draft-ietf-6man-deprecate-atomfrag-generation-03.txt   draft-ietf-6man-deprecate-atomfrag-generation-04.txt 
IPv6 maintenance Working Group (6man) F. Gont IPv6 maintenance Working Group (6man) F. Gont
Internet-Draft SI6 Networks / UTN-FRH Internet-Draft SI6 Networks / UTN-FRH
Updates: 2460 (if approved) W. Liu Intended status: Informational W. Liu
Intended status: Standards Track Huawei Technologies Expires: May 29, 2016 Huawei Technologies
Expires: January 5, 2016 T. Anderson T. Anderson
Redpill Linpro Redpill Linpro
July 4, 2015 November 26, 2015
Deprecating the Generation of IPv6 Atomic Fragments Deprecation of the Generation of IPv6 Atomic Fragments
draft-ietf-6man-deprecate-atomfrag-generation-03 draft-ietf-6man-deprecate-atomfrag-generation-04
Abstract Abstract
The core IPv6 specification requires that when a host receives an RFC2460 requires that when a host receives an ICMPv6 "Packet Too Big"
ICMPv6 "Packet Too Big" message reporting an MTU smaller than 1280 message reporting an MTU smaller than 1280 bytes, the host includes a
bytes, the host includes a Fragment Header in all subsequent packets Fragment Header in all subsequent packets sent to that destination,
sent to that destination, without reducing the assumed Path-MTU. The without reducing the assumed Path-MTU. The simplicity with which
simplicity with which ICMPv6 "Packet Too Big" messages can be forged, ICMPv6 "Packet Too Big" messages can be forged, coupled with the
coupled with the widespread filtering of IPv6 fragments, results in widespread filtering of IPv6 fragments, results in an attack vector
an attack vector that can be leveraged for Denial of Service that can be leveraged for Denial of Service purposes. This document
purposes. This document briefly discusses the aforementioned attack briefly discusses the aforementioned attack vector, and why the
vector, and formally updates RFC2460 such that generation of IPv6 aforementioned functionality is undesirable.
atomic fragments is deprecated, thus eliminating the aforementioned
attack vector.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 5, 2016. This Internet-Draft will expire on May 29, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 20 skipping to change at page 2, line 17
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3
4. Additional Considerations . . . . . . . . . . . . . . . . . . 5 4. Additional Considerations . . . . . . . . . . . . . . . . . . 4
5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 8.1. Normative References . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. Small Survey of OSes that Fail to Produce IPv6 Appendix A. Small Survey of OSes that Fail to Produce IPv6
Atomic Fragments . . . . . . . . . . . . . . . . . . 9 Atomic Fragments . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction 1. Introduction
[RFC2460] specifies the IPv6 fragmentation mechanism, which allows [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
IPv6 packets to be fragmented into smaller pieces such that they fit IPv6 packets to be fragmented into smaller pieces such that they fit
in the Path-MTU to the intended destination(s). in the Path-MTU to the intended destination(s).
Section 5 of [RFC2460] states that, when a host receives an ICMPv6 Section 5 of [RFC2460] states that, when a host receives an ICMPv6
"Packet Too Big" message [RFC4443] advertising an MTU smaller than "Packet Too Big" message [RFC4443] advertising an MTU smaller than
1280 bytes (the minimum IPv6 MTU), the host is not required to reduce 1280 bytes (the minimum IPv6 MTU), the host is not required to reduce
the assumed Path-MTU, but must simply include a Fragment Header in the assumed Path-MTU, but must simply include a Fragment Header in
all subsequent packets sent to that destination. The resulting all subsequent packets sent to that destination. The resulting
packets will thus *not* be actually fragmented into several pieces, packets will thus *not* be actually fragmented into several pieces,
but rather just include a Fragment Header with both the "Fragment but rather just include a Fragment Header with both the "Fragment
Offset" and the "M" flag set to 0 (we refer to these packets as Offset" and the "M" flag set to 0 (we refer to these packets as
"atomic fragments"). As required by [RFC6946], these atomic "atomic fragments"). As required by [RFC6946], these atomic
fragments are essentially processed by the destination host as non- fragments are essentially processed by the destination host as non-
fragment traffic (since there are not really any fragments to be fragmented traffic (since there are not really any fragments to be
reassembled). The goal of these atomic fragments has been to convey reassembled). The goal of these atomic fragments has been to convey
an appropriate Fragment Identification value to be employed by IPv6/ an appropriate Fragment Identification value to be employed by IPv6/
IPv4 translators for the resulting IPv4 fragments. IPv4 translators for the resulting IPv4 fragments.
While atomic fragments might seem rather benign, there are scenarios While atomic fragments might seem rather benign, there are scenarios
in which the generation of IPv6 atomic fragments can introduce an in which the generation of IPv6 atomic fragments can introduce an
attack vector that can be exploited for denial of service purposes. attack vector that can be exploited for denial of service purposes.
Since there are concrete security implications arising from the Since there are concrete security implications arising from the
generation of IPv6 atomic fragments, and there is no real gain in generation of IPv6 atomic fragments, and there is no real gain in
generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
translators generate a Fragment Identification value themselves), translators generate a Fragment Identification value themselves), we
this document formally updates [RFC2460], forbidding the generation conclude that this functionality is undesirable.
of IPv6 atomic fragments, such that the aforementioned attack vector
is eliminated.
Section 3 describes some possible attack scenarios. Section 4 Section 3 describes some possible attack scenarios. Section 4
provides additional considerations regarding the usefulness of provides additional considerations regarding the usefulness of
generating IPv6 atomic fragments. Section 5 formally updates RFC2460 generating IPv6 atomic fragments.
such that this attack vector is eliminated.
2. Terminology 2. Terminology
IPv6 atomic fragments IPv6 atomic fragments
IPv6 packets that contain a Fragment Header with the Fragment IPv6 packets that contain a Fragment Header with the Fragment
Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]). Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
skipping to change at page 3, line 48 skipping to change at page 3, line 42
a forged ICMPv6 "Packet Too Big" (PTB) error message to server B, a forged ICMPv6 "Packet Too Big" (PTB) error message to server B,
reporting an MTU smaller than 1280, this will trigger the generation reporting an MTU smaller than 1280, this will trigger the generation
of IPv6 atomic fragments from that moment on (as required by of IPv6 atomic fragments from that moment on (as required by
[RFC2460]). When server B starts sending IPv6 atomic fragments (in [RFC2460]). When server B starts sending IPv6 atomic fragments (in
response to the received ICMPv6 PTB), these packets will be dropped, response to the received ICMPv6 PTB), these packets will be dropped,
since we previously noted that packets with IPv6 EHs were being since we previously noted that packets with IPv6 EHs were being
dropped between Host A and Server B. Thus, this situation will dropped between Host A and Server B. Thus, this situation will
result in a Denial of Service (DoS) scenario. result in a Denial of Service (DoS) scenario.
Another possible scenario is that in which two BGP peers are Another possible scenario is that in which two BGP peers are
employing IPv6 transport, and they implement ACLs to drop IPv6 employing IPv6 transport, and they implement Access Control Lists
fragments (to avoid control-plane attacks). If the aforementioned (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If
BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet the aforementioned BGP peers drop IPv6 fragments but still honor
Too Big error messages, an attacker could easily attack the peering received ICMPv6 Packet Too Big error messages, an attacker could
session by simply sending an ICMPv6 PTB message with a reported MTU easily attack the peering session by simply sending an ICMPv6 PTB
smaller than 1280 bytes. Once the attack packet has been sent, it message with a reported MTU smaller than 1280 bytes. Once the attack
will be the aforementioned routers themselves the ones dropping their packet has been sent, it will be the aforementioned routers
own traffic. themselves the ones dropping their own traffic.
The aforementioned attack vector is exacerbated by the following The aforementioned attack vector is exacerbated by the following
factors: factors:
o The attacker does not need to forge the IPv6 Source Address of his o The attacker does not need to forge the IPv6 Source Address of his
attack packets. Hence, deployment of simple BCP38 filters will attack packets. Hence, deployment of simple BCP38 filters will
not help as a counter-measure. not help as a counter-measure.
o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
payload needs to be forged. While one could envision filtering payload needs to be forged. While one could envision filtering
skipping to change at page 6, line 36 skipping to change at page 6, line 26
relying on the Fragment ID of the IPv6 atomic fragment will result in relying on the Fragment ID of the IPv6 atomic fragment will result in
a reduced Fragment ID collision rate (when compared to the case where a reduced Fragment ID collision rate (when compared to the case where
the translator selects each IPv4 Fragment ID on its own). the translator selects each IPv4 Fragment ID on its own).
Finally, we note that [RFC6145] is currently the only "consumer" of Finally, we note that [RFC6145] is currently the only "consumer" of
IPv6 atomic fragments, and it correctly and diligently notes (in IPv6 atomic fragments, and it correctly and diligently notes (in
Section 6) the possible interoperability problems of relying on IPv6 Section 6) the possible interoperability problems of relying on IPv6
atomic fragments, proposing as a workaround that leads to more robust atomic fragments, proposing as a workaround that leads to more robust
behavior and simplified code. behavior and simplified code.
5. Updating RFC2460 5. IANA Considerations
The following text from Section 5 of [RFC2460]:
"In response to an IPv6 packet that is sent to an IPv4 destination
(i.e., a packet that undergoes translation from IPv6 to IPv4), the
originating IPv6 node may receive an ICMP Packet Too Big message
reporting a Next-Hop MTU less than 1280. In that case, the IPv6
node is not required to reduce the size of subsequent packets to
less than 1280, but must include a Fragment header in those
packets so that the IPv6-to-IPv4 translating router can obtain a
suitable Identification value to use in resulting IPv4 fragments.
Note that this means the payload may have to be reduced to 1232
octets (1280 minus 40 for the IPv6 header and 8 for the Fragment
header), and smaller still if additional extension headers are
used."
is formally replaced with:
"An IPv6 node that receives an ICMPv6 Packet Too Big error message
that reports a Next-Hop MTU smaller than 1280 bytes (the minimum
IPv6 MTU) MUST NOT include a Fragment header in subsequent packets
sent to the corresponding destination. That is, IPv6 nodes MUST
NOT generate IPv6 atomic fragments."
6. IANA Considerations
There are no IANA registries within this document. The RFC-Editor There are no IANA registries within this document. The RFC-Editor
can remove this section before publication of this document as an can remove this section before publication of this document as an
RFC. RFC.
7. Security Considerations 6. Security Considerations
This document describes a Denial of Service (DoS) attack vector that This document describes a Denial of Service (DoS) attack vector that
leverages the widespread filtering of IPv6 fragments in the public leverages the widespread filtering of IPv6 fragments in the public
Internet by means of ICMPv6 PTB error messages. Additionally, it Internet by means of ICMPv6 PTB error messages. It concludes that
formally updates [RFC2460] such that this attack vector is the generation of IPv6 atomic fragments is an undesirable feature.
eliminated.
8. Acknowledgements 7. Acknowledgements
The authors would like to thank (in alphabetical order) Alberto The authors would like to thank (in alphabetical order) Alberto
Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar, Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar,
and Erik Nordmark, for providing valuable comments on earlier Erik Nordmark, and Ole Troan, for providing valuable comments on
versions of this document. earlier versions of this document.
Fernando Gont would like to thank Fernando Gont would like to thank Fernando Gont would like to thank Fernando Gont would like to thank
Jan Zorz / Go6 Lab <http://go6lab.si/>, and Jared Mauch / NTT Jan Zorz / Go6 Lab <http://go6lab.si/>, and Jared Mauch / NTT
America, for providing access to systems and networks that were America, for providing access to systems and networks that were
employed to produce some of tests that resulted in the publication of employed to produce some of tests that resulted in the publication of
this document. Additionally, he would like to thank SixXS this document. Additionally, he would like to thank SixXS
<https://www.sixxs.net> for providing IPv6 connectivity. <https://www.sixxs.net> for providing IPv6 connectivity.
9. References 8. References
9.1. Normative References 8.1. Normative References
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998. (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
December 1998, <http://www.rfc-editor.org/info/rfc2460>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
Message Protocol (ICMPv6) for the Internet Protocol Control Message Protocol (ICMPv6) for the Internet
Version 6 (IPv6) Specification", RFC 4443, March 2006. Protocol Version 6 (IPv6) Specification", RFC 4443,
DOI 10.17487/RFC4443, March 2006,
<http://www.rfc-editor.org/info/rfc4443>.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
Discovery", RFC 4821, March 2007. Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007,
<http://www.rfc-editor.org/info/rfc4821>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007. DOI 10.17487/RFC4861, September 2007,
<http://www.rfc-editor.org/info/rfc4861>.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, April 2011. Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
<http://www.rfc-editor.org/info/rfc6145>.
9.2. Informative References 8.2. Informative References
[RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery",
2923, September 2000. RFC 2923, DOI 10.17487/RFC2923, September 2000,
<http://www.rfc-editor.org/info/rfc2923>.
[RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
Algorithm", RFC 2992, November 2000. Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000,
<http://www.rfc-editor.org/info/rfc2992>.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
DOI 10.17487/RFC5927, July 2010,
<http://www.rfc-editor.org/info/rfc5927>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
October 2010. DOI 10.17487/RFC6052, October 2010,
<http://www.rfc-editor.org/info/rfc6052>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6 NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, April 2011. Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <http://www.rfc-editor.org/info/rfc6146>.
[RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
6946, May 2013. RFC 6946, DOI 10.17487/RFC6946, May 2013,
<http://www.rfc-editor.org/info/rfc6946>.
[I-D.ietf-6man-predictable-fragment-id] [I-D.ietf-6man-predictable-fragment-id]
Gont, F., "Security Implications of Predictable Fragment Gont, F., "Security Implications of Predictable Fragment
Identification Values", draft-ietf-6man-predictable- Identification Values", draft-ietf-6man-predictable-
fragment-id-08 (work in progress), June 2015. fragment-id-10 (work in progress), October 2015.
[I-D.ietf-v6ops-ipv6-ehs-in-real-world] [I-D.ietf-v6ops-ipv6-ehs-in-real-world]
Gont, F., Linkova, J., Chown, T., and S. LIU, Gont, F., Linkova, J., Chown, T., and S. LIU,
"Observations on IPv6 EH Filtering in the Real World", "Observations on the Dropping of Packets with IPv6
draft-ietf-v6ops-ipv6-ehs-in-real-world-00 (work in Extension Headers in the Real World", draft-ietf-v6ops-
progress), April 2015. ipv6-ehs-in-real-world-01 (work in progress), October
2015.
[Morbitzer] [Morbitzer]
Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
Thesis number: 670. Department of Computing Science, Thesis number: 670. Department of Computing Science,
Radboud University Nijmegen. August 2013, Radboud University Nijmegen. August 2013,
<https://www.ru.nl/publish/pages/578936/ <https://www.ru.nl/publish/pages/578936/
m_morbitzer_masterthesis.pdf>. m_morbitzer_masterthesis.pdf>.
Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic
Fragments Fragments
[This section will probably be removed from this document before it [This section will probably be removed from this document before it
is published as an RFC]. is published as an RFC].
 End of changes. 35 change blocks. 
99 lines changed or deleted 84 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/