IETF Logo Mail Archive

Re: Non-Last Small IPv6 Fragments

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 10 January 2019 20:01 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53194131008 for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 12:01:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42KWGpYhmUmI for <ipv6@ietfa.amsl.com>; Thu, 10 Jan 2019 12:01:29 -0800 (PST)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 208F4131007 for <ipv6@ietf.org>; Thu, 10 Jan 2019 12:01:25 -0800 (PST)
Received: by mail-pf1-x42a.google.com with SMTP id q1so5800035pfi.5 for <ipv6@ietf.org>; Thu, 10 Jan 2019 12:01:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=WEc3C+mmUWKEbNVepnylY7JOyBZJYP/kv9azq1+rmYY=; b=VaIrMSbhSp/CSd/WsFyBBU2jV88zzFRETAPN0jNlDiz3aThtaCt6YUvDNkkLLHzwK5 gGWuDBF2+pDYPDORZT1UkAotE4dx03WFi86xmL7ANCSZ5KbG1F/5iL/dkHC4hbZGJlOK /E7iJn8IaldCrjJ7nPusGuMzFb5rxmzCgd6iFD4G3QU/N0XdMvuELfmuiCPWU76Kkr/g QIGqvNstA4Tdo1nsDl60ehp1Ng2etiSVLRlu+qnrtsp+llrwLd5pvP17lcA//Uq1e/ZF 0bjjJ+dCjpa1NZFgeqNhw+6IrKvZcb0JQSRUjY2mPRdO/I1rEuhaJ07+U39ck633Mw4j vgWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=WEc3C+mmUWKEbNVepnylY7JOyBZJYP/kv9azq1+rmYY=; b=ug0tyZUM50MkKvBpFNHBKNJtb3CfD2xcoWZ+a3WaYswvpH19nWZCj2I10uQi96H406 BHwyYV0436NMLxnySiWnRJ250T6iL9jm54rat28Ti3oLkG3OZTVWC8uAmL7Y+Fy+IZbw oGvQVb3kA4KQP023E6qYRFPNL3lQjSzyI2yS+r+9U/COFw6gnGT35yV9k8gdgg16eGPw mIOFeamRxn4MTBTKm+TNvIIRodm7J3gvdFIy/fnQ7hbbTly9W25LcWlYVdTz3YRCYaaY xc2sSJiWVD4+XEimUINhj4USerlwEONANSrA1Kv55ZkSoVzh0qnC3r19bl9aHLWfQmuf Yuwg==
X-Gm-Message-State: AJcUukcn9Zrutj8awCl2/eCVcXvH+5g4lrTmmggqF0cW5UImF026OqKX TMOOtUsQT0FrQi2O44HgfFI=
X-Google-Smtp-Source: ALg8bN7dSBlJYmlPz/M2KF3s6Zu96wxT/GDPPO9D634LkhejDUhqcmRoDsnGwiHeFvKsTZnYvy9N6Q==
X-Received: by 2002:a63:2744:: with SMTP id n65mr10557797pgn.65.1547150484387; Thu, 10 Jan 2019 12:01:24 -0800 (PST)
Received: from [192.168.178.30] ([118.148.76.40]) by smtp.gmail.com with ESMTPSA id d129sm114685190pfc.31.2019.01.10.12.01.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 10 Jan 2019 12:01:23 -0800 (PST)
Subject: Re: Non-Last Small IPv6 Fragments
To: Ron Bonica <rbonica@juniper.net>, "ek@loon.co" <ek@loon.co>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
References: <CAOSSMjV0Vazum5OKztWhAhJrjLjXc5w5YGxdzHgbzi7YVSk7rg@mail.gmail.com> <2AB3F16C-FC0E-4EF7-B1ED-1A97F2CEC69B@gmail.com> <BYAPR05MB42458F851962F26AE1E15CC4AE840@BYAPR05MB4245.namprd05.prod.outlook.com> <CAAedzxofmhokstWuq7mRWnd5PTz5WQaiDNnE8O_VHXF_PbK6nw@mail.gmail.com> <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <66bf652a-2bc0-6814-6ded-a63eece7fbe2@gmail.com>
Date: Fri, 11 Jan 2019 09:01:18 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <BYAPR05MB4245388FB800873A5A8ED12AAE840@BYAPR05MB4245.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/xV_uAVIpPcm5sWAh-rCoRB2H9SQ>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 20:01:32 -0000

On 2019-01-11 08:52, Ron Bonica wrote:
> Erik,
> 
> Thanks for the response.
> 
> So, I understand that if I were to launch a stream of such packets at a target:
> 
> 
>   *   The target might drop many of the attack packets (but that’s ok)
>   *   The target would still process non-fragmented packets at a reasonable speed
>   *   The target would still be able to reassemble fragments that are from other sources and not part of the attack
> 
> If this is the case, we have nothing to worry about.

Well, we have to worry about a broken Linux implementation unless this "fix" is reversed.

(I can see a pragmatic argument for dropping non-final fragments that are really small, which might be diagnostic of an attack. But then you have to define "really small".)

   Brian

> 
>                                                           Ron
> 
> 
> From: Erik Kline <ek@loon.co>
> Sent: Thursday, January 10, 2019 2:42 PM
> To: Ron Bonica <rbonica@juniper.net>
> Cc: Bob Hinden <bob.hinden@gmail.com>; Timothy Winters <twinters@iol.unh.edu>; IPv6 List <ipv6@ietf.org>
> Subject: Re: Non-Last Small IPv6 Fragments
> 
> On Thu, 10 Jan 2019 at 11:32, Ron Bonica <rbonica@juniper.net<mailto:rbonica@juniper.net>> wrote:
>> I read some of the reports on the link, but am still not clear what the
>> underlying problem is.   Why does Linux have a problem with receving
>> intermediate fragments less than 1280?
>>
> 
> Hi Bob,
> 
> Might we be defending against an attack in which a packet contains:
> 
> - An IPv6 header (40 bytes)
> - A Fragment Header (8 bytes)
> - A TCP header (20 bytes)
> - TCP Payload (1200 bytes)
> 
> This packet doesn't need to be fragmented at all because the total length is only 1268 bytes. However, a mischievous source node divides the packet into 1200 fragments. The first fragment contains an IPv6 header, a fragment header, the TCP header, and one byte of the TCP payload. Each subsequent fragment contains the IPv6 header, a fragment header, and one byte of TCP payload.
> 
> Are reassembly algorithms clever enough to protect against such attacks? If so, I don't see the problem either. But if not, we may have a problem.
> 
> I'm recently familiar with an IPv6 fragment reassembly implementation, as it turns out.  The core implementation uses/makes liberal reference to:
> 
>     https://tools.ietf.org/html/rfc815<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc815&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=Fch9FQ82sir-BoLx84hKuKwl-AWF2EfpHcAwrDThKP8&m=-dVqPKvvhh60cA1adnmR9mFsqrX0ADki0K4BlrOQqGc&s=6m7aXa5azbXR0bSACw5GJgOfJx06tbs_1LydP-h2aqs&e=>
> 
> It works generally in terms of managing a hole descriptor list.  It would successfully reassemble the sequence of packets you describe.  Whether that's an "attack" or not, I don't really see it.  With local policy caps on the lifetime of unreassembled fragment bits and so on, it seems possible to limit and manage the total resources allocated to reassembly.
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>

v2.23.0 | Report a Bug | By Email