Re: Predictable IP protocol values

Fernando Gont <> Sat, 28 April 2012 20:50 UTC

Date: Sat, 28 Apr 2012 17:49:46 -0300
From: Fernando Gont <>
Organization: SI6 Networks
To: "Joel M. Halpern" <>
Subject: Re: Predictable IP protocol values
Cc: Fernando Gont <>, " Mailing List" <>, Bob Hinden <>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>

On 04/28/2012 05:28 PM, Joel M. Halpern wrote:
> It seems to me that the proposed document is a partial fix to a marginal
> problem.
> Yes, I take it as given that if I followed the references I would find
> descriptions of the attacks.  I do see how one could force fragmented
> packets if one knew that A was talking to B at the current moment.

Just send an ICMPv6 PTB claiming an MTU smaller than 1280 bytes, and
you're done.

Now think about your favourite application running on two known systems.
It just takes you one ICMPv6 PTB to trigger fragmentation, one ping6 to
sample the Frag ID, and further (rather low-rate) fragments that will
cause collisions, leading to DoS -- and it is very easy to maintain
that DoS state.

Dumb/idle scans have also been well-known since the IPv4 era, and
trivial to exploit (for instance, nmap implements this vector).

We produced tools to test these things, and have been trying to help
vendors. Most vendors cared
(, as
they did at the time for the IPv4 case.

So IMO it would be weird for us to not be willing to do our part
(maintain our specs), when others have done theirs (fix their

Just my two cents.

Best regards,
Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
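The argument in this message rests on two things an operator can observe on its own hosts: an ICMPv6 Packet Too Big advertising an MTU below 1280, and Fragment IDs that advance by a fixed step between samples. The following Python is an added example, not code from the thread or from SI6 Networks' tools; the event tuples, the sample ID sequences and the max_step threshold are constructed assumptions.

```python
# Added example (not from the thread or from SI6 Networks' tools): two
# defender-side checks for the conditions described in the message.
# All sample data below is constructed.

IPV6_MIN_MTU = 1280   # RFC 2460 / RFC 8200: every IPv6 link MTU is >= 1280
ID_SPACE = 2 ** 32    # the IPv6 Fragment Identification field is 32 bits


def suspicious_ptb(events):
    """Return (src, mtu) for ICMPv6 Packet Too Big events whose reported
    MTU is below 1280. No IPv6 link may have such an MTU, so the value
    cannot be genuine; per RFC 2460 its only effect on the receiving
    host is to make it add a Fragment Header to subsequent packets."""
    return [(src, mtu) for src, mtu in events if mtu < IPV6_MIN_MTU]


def fragid_deltas(ids):
    """Successive differences of sampled Fragment IDs, modulo 2^32,
    so that a counter wrapping around still yields a small step."""
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def classify_fragid(ids, max_step=256):
    """Classify Fragment IDs sampled from one host (e.g. by pinging it).
    'predictable' when every step is a small positive increment, which
    is what a global counter looks like; 'unpredictable' otherwise.
    max_step is an assumed threshold, not a value from the thread."""
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if all(1 <= d <= max_step for d in fragid_deltas(ids)):
        return "predictable"
    return "unpredictable"


# Constructed sample data: one PTB below the IPv6 minimum, one host with a
# counter-based ID and one with randomized IDs.
PTB_EVENTS = [("2001:db8::1", 1400), ("2001:db8::2", 1000),
              ("2001:db8::3", 1280)]
COUNTER_IDS = [0x0000F000, 0x0000F001, 0x0000F002, 0x0000F003]
RANDOM_IDS = [0x9F3A1C77, 0x1B08E2D4, 0xE47709AA, 0x5C21B0F1]

if __name__ == "__main__":
    print("PTB below 1280:", suspicious_ptb(PTB_EVENTS))
    print("counter host:", classify_fragid(COUNTER_IDS))
    print("random host:", classify_fragid(RANDOM_IDS))
```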