Re: draft-bonica-6man-frag-deprecate

[Antonios Atlasis <antonios.atlasis@gmail.com>]

Hi,

there are certainly many security issues in IPv6 related with
fragmentation, but still not convinced if its use should be deprecated
completely. We should not remove any feature that may cause security
issues. We may need it some day. On the contrary, I believe that we should
try to fix it.

I believe that some of the draft RFCs proposed by Fernando Gont are in the
good direction (regarding the RA-Guard case, the generation of the fragment
id values, etc), as well as the newly accepted RFC regarding the handling
of atomic fragments.   Apart from the above, what remains to be fixed, in
my humble opinion, are the following:

a. Tiny fragments (smaller than 1280 bytes) should not be accepted (unless
they are atomic fragments or the last fragment of a datagram).
b. RFC 5722 should be updated so as only the overlapping fragments to be
dropped, not all the ones already received, or the ones that follow (as it
is the recommendation now). This is already implemented by FreeBSD and
seems to me the most proper way for handling overlapping fragments.

We should also never forget that the rest of IPvt6Extension headers can
result in datagrams much bigger than 1280 bytes, 1500 bytes, or even more.
So, if you want to deprecate fragmentation in IPv6, you should also
deprecate or at least change the extension headers usage in IPv6. Which
actually means, redesign IPv6.

Just my 0.02$


Antonios


2013/6/27 Brian E Carpenter <brian.e.carpenter@gmail.com>

> Cutting to the chase, and assuming that the next version
> will have more analysis and observational evidence, I'm thinking
> something like the following:
>
> 3.  Recommendation
>
>    This memo deprecates IPv6 fragmentation and the IPv6 fragment header.
>    Application and transport layer protocols SHOULD support effective
>    PMTU discovery [RFC4821], since ICMP-based PMTU discovery [RFC1981]
>    is unreliable. Any application or transport layer protocol that
>    cannot support effective PMTU discovery MUST NOT in any circumstances
>    send IPv6 packets that exceed the IPv6 minimum MTU of 1280 bytes.
>
>    IPv6 stacks and forwarding nodes SHOULD continue to support inbound
>    fragmented IPv6 packets as specified in [RFC2460]. However, this
>    requirement exceeds the capability of some types of forwarding node
>    such as firewalls and load balancers. Therefore implementers and
>    operators need to be aware that on many paths through the Internet,
>    IPv6 fragmentation will fail. Legacy applications and transport layer
>    protocols that do not conform to the previous paragraph can expect
>    connectivity failures as a result.
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>