[tsvwg] Re: Controlling IP Fragmentation on Common Platforms

"C. M. Heard" <heard@pobox.com> Fri, 15 November 2024 19:06 UTC

In-Reply-To: <CAOYVs2ruNA1D8bEq-waHvKOYCaWREncbOrTyedTyw_Uo5mrrag@mail.gmail.com>
From: "C. M. Heard" <heard@pobox.com>
Date: Fri, 15 Nov 2024 10:59:18 -0800
Message-ID: <CACL_3VGQ54HZ-U16OpqnWU5qWheakjmy9OVqZcrbuRBY=zzbiA@mail.gmail.com>
To: Marten Seemann <martenseemann@gmail.com>
CC: tsvwg <tsvwg@ietf.org>
List-Id: Transport Area Working Group <tsvwg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/QHxcCYQk90GqXQMZMyj4uVlO3a0>

Hello Marten,

I read your draft with interest and see that it confirms the following
point about Linux that was raised during the discussion of
draft-ietf-dnsop-avoid-fragmentation:

E.g. on Linux the socket API does not expose the DF bit directly. An
application can request the DF bit to be turned on in outgoing packets, but
at the same time this implicitly enables receipt and processing of
unauthenticated ICMP messages. These messages can be used to manipulate
Path MTU records in the kernel and mount attacks misusing this technique.

See https://mailarchive.ietf.org/arch/msg/dnsop/elxvZIi8qNgF0eBcu-5AANNlKAo/
and other messages in the thread for further discussion.

It would seem that this behavior would preclude compliance with Sections
4.5 and 4.6 of RFC 8899, at least without modification to the kernel.

Mike Heard

On Fri, Nov 15, 2024 at 1:54 AM Marten Seemann <martenseemann@gmail.com>
wrote:

> Hello TSVWG!
>
> I just submitted a draft describing how to control IP fragmentation for
> UDP sockets on common platforms:
> https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
>
> Preventing IP fragmentation is a prerequisite for doing Datagram Path MTU
> Discovery (DPLPMTUD). On IPv4, this is achieved by setting the DF bit in
> the IP header. IPv6 can't be fragmented in transit; however, the sender's
> kernel might decide to split up packets that exceed the path's MTU.
>
> The fragmentation behavior is controlled by socket options. Unfortunately,
> these socket options vary between commonly used platforms, as does the
> behavior of dual-stack UDP sockets. This draft aims to provide guidance for
> implementers on how to control IP fragmentation on common platforms,
> similar to how Martin Duke's draft describes how to set and receive the ECN
> bits.
>
> The GitHub repository for the draft contains a cross-platform C program
> that demonstrates how to set the respective socket options:
> https://github.com/marten-seemann/draft-seemann-tsvwg-udp-fragmentation/tree/main/code.
> The program is most useful when used in combination with Wireshark or
> tcpdump to observe the effects on packets being sent.
>
> Best wishes,
> Marten (with no hats)
>
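The following is an added example, written for this archive page; it is not code from the thread or from the draft's GitHub repository. It shows the socket options Marten's mail refers to being set on a UDP socket and then read back with getsockopt(), which is the cheapest check that the kernel actually accepted the request (observing the DF bit on the wire still needs tcpdump or Wireshark, as the mail says). On Linux it also makes the distinction that Mike Heard's concern turns on explicit: IP_PMTUDISC_DO sets DF and couples the socket to the kernel's cached path MTU, which ICMP can influence, whereas IP_PMTUDISC_PROBE (documented in ip(7) as "set DF but ignore path MTU") sets DF without that clamp, so an application can run its own DPLPMTUD; whether the kernel still records ICMP-driven PMTU updates in its route cache under PROBE is not settled by this thread. The dual-stack handling (IPPROTO_IP options applied to an AF_INET6 socket for IPv4-mapped destinations) and the BSD/macOS branch using IP_DONTFRAG / IPV6_DONTFRAG are assumptions about those platforms, not statements from the draft.

```c
/* Added example: request "don't fragment" on a UDP socket and confirm the
 * kernel accepted it.  Not the draft's own program. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Which Linux mode to request (assumed mapping, see ip(7)). */
enum df_mode {
    DF_KERNEL_PMTUD = 0, /* IP_PMTUDISC_DO: DF set; kernel clamps sends to its
                            cached path MTU, which ICMP messages can update   */
    DF_ONLY = 1          /* IP_PMTUDISC_PROBE: DF set; kernel ignores the cached
                            path MTU for this socket, leaving PMTUD to the app */
};

/* Set an int-valued option and read it back.
 * 0 = accepted and read back as requested, -2 = setsockopt() failed,
 * -3 = getsockopt() returned something other than what was requested. */
static int set_and_check(int fd, int level, int opt, int want)
{
    int got = -1;
    socklen_t len = sizeof got;
    if (setsockopt(fd, level, opt, &want, sizeof want) != 0)
        return -2;
    if (getsockopt(fd, level, opt, &got, &len) != 0 || got != want)
        return -3;
    return 0;
}

/* Create a UDP socket of the given family and configure it so that the
 * kernel will not fragment (IPv4: DF bit; IPv6: no local fragmentation).
 * Returns 0 on success, -1 if socket() failed (e.g. IPv6 not configured),
 * otherwise the set_and_check() error code. */
int configure_udp_df(int family, enum df_mode mode)
{
    int rc = 0;
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
#if defined(__linux__)
    int pmtud = (mode == DF_ONLY) ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DO;
    if (family == AF_INET) {
        rc = set_and_check(fd, IPPROTO_IP, IP_MTU_DISCOVER, pmtud);
    } else {
        int pmtud6 = (mode == DF_ONLY) ? IPV6_PMTUDISC_PROBE : IPV6_PMTUDISC_DO;
        rc = set_and_check(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, pmtud6);
        /* With IPV6_DONTFRAG the kernel fails an oversize send instead of
         * splitting it into fragments at the source. */
        if (rc == 0)
            rc = set_and_check(fd, IPPROTO_IPV6, IPV6_DONTFRAG, 1);
        /* Dual-stack assumption: datagrams to IPv4-mapped destinations follow
         * the IPv4 option, which Linux accepts on an AF_INET6 socket. */
        if (rc == 0)
            rc = set_and_check(fd, IPPROTO_IP, IP_MTU_DISCOVER, pmtud);
    }
#else
    /* Assumed BSD-derived behaviour (macOS, FreeBSD): DF is exposed directly
     * and there is no kernel PMTUD mode to choose. Not exercised here. */
    (void)mode;
    if (family == AF_INET)
        rc = set_and_check(fd, IPPROTO_IP, IP_DONTFRAG, 1);
    else
        rc = set_and_check(fd, IPPROTO_IPV6, IPV6_DONTFRAG, 1);
#endif
    close(fd);
    return rc;
}

int main(void)
{
    /* 0 means the kernel accepted and reports the requested setting. */
    printf("IPv4, DF only (no kernel PMTUD clamp): %d\n",
           configure_udp_df(AF_INET, DF_ONLY));
    printf("IPv4, DF + kernel PMTUD:               %d\n",
           configure_udp_df(AF_INET, DF_KERNEL_PMTUD));
    printf("IPv6, DF only:                         %d\n",
           configure_udp_df(AF_INET6, DF_ONLY));
    return 0;
}
```

Run it on the platform under test and pair it with a capture of a send larger than the path MTU: a return of 0 only tells you the option was stored, the capture tells you whether DF is set (IPv4) or the send fails with EMSGSIZE rather than producing fragments (IPv6).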