Re: oversized-header-chains: Receipt of illegal first-fragments

RJ Atkinson <> Thu, 19 July 2012 18:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B1DB721F8690 for <>; Thu, 19 Jul 2012 11:33:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.2
X-Spam-Status: No, score=-3.2 tagged_above=-999 required=5 tests=[AWL=0.400, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BCwc9q1u3rnU for <>; Thu, 19 Jul 2012 11:33:05 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D5CA321F864E for <>; Thu, 19 Jul 2012 11:33:04 -0700 (PDT)
Received: by qcac10 with SMTP id c10so2061577qca.31 for <>; Thu, 19 Jul 2012 11:33:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; bh=e/PRjJqDN0To4PZjCCYHgoxqo3nbS7XDAdWd63T0WHo=; b=Ds8Rces80AK1Ud79NiUwJ5TwYDN5W87FTvzHf49OD3u+maquUJbPeu0/+OalX9D7EO XY6odbmfIwdNVwmeXrZvj7KP8MDjo2fm/JUK1NLTjZh9fn7z41Pi9tWXjP2dRQmrUpfQ f+mWz/0gaFfo1XbkKl+acFoVMLuS10e7iG6TYF9kHirqkayN6wAFnhl7Pzuto/1owJxk ibDrBnmaA5bynLsqTDOhSlc3S+POhkg8jlqf9wTXZDTtXpO1TtEwSXlpsXFpkxtMS1OR bUQN1l+9O+7ifkwWVOx1W38VAZAOE1Y29pOAgp9fftBEFGi+2Mz0wrXT6/5e6F4AUnCn 8QRw==
Received: by with SMTP id t15mr5501793qaz.15.1342722838386; Thu, 19 Jul 2012 11:33:58 -0700 (PDT)
Received: from [] ( []) by with ESMTPS id f14sm3535062qak.20.2012. (version=TLSv1/SSLv3 cipher=OTHER); Thu, 19 Jul 2012 11:33:57 -0700 (PDT)
From: RJ Atkinson <>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: oversized-header-chains: Receipt of illegal first-fragments
Date: Thu, 19 Jul 2012 14:33:55 -0400
Message-Id: <>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jul 2012 18:33:05 -0000


I concur with Fred Baker's analysis of "SHOULD" versus "MUST".

I think the requirement that a packet that violates the
proposed oversized-heacer-chain rule be dropped "silently" 
is too strong and lacks operational flexibility.

A device ought to be allowed, but not required, to send 
an ICMPv6 Parameter Problem message if/when it drops 
such a packet.

In some situations, it might be desirable for a device
to drop the packet AND also generate an ICMPv6 
"Parameter Problem" message for the packet originator.  



1) I'd prefer this draft say that such illegal packets MUST 
   be dropped, but then also say that the device dropping the 
   packet MAY send an ICMPv6 Parameter Problem control message 
   back to the (alleged) sending node.  A brief sentence 
   suggesting, but not requiring, that implementations make 
   the sending of the ICMPv6 message configurable also would be 


2) For the situation where an IPv6 packet is dropped for this
   specific reason, I'd suggest that the "Reason Code" registry 
   for an ICMPv6 "Type 4 - Parameter Problem" message be updated
   with a new focused reason code defined.  As a straw man, 
   I'd propose adding this new entry to that registry, 
   as part of this proposal:

     3      IPv6 Initial Fragment missing upper-layer protocol header

    Of course, this means an "IANA Considerations" section
    update for the I-D would be in order.


3) I'd also suggest a sentence or two clarifying that the
   ICMPv6 "Parameter Problem" with the new Reason Code
   is the appropriate message to send -- if the device dropping
   the packet with oversized-header-chain sends an ICMPv6
   message.  One would hope this would be obvious, but being
   very clear is good.


4) Security Considerations ought to note the importance of
   deploying Source Address Forgery Prevention filters, in
   order to reduce the threat of an adversary forging an
   illegal packet with contains a victim/target's IP address
   in the Source IPv6 Address field of the illegal packet.
   [RFC-2827, RFC-3704]