Linux was submitted Aug. 3, 2018 ("ipv6: defrag: drop non-last frags smaller than min mtu"). The commit log or discussiosn doesn't mention the security advisory and seems to indicate this is more of an optimization with the assumption that intermediate fragments must be at least 1280. It might just be a bug that is easily reverted. I can take it up on the netdev list. Tom > -- > JINMEI, Tatuya > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > --------------------------------------------------------------------
- Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Erik Kline
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Carsten Bormann
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Christian Huitema
- Re: Non-Last Small IPv6 Fragments Ole Troan
- RE: Non-Last Small IPv6 Fragments Lubashev, Igor
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Manfredi (US), Albert E
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Mark Smith
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- End-to-end (was Re: Non-Last Small IPv6 Fragments) Christian Huitema
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fred Baker
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Michael Richardson
- Never fragment: getting PMTU info transmitted rel… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Joel M. Halpern
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Erik Kline
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… C. M. Heard
- Re: Never fragment: getting PMTU info transmitted… Christian Huitema