IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Tom Herbert <tom@herbertland.com> Fri, 11 January 2019 22:47 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1333D128CE4 for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 14:47:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.042
X-Spam-Level:
X-Spam-Status: No, score=-2.042 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id keIaAM1Ilqft for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 14:47:56 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4712D128B14 for <ipv6@ietf.org>; Fri, 11 Jan 2019 14:47:56 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id t33so20638483qtt.4 for <ipv6@ietf.org>; Fri, 11 Jan 2019 14:47:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KnBI8Y7aNZg5LPH+VDuWL2BAJDeLzZ9toPIEwyHdIB4=; b=Z7UJxkzVCk6t5+LoDqTayUA8Y1gtaMu9ZI7Rf+AHmRdZSuJLkhUo92Xr7PdTIqi8DI M1koqqKKQvGvInt2ndf01RkwOhxGeOiJKueB9Aqm6IaU75KHnSKJQfdmspp6lcF02Ji4 HWZsBXfxWUA6kTlxN2ridJC6oD4yXQzoZWwGn9i0Bogr9BGdHvDCUJxulUuxwfBX9Tqp 0d2VfZQ4/tTIwI6uLUh4oktV4yYEVGVppWImbd21OAz1Jv6ktsxRXTeTa68WFs5OtGGU rgnaMG4xqav+Acnk11HSnc9wk+rsMzw2rLAd+QfaxI0Bd+1j6JgXdOs/gws4rMWCLK1/ 7l0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KnBI8Y7aNZg5LPH+VDuWL2BAJDeLzZ9toPIEwyHdIB4=; b=JK+vgmz49mgHHwoTyD3vped5MLKQrrJ9qRTEPVTdqcBxTRShz++q34QrxjrZKSnmBD foSmeT7glWoEUHklwLjmvvuRof6AtPOlGZt2L1BZF0oc+G3lC0NweC7VGpvhDweMSwDR BCNUYiEI0hSGDmKk6YnAXZvQlFsHkr6qh9XoXFhTPHaS9xkJg3qpveA3gGDZIfbH12CC j2gy8CkREsN6lPE4p+A/06+5aBUdwUFoWFKBn6z2AgM1OMwNSccGWUxhQNhjoyei/KKv cnTL5W/aDj0bQCcnKnsj5+Xcz+98qCYj2Yqg3QPgKgY3Gs+4ZPkeY/1vXdzBguw43xi0 g5Dw==
X-Gm-Message-State: AJcUukeLumAXZCqlTsACrNBpKi88q+n4P4VnnsnYw/cQEJ6ey+uMlI5/ ZZR9XOXCrcX3V0Q6VYP1FHprlCmGpvV5eCIWWlYZt2B/Bik=
X-Google-Smtp-Source: ALg8bN5iso8zGcEb7P0RBEDzRAl28ewl4hupebZ+bZ2brsuP+G4dBx8OAV02/18NWzmB4fqr68kMqgX23jm7UXc52wE=
X-Received: by 2002:aed:3a69:: with SMTP id n96mr15718065qte.246.1547246875161; Fri, 11 Jan 2019 14:47:55 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com> <0e792b48-4360-6977-9ae8-9cdfdc78c7b8@gmail.com> <16A642DC-D3A4-452C-B7D1-20CA0EEEDDA2@lists.zabbadoz.net> <CAOSSMjWS9po2XuBHJ5hbN9hfNDKZ1diecH08Kt697-15jRtAvg@mail.gmail.com> <0e0c3141-889e-ff60-2787-2889b3a9af6b@si6networks.com> <748DA428-5AB2-4487-A4FB-F2DABF5BF8BE@thehobsons.co.uk> <8b43af81-1c49-5cea-6472-97703674e661@si6networks.com> <CAN-Dau1HwG5RndacpSA+si+zKuTdpSvA=QA1A11A==rMNe=4+w@mail.gmail.com> <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com> <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com>
In-Reply-To: <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 11 Jan 2019 14:47:44 -0800
Message-ID: <CALx6S34AyV9OpvnjQhQc56n5vfeVgU5Zd3kheP0g+XvsMbBV9g@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: David Farmer <farmer@umn.edu>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 List <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/nrLwVHaJ5E1mf_nMlgvLYB3kya0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2019 22:47:58 -0000

On Fri, Jan 11, 2019 at 2:33 PM David Farmer <farmer@umn.edu> wrote:
>
>
> On Fri, Jan 11, 2019 at 3:27 PM Tom Herbert <tom@herbertland.com> wrote:
>>
>> On Fri, Jan 11, 2019 at 1:13 PM David Farmer <farmer@umn.edu> wrote:
>> >
>> > On Fri, Jan 11, 2019 at 1:58 PM Fernando Gont <fgont@si6networks.com> wrote:
>> >>
>> >> On 11/1/19 15:38, Simon Hobson wrote:
>> >> > Fernando Gont <fgont@si6networks.com> wrote:
>> >> >
>> >> >> ... enforce limits ...
>> >> >
>> >> > The guidance also needs to suggest sensible limits - otherwise what one implementer (eg the Linux stack that discards any small fragment that isn't the last)
>> >>
>> >> IMO, this is bad behavior advice. As an attacker, I'd fire 1280-sized
>> >> frags, and your check hasn't achieved anything.
>> >>
>> >>
>> >> >may not interoperate with another (eg make the last two fragments approximately equal in size). In a significant part, that seems to
>> >> > have been what this thread has been about - what is reasonable
>> >> guidance for this.
>> >>
>> >> In general, what you do is AIMD (additive increase, multiplicative
>> >> decrease). The numbers limits are a few thousand packets. Which allow
>> >> fragments to work for some cases - few connections, rather low
>> >> throughput, but will not allow system breakage when the attacker wants
>> >> to play.
>> >>
>> >> Dropping small frags as in Linux is bad, because you hurt
>> >> interoperability without any significant/real gain.
>> >>
>> >> OTOH, limiting the number of frags is good, because limits kick in at a
>> >> point in which "you need to do something, because otherwise - DoS".
>> >>
>> >> Obviously, you cannot expect big pipes with fragmentation to work. Given
>> >> high bandwith, multiply 60s * throughput, and you'll need a lot of
>> >> memory to hold the frags.
>> >>
>> >> Adapting the Frag reassembly time out can also help -- there's not much
>> >> of a point to keep a frag in memory for 60s, particularly when under
>> >> heavly load. -- well before that TCP timers will fire, or the frag si
>> >> not useful anymore, anyway.
>> >
>> >
>> > I just had a thought for the guidance;
>> >
>> > 1. System-wide limit the number of fragments based on the overall system resources available.
>> > 2. As you near said limit, maybe 75% of the limit, drop outright, or at a high probability, non-final fragments smaller than (1280/2) 640 bytes.
>> >
>> > The reasonable fragmentation algorithms I can think of do not generate non-final fragments that are less than 640 bytes. Nevertheless, such fragments SHOULD NOT be dropped except for when the system is under stress.
>> >
>> > What do others think?
>>
>> I don't see any practical purpose of sending tiny fragments with eight
>> byte payloads in non-first fragments, these can only happens under DOS
>> attack or synthetic testing. So I do believe it's prudent to have some
>> guidance on setting limits for minimal sizes of non-first fragments.
>> The limit should probably be configurable with some recommended
>> default value. I believe the 1280 limit in Linux is too high, but
>> there are some compelling arguments for 640.
>
>
> Why non-first fragments? Did you mean non-final? Maybe both first and last should be exempted?
>
Yes.

> I mostly agree with you, but on the other hand is there any compelling reason to potentially break anything if the host isn't under stress?

That depends on what resource is "under stress" in the host.
Reassembly is an expensive packet processing operation that requires
one lookup to find the state for the ID being reassembled, and then a
second lookup to find the position of the fragment in the queue.
Because fragmentation is considered to be rare, there hasn't been a
lot of work to optimize these operations or rely on hardware offload
(there is UDP fragmentation offload, but that is not ubiquitous). I
would be concerned that a well crafted attack with small packets could
be bad for low powered devices. A limit on the fragment size not only
caps the amount of memory burned, but also caps the packet rate and
hence CPU needed for reassmbly.

Tom

>
> Further, if you only limit tiny fragment, there is still a problem, you just have to use packets bigger that the limit, what ever it is.  A few tiny fragments aren't a problem, only lots of them are.
>
> --
> ===============================================
> David Farmer               Email:farmer@umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================

v2.23.0 | Report a Bug | By Email