Re: Non-Last Small IPv6 Fragments
David Farmer <farmer@umn.edu> Fri, 11 January 2019 22:33 UTC
Return-Path: <farmer@umn.edu>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51878128CE4 for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 14:33:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umn.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6czbRwxGXayk for <ipv6@ietfa.amsl.com>; Fri, 11 Jan 2019 14:33:19 -0800 (PST)
Received: from mta-p8.oit.umn.edu (mta-p8.oit.umn.edu [134.84.196.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC4FE1200B3 for <ipv6@ietf.org>; Fri, 11 Jan 2019 14:33:19 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mta-p8.oit.umn.edu (Postfix) with ESMTP id 61133D25 for <ipv6@ietf.org>; Fri, 11 Jan 2019 22:33:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p8.oit.umn.edu ([127.0.0.1]) by localhost (mta-p8.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNVS8t0kJzn2 for <ipv6@ietf.org>; Fri, 11 Jan 2019 16:33:18 -0600 (CST)
Received: from mail-vk1-f200.google.com (mail-vk1-f200.google.com [209.85.221.200]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mta-p8.oit.umn.edu (Postfix) with ESMTPS id 0C37AD64 for <ipv6@ietf.org>; Fri, 11 Jan 2019 16:33:17 -0600 (CST)
Received: by mail-vk1-f200.google.com with SMTP id l202so3443762vke.1 for <ipv6@ietf.org>; Fri, 11 Jan 2019 14:33:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EEikDGATqvbvq2cyhychY7GqS4pB+deIR3PoQGoY8AI=; b=SpHKWRIqf/U3BGDL29uLtCWMK2o6/5l6q9MSJhdYTllCD+/8nEO99Q00AOMARUbQma 1aqUAbn5BumKq80f12uww8JbCCoRDA5/pgyDiHhQnpHDXbfuej5nytSsKxTDMZ/7hB9o XRcSoXieEhqS2jYnNehXKTeU0HIL/2QZToxABnGsnLY6SMpq6pl29KxIhbkdxd/LVEWq SGCjb3pwmoTeVcl2qeqARdO+XPeDHhxeV4uXixB/kKb7SVQrjlN/g7LAva79wrju8OfY SGAnKeroBdm9m6R+maGhqL2+MD58ZDmzqD9VtK4xWIPV3OlDpTWj4vJvqFahFC841kVT H+3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EEikDGATqvbvq2cyhychY7GqS4pB+deIR3PoQGoY8AI=; b=JYztFtkUNRkR/sfdEoQyKslGaDQwTA17G+tzOMBPBebD8mZtFHMhTQUioObrghceV+ Zuq7TJLH+ynwG3pqvAQdFH5TpDbvpZVjctrXb5MogTSAhzLg0RBFo0SsedWXD1B7lvkB W/SXHXcq7JIYv1tIyRn/RqCnIozCoaVSRMfC5TLlhzRYLsnU9GDpLiKoxGJTCTyhNLkT Kf0YcqaTJe2GiviizUN2OpaZtPu1R8QiBlnJ4ZgFyJF9aEYbENx3IVsejKE7d/neIkJ2 NjxleumHESXYSr0WfL6zagBn/dCGzSAxKuKNQCIu0bE34sxruoSCw9Y0fjKB3Ugg2Naz 7fqA==
X-Gm-Message-State: AJcUukcTec46MQ1UOOmotcHzEBDq9tjY2EV3xrgZzmTrYNXDuH6wt8v9 HwNVHW4BqJp7Y9nI8iMT/OT7y0M0a8Yr8djPLmEFZ9E3Ttu5U8RPgSO+OQfZKkxw5V0KBYBSNMq LtNCiy8jBlVJpky4RztIpjs2+
X-Received: by 2002:a67:4d4f:: with SMTP id a76mr6138554vsb.167.1547245997013; Fri, 11 Jan 2019 14:33:17 -0800 (PST)
X-Google-Smtp-Source: ALg8bN708rdyvbAaGF7BUeuEIQ/unyibLuDEIVFZX8EzJDODwbDfJwYU6DJsFi1F5Cveg3NGSnlfpeLJorhcKBmqnpg=
X-Received: by 2002:a67:4d4f:: with SMTP id a76mr6138543vsb.167.1547245996569; Fri, 11 Jan 2019 14:33:16 -0800 (PST)
MIME-Version: 1.0
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com> <BYAPR05MB4245B9305E6EC57EDD45509FAE840@BYAPR05MB4245.namprd05.prod.outlook.com> <7453645f-ff91-e866-b087-e7d4f1450ab6@gmail.com> <0e792b48-4360-6977-9ae8-9cdfdc78c7b8@gmail.com> <16A642DC-D3A4-452C-B7D1-20CA0EEEDDA2@lists.zabbadoz.net> <CAOSSMjWS9po2XuBHJ5hbN9hfNDKZ1diecH08Kt697-15jRtAvg@mail.gmail.com> <0e0c3141-889e-ff60-2787-2889b3a9af6b@si6networks.com> <748DA428-5AB2-4487-A4FB-F2DABF5BF8BE@thehobsons.co.uk> <8b43af81-1c49-5cea-6472-97703674e661@si6networks.com> <CAN-Dau1HwG5RndacpSA+si+zKuTdpSvA=QA1A11A==rMNe=4+w@mail.gmail.com> <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com>
In-Reply-To: <CALx6S35KNhV2gFp9OdU+M1zy5WUuEAEvXkDXNDWWxi7uQ4e_cw@mail.gmail.com>
From: David Farmer <farmer@umn.edu>
Date: Fri, 11 Jan 2019 16:33:00 -0600
Message-ID: <CAN-Dau0rTdiiF2SjByxcMG6nhPCEjUH2pYBCOeK_FSGJ_ucDQw@mail.gmail.com>
Subject: Re: Non-Last Small IPv6 Fragments
To: Tom Herbert <tom@herbertland.com>
Cc: Fernando Gont <fgont@si6networks.com>, IPv6 List <ipv6@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000019064057f364841"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/pHwkTV2KZ9FHA7DZOdKlDXwrw-M>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2019 22:33:22 -0000
On Fri, Jan 11, 2019 at 3:27 PM Tom Herbert <tom@herbertland.com> wrote: > On Fri, Jan 11, 2019 at 1:13 PM David Farmer <farmer@umn.edu> wrote: > > > > On Fri, Jan 11, 2019 at 1:58 PM Fernando Gont <fgont@si6networks.com> > wrote: > >> > >> On 11/1/19 15:38, Simon Hobson wrote: > >> > Fernando Gont <fgont@si6networks.com> wrote: > >> > > >> >> ... enforce limits ... > >> > > >> > The guidance also needs to suggest sensible limits - otherwise what > one implementer (eg the Linux stack that discards any small fragment that > isn't the last) > >> > >> IMO, this is bad behavior advice. As an attacker, I'd fire 1280-sized > >> frags, and your check hasn't achieved anything. > >> > >> > >> >may not interoperate with another (eg make the last two fragments > approximately equal in size). In a significant part, that seems to > >> > have been what this thread has been about - what is reasonable > >> guidance for this. > >> > >> In general, what you do is AIMD (additive increase, multiplicative > >> decrease). The numbers limits are a few thousand packets. Which allow > >> fragments to work for some cases - few connections, rather low > >> throughput, but will not allow system breakage when the attacker wants > >> to play. > >> > >> Dropping small frags as in Linux is bad, because you hurt > >> interoperability without any significant/real gain. > >> > >> OTOH, limiting the number of frags is good, because limits kick in at a > >> point in which "you need to do something, because otherwise - DoS". > >> > >> Obviously, you cannot expect big pipes with fragmentation to work. Given > >> high bandwith, multiply 60s * throughput, and you'll need a lot of > >> memory to hold the frags. > >> > >> Adapting the Frag reassembly time out can also help -- there's not much > >> of a point to keep a frag in memory for 60s, particularly when under > >> heavly load. -- well before that TCP timers will fire, or the frag si > >> not useful anymore, anyway. > > > > > > I just had a thought for the guidance; > > > > 1. System-wide limit the number of fragments based on the overall system > resources available. > > 2. As you near said limit, maybe 75% of the limit, drop outright, or at > a high probability, non-final fragments smaller than (1280/2) 640 bytes. > > > > The reasonable fragmentation algorithms I can think of do not generate > non-final fragments that are less than 640 bytes. Nevertheless, such > fragments SHOULD NOT be dropped except for when the system is under stress. > > > > What do others think? > > I don't see any practical purpose of sending tiny fragments with eight > byte payloads in non-first fragments, these can only happens under DOS > attack or synthetic testing. So I do believe it's prudent to have some > guidance on setting limits for minimal sizes of non-first fragments. > The limit should probably be configurable with some recommended > default value. I believe the 1280 limit in Linux is too high, but > there are some compelling arguments for 640. > Why non-first fragments? Did you mean non-final? Maybe both first and last should be exempted? I mostly agree with you, but on the other hand is there any compelling reason to potentially break anything if the host isn't under stress? Further, if you only limit tiny fragment, there is still a problem, you just have to use packets bigger that the limit, what ever it is. A few tiny fragments aren't a problem, only lots of them are. -- =============================================== David Farmer Email:farmer@umn.edu Networking & Telecommunication Services Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 612-626-0815 Minneapolis, MN 55414-3029 Cell: 612-812-9952 ===============================================
- Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Erik Kline
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Carsten Bormann
- Re: Non-Last Small IPv6 Fragments 神明達哉
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Timothy Winters
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- RE: Non-Last Small IPv6 Fragments Ron Bonica
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments David Farmer
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Christian Huitema
- Re: Non-Last Small IPv6 Fragments Ole Troan
- RE: Non-Last Small IPv6 Fragments Lubashev, Igor
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bob Hinden
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- RE: Non-Last Small IPv6 Fragments Manfredi (US), Albert E
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Mark Smith
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Bjoern A. Zeeb
- Re: Non-Last Small IPv6 Fragments Simon Hobson
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Mark Andrews
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: Non-Last Small IPv6 Fragments Erik Kline
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Tom Herbert
- End-to-end (was Re: Non-Last Small IPv6 Fragments) Christian Huitema
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Nick Hilliard
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Mikael Abrahamsson
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Warren Kumari
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: Non-Last Small IPv6 Fragments Ole Troan
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fernando Gont
- Re: Non-Last Small IPv6 Fragments Fred Baker
- Re: Non-Last Small IPv6 Fragments Tim Chown
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Tom Herbert
- Re: End-to-end (was Re: Non-Last Small IPv6 Fragm… Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Brian E Carpenter
- Re: Non-Last Small IPv6 Fragments Michael Richardson
- Never fragment: getting PMTU info transmitted rel… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Joel M. Halpern
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Michael Richardson
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Erik Kline
- Re: Never fragment: getting PMTU info transmitted… Mark Smith
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- Re: Never fragment: getting PMTU info transmitted… Brian E Carpenter
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… Tom Herbert
- RE: Never fragment: getting PMTU info transmitted… Lubashev, Igor
- Re: Never fragment: getting PMTU info transmitted… C. M. Heard
- Re: Never fragment: getting PMTU info transmitted… Christian Huitema