< draft-ietf-intarea-frag-fragile-11.txt   draft-ietf-intarea-frag-fragile-12.txt >
Internet Area WG R. Bonica Internet Area WG R. Bonica
Internet-Draft Juniper Networks Internet-Draft Juniper Networks
Intended status: Best Current Practice F. Baker Intended status: Best Current Practice F. Baker
Expires: December 16, 2019 Unaffiliated Expires: December 21, 2019 Unaffiliated
G. Huston G. Huston
APNIC APNIC
R. Hinden R. Hinden
Check Point Software Check Point Software
O. Troan O. Troan
Cisco Cisco
F. Gont F. Gont
SI6 Networks SI6 Networks
June 14, 2019 June 19, 2019
IP Fragmentation Considered Fragile IP Fragmentation Considered Fragile
draft-ietf-intarea-frag-fragile-11 draft-ietf-intarea-frag-fragile-12
Abstract Abstract
This document describes IP fragmentation and explains how it This document describes IP fragmentation and explains how it
introduces fragility to Internet communication. introduces fragility to Internet communication.
This document also proposes alternatives to IP fragmentation and This document also proposes alternatives to IP fragmentation and
provides recommendations for developers and network operators. provides recommendations for developers and network operators.
Status of This Memo Status of This Memo
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 16, 2019. This Internet-Draft will expire on December 21, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 22 skipping to change at page 3, line 22
1. Introduction 1. Introduction
Operational experience [Kent] [Huston] [RFC7872] reveals that IP Operational experience [Kent] [Huston] [RFC7872] reveals that IP
fragmentation introduces fragility to Internet communication. This fragmentation introduces fragility to Internet communication. This
document describes IP fragmentation and explains the fragility it document describes IP fragmentation and explains the fragility it
introduces. It also proposes alternatives to IP fragmentation and introduces. It also proposes alternatives to IP fragmentation and
provides recommendations for developers and network operators. provides recommendations for developers and network operators.
While this document identifies issues associated with IP While this document identifies issues associated with IP
fragmentation, it does not recommend deprecation. Legacy protocols fragmentation, it does not recommend deprecation. Legacy protocols
that depend upon IP fragmentation SHOULD be updated to break that that depend upon IP fragmentation SHOULD be updated to remove that
dependency. However, some applications and environments (see dependency. However, some applications and environments (see
Section 6) require IP fragmentation. In these cases, the protocol Section 6) require IP fragmentation. In these cases, the protocol
will continue to rely on IP fragmentation, but the designer should to will continue to rely on IP fragmentation, but the designer should to
be aware that fragmented packets may result in blackholes; a design be aware that fragmented packets may result in blackholes; a design
should include appropriate safeguards (e.g. PLPMTU). should include appropriate safeguards (e.g. PLPMTU).
Rather than deprecating IP Fragmentation, this document recommends Rather than deprecating IP Fragmentation, this document recommends
that upper-layer protocols address the problem of fragmentation at that upper-layer protocols address the problem of fragmentation at
their layer, reducing their reliance on IP fragmentation to the their layer, reducing their reliance on IP fragmentation to the
greatest degree possible. greatest degree possible.
skipping to change at page 11, line 16 skipping to change at page 11, line 16
the IPv6 identification field is 32 bits long. the IPv6 identification field is 32 bits long.
4.6. Security Vulnerabilities 4.6. Security Vulnerabilities
Security researchers have documented several attacks that exploit IP Security researchers have documented several attacks that exploit IP
fragmentation. The following are examples: fragmentation. The following are examples:
o Overlapping fragment attacks [RFC1858][RFC3128][RFC5722] o Overlapping fragment attacks [RFC1858][RFC3128][RFC5722]
o Resource exhaustion attacks (such as the Rose Attack, o Resource exhaustion attacks (such as the Rose Attack,
https://web.archive.org/web/20110723091910/
http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm) http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm)
o Attacks based on predictable fragment identification values o Attacks based on predictable fragment identification values
[RFC7739] [RFC7739]
o Evasion of Network Intrusion Detection Systems (NIDS) [Ptacek1998] o Evasion of Network Intrusion Detection Systems (NIDS) [Ptacek1998]
In the overlapping fragment attack, an attacker constructs a series In the overlapping fragment attack, an attacker constructs a series
of packet fragments. The first fragment contains an IP header, a of packet fragments. The first fragment contains an IP header, a
transport-layer header, and some transport-layer payload. This transport-layer header, and some transport-layer payload. This
skipping to change at page 16, line 20 skipping to change at page 16, line 20
PMTU. For example, if routing changes and as a result the PMTU PMTU. For example, if routing changes and as a result the PMTU
becomes smaller, TCP will not know until the ICMP PTB message becomes smaller, TCP will not know until the ICMP PTB message
arrives. If this occurs, the packet is dropped, the PMTU estimate is arrives. If this occurs, the packet is dropped, the PMTU estimate is
updated, the segment is divided into smaller segments and each updated, the segment is divided into smaller segments and each
smaller segment is submitted to the underlying IP module. smaller segment is submitted to the underlying IP module.
The Datagram Congestion Control Protocol (DCCP) [RFC4340] and the The Datagram Congestion Control Protocol (DCCP) [RFC4340] and the
Stream Control Transport Protocol (SCTP) [RFC4960] also can be Stream Control Transport Protocol (SCTP) [RFC4960] also can be
operated in a mode that does not require IP fragmentation. They both operated in a mode that does not require IP fragmentation. They both
accept data from an application and divide that data into segments, accept data from an application and divide that data into segments,
with no segment exceeding a maximum size. </t><t> DCCP offers manual with no segment exceeding a maximum size.
configuration, PMTUD, and PLPMTUD as mechanisms for managing that
maximum size. Datagram protocols can also implement PLPMTUD to DCCP offers manual configuration, PMTUD, and PLPMTUD as mechanisms
estimate the PMTU via[I-D.ietf-tsvwg-datagram-plpmtud]. This for managing that maximum size. Datagram protocols can also
proposes procedures for performing PLPMTUD with UDP, UDP-Options, implement PLPMTUD to estimate the PMTU
SCTP, QUIC and other datagram protocols. via[I-D.ietf-tsvwg-datagram-plpmtud]. This proposes procedures for
performing PLPMTUD with UDP, UDP-Options, SCTP, QUIC and other
datagram protocols.
Currently, User Data Protocol (UDP) [RFC0768] lacks a fragmentation Currently, User Data Protocol (UDP) [RFC0768] lacks a fragmentation
mechanism of its own and relies on IP fragmentation. However, mechanism of its own and relies on IP fragmentation. However,
[I-D.ietf-tsvwg-udp-options] proposes a fragmentation mechanism for [I-D.ietf-tsvwg-udp-options] proposes a fragmentation mechanism for
UDP. UDP.
5.2. Application Layer Solutions 5.2. Application Layer Solutions
[RFC8085] recognizes that IP fragmentation reduces the reliability of [RFC8085] recognizes that IP fragmentation reduces the reliability of
Internet communication. It also recognizes that UDP lacks a Internet communication. It also recognizes that UDP lacks a
skipping to change at page 20, line 14 skipping to change at page 20, line 17
boxes may perform sub-optimally, process IP fragments in a manner boxes may perform sub-optimally, process IP fragments in a manner
that is not compliant with RFC 791 or RFC 8200, or even discard IP that is not compliant with RFC 791 or RFC 8200, or even discard IP
fragments completely. Such behaviors are NOT RECOMMENDED. If a fragments completely. Such behaviors are NOT RECOMMENDED. If a
middleboxes implements non-standard behavior with respect to IP middleboxes implements non-standard behavior with respect to IP
fragmentation, then that behavior MUST be clearly documented. fragmentation, then that behavior MUST be clearly documented.
7.4. For ECMP, LAG and Load-Balancer Developers And Operators 7.4. For ECMP, LAG and Load-Balancer Developers And Operators
In their default configuration, when the IPv6 Flow Label is not equal In their default configuration, when the IPv6 Flow Label is not equal
to zero, IPv6 devices that implement Equal-Cost Multipath (ECMP) to zero, IPv6 devices that implement Equal-Cost Multipath (ECMP)
Routing as described in <xref target="RFC2328">OSPF</xref> and other Routing as described in OSPF [RFC2328] and other routing protocols,
routing protocols, <xref target="RFC7424">Link Aggregation Grouping Link Aggregation Grouping (LAG) [RFC7424], or other load-balancing
(LAG)</xref>, or other load-balancing technologies SHOULD accept only technologies SHOULD accept only the following fields as input to
the following fields as input to their hash algorithm:</t> their hash algorithm:
o IP Source Address. o IP Source Address.
o IP Destination Address. o IP Destination Address.
o Flow Label. o Flow Label.
<t>Operators SHOULD deploy these devices in their default Operators SHOULD deploy these devices in their default configuration.
configuration.
These recommendations are similar to those presented in [RFC6438] and These recommendations are similar to those presented in [RFC6438] and
[RFC7098]. They differ in that they specify a default configuration. [RFC7098]. They differ in that they specify a default configuration.
7.5. For Network Operators 7.5. For Network Operators
Operators MUST ensure proper PMTUD operation in their network, Operators MUST ensure proper PMTUD operation in their network,
including making sure the network generates PTB packets when dropping including making sure the network generates PTB packets when dropping
packets too large compared to outgoing interface MTU. However, packets too large compared to outgoing interface MTU. However,
implementations MAY rate limit ICMP messages as per [RFC1812] and implementations MAY rate limit ICMP messages as per [RFC1812] and
skipping to change at page 25, line 32 skipping to change at page 25, line 32
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
A., and H. Ashida, "Common Requirements for Carrier-Grade A., and H. Ashida, "Common Requirements for Carrier-Grade
NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
April 2013, <https://www.rfc-editor.org/info/rfc6888>. April 2013, <https://www.rfc-editor.org/info/rfc6888>.
[RFC7098] Carpenter, B., Jiang, S., and W. Tarreau, "Using the IPv6 [RFC7098] Carpenter, B., Jiang, S., and W. Tarreau, "Using the IPv6
Flow Label for Load Balancing in Server Farms", RFC 7098, Flow Label for Load Balancing in Server Farms", RFC 7098,
DOI 10.17487/RFC7098, January 2014, DOI 10.17487/RFC7098, January 2014,
<https://www.rfc-editor.org/info/rfc7098>. <https://www.rfc-editor.org/info/rfc7098>.
[RFC7424] Krishnan, R., Yong, L., Ghanwani, A., So, N., and B.
Khasnabish, "Mechanisms for Optimizing Link Aggregation
Group (LAG) and Equal-Cost Multipath (ECMP) Component Link
Utilization in Networks", RFC 7424, DOI 10.17487/RFC7424,
January 2015, <https://www.rfc-editor.org/info/rfc7424>.
[RFC7588] Bonica, R., Pignataro, C., and J. Touch, "A Widely [RFC7588] Bonica, R., Pignataro, C., and J. Touch, "A Widely
Deployed Solution to the Generic Routing Encapsulation Deployed Solution to the Generic Routing Encapsulation
(GRE) Fragmentation Problem", RFC 7588, (GRE) Fragmentation Problem", RFC 7588,
DOI 10.17487/RFC7588, July 2015, DOI 10.17487/RFC7588, July 2015,
<https://www.rfc-editor.org/info/rfc7588>. <https://www.rfc-editor.org/info/rfc7588>.
[RFC7676] Pignataro, C., Bonica, R., and S. Krishnan, "IPv6 Support [RFC7676] Pignataro, C., Bonica, R., and S. Krishnan, "IPv6 Support
for Generic Routing Encapsulation (GRE)", RFC 7676, for Generic Routing Encapsulation (GRE)", RFC 7676,
DOI 10.17487/RFC7676, October 2015, DOI 10.17487/RFC7676, October 2015,
<https://www.rfc-editor.org/info/rfc7676>. <https://www.rfc-editor.org/info/rfc7676>.
 End of changes. 10 change blocks. 
17 lines changed or deleted 25 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/