| draft-ietf-6man-deprecate-atomfrag-generation-01.txt | draft-ietf-6man-deprecate-atomfrag-generation-02.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Updates: 2460, 6145 (if approved) W. Liu | Updates: 2460, 6145 (if approved) W. Liu | |||
| Intended status: Standards Track Huawei Technologies | Intended status: Standards Track Huawei Technologies | |||
| Expires: October 29, 2015 T. Anderson | Expires: January 5, 2016 T. Anderson | |||
| Redpill Linpro | Redpill Linpro | |||
| April 27, 2015 | July 4, 2015 | |||
| Deprecating the Generation of IPv6 Atomic Fragments | Deprecating the Generation of IPv6 Atomic Fragments | |||
| draft-ietf-6man-deprecate-atomfrag-generation-01 | draft-ietf-6man-deprecate-atomfrag-generation-02 | |||
| Abstract | Abstract | |||
| The core IPv6 specification requires that when a host receives an | The core IPv6 specification requires that when a host receives an | |||
| ICMPv6 "Packet Too Big" message reporting a "Next-Hop MTU" smaller | ICMPv6 "Packet Too Big" message reporting an MTU smaller than 1280 | |||
| than 1280, the host includes a Fragment Header in all subsequent | bytes, the host includes a Fragment Header in all subsequent packets | |||
| packets sent to that destination, without reducing the assumed Path- | sent to that destination, without reducing the assumed Path-MTU. The | |||
| MTU. The simplicity with which ICMPv6 "Packet Too Big" messages can | simplicity with which ICMPv6 "Packet Too Big" messages can be forged, | |||
| be forged, coupled with the widespread filtering of IPv6 fragments, | coupled with the widespread filtering of IPv6 fragments, results in | |||
| results in an attack vector that can be leveraged for Denial of | an attack vector that can be leveraged for Denial of Service | |||
| Service purposes. This document briefly discusses the aforementioned | purposes. This document briefly discusses the aforementioned attack | |||
| attack vector, and formally updates RFC2460 such that generation of | vector, and formally updates RFC2460 such that generation of IPv6 | |||
| IPv6 atomic fragments is deprecated, thus eliminating the | atomic fragments is deprecated, thus eliminating the aforementioned | |||
| aforementioned attack vector. Additionally, it formally updates | attack vector. | |||
| RFC6145 such that the Stateless IP/ICMP Translation Algorithm (SIIT) | ||||
| does not rely on the generation of IPv6 atomic fragments, thus | ||||
| improving the robustness of the protocol. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 29, 2015. | This Internet-Draft will expire on January 5, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 26 | skipping to change at page 2, line 21 | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3 | 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3 | |||
| 4. Additional Considerations . . . . . . . . . . . . . . . . . . 5 | 4. Additional Considerations . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Updating RFC6145 . . . . . . . . . . . . . . . . . . . . . . 7 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 15 | ||||
| Appendix A. Small Survey of OSes that Fail to Produce IPv6 | Appendix A. Small Survey of OSes that Fail to Produce IPv6 | |||
| Atomic Fragments . . . . . . . . . . . . . . . . . . 16 | Atomic Fragments . . . . . . . . . . . . . . . . . . 9 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| [RFC2460] specifies the IPv6 fragmentation mechanism, which allows | [RFC2460] specifies the IPv6 fragmentation mechanism, which allows | |||
| IPv6 packets to be fragmented into smaller pieces such that they fit | IPv6 packets to be fragmented into smaller pieces such that they fit | |||
| in the Path-MTU to the intended destination(s). | in the Path-MTU to the intended destination(s). | |||
| Section 5 of [RFC2460] states that, when a host receives an ICMPv6 | Section 5 of [RFC2460] states that, when a host receives an ICMPv6 | |||
| "Packet Too Big" message [RFC4443] advertising a "Next-Hop MTU" | "Packet Too Big" message [RFC4443] advertising an MTU smaller than | |||
| smaller than 1280 (the minimum IPv6 MTU), the host is not required to | 1280 bytes (the minimum IPv6 MTU), the host is not required to reduce | |||
| reduce the assumed Path-MTU, but must simply include a Fragment | the assumed Path-MTU, but must simply include a Fragment Header in | |||
| Header in all subsequent packets sent to that destination. The | all subsequent packets sent to that destination. The resulting | |||
| resulting packets will thus *not* be actually fragmented into several | packets will thus *not* be actually fragmented into several pieces, | |||
| pieces, but rather just include a Fragment Header with both the | but rather just include a Fragment Header with both the "Fragment | |||
| "Fragment Offset" and the "M" flag set to 0 (we refer to these | Offset" and the "M" flag set to 0 (we refer to these packets as | |||
| packets as "atomic fragments"). As required by [RFC6946], these | "atomic fragments"). As required by [RFC6946], these atomic | |||
| atomic fragments are essentially processed by the destination host as | fragments are essentially processed by the destination host as non- | |||
| non-fragment traffic (since there are not really any fragments to be | fragment traffic (since there are not really any fragments to be | |||
| reassembled). IPv6/IPv4 translators will typically employ the | reassembled). The goal of these atomic fragments has been to convey | |||
| Fragment Identification information found in the Fragment Header to | an appropriate Fragment Identification value to be employed by IPv6/ | |||
| select an appropriate Fragment Identification value for the resulting | IPv4 translators for the resulting IPv4 fragments. | |||
| IPv4 fragments. | ||||
| While atomic fragments might seem rather benign, there are scenarios | While atomic fragments might seem rather benign, there are scenarios | |||
| in which the generation of IPv6 atomic fragments can introduce an | in which the generation of IPv6 atomic fragments can introduce an | |||
| attack vector that can be exploited for denial of service purposes. | attack vector that can be exploited for denial of service purposes. | |||
| Since there are concrete security implications arising from the | Since there are concrete security implications arising from the | |||
| generation of IPv6 atomic fragments, and there is no real gain in | generation of IPv6 atomic fragments, and there is no real gain in | |||
| generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 | generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 | |||
| translators generate a Fragment Identification value themselves), | translators generate a Fragment Identification value themselves), | |||
| this document formally updates [RFC2460], forbidding the generation | this document formally updates [RFC2460], forbidding the generation | |||
| of IPv6 atomic fragments, such that the aforementioned attack vector | of IPv6 atomic fragments, such that the aforementioned attack vector | |||
| is eliminated. Additionally, it formally updates [RFC6145] such that | is eliminated. | |||
| the Stateless IP/ICMP Translation Algorithm (SIIT) does not rely on | ||||
| the generation of IPv6 atomic fragments. | ||||
| Section 3 describes some possible attack scenarios. Section 4 | Section 3 describes some possible attack scenarios. Section 4 | |||
| provides additional considerations regarding the usefulness of | provides additional considerations regarding the usefulness of | |||
| generating IPv6 atomic fragments. Section 5 formally updates RFC2460 | generating IPv6 atomic fragments. Section 5 formally updates RFC2460 | |||
| such that this attack vector is eliminated. Section 6 formally | such that this attack vector is eliminated. | |||
| updates RFC6145 such that it does not relies on the generation of | ||||
| IPv6 atomic fragments. | ||||
| 2. Terminology | 2. Terminology | |||
| IPv6 atomic fragments | IPv6 atomic fragments | |||
| IPv6 packets that contain a Fragment Header with the Fragment | IPv6 packets that contain a Fragment Header with the Fragment | |||
| Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]). | Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]). | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 3. Denial of Service (DoS) attack vector | 3. Denial of Service (DoS) attack vector | |||
| Let us assume that Host A is communicating with Server B, and that, | Let us assume that Host A is communicating with Server B, and that, | |||
| as a result of the widespread filtering of IPv6 packets with | as a result of the widespread filtering of IPv6 packets with | |||
| extension headers (including fragmentation) | extension headers (including fragmentation) | |||
| [I-D.gont-v6ops-ipv6-ehs-in-real-world], some intermediate node | [I-D.ietf-v6ops-ipv6-ehs-in-real-world], some intermediate node | |||
| filters fragments between Host A and Server B. If an attacker sends | filters fragments between Host A and Server B. If an attacker sends | |||
| a forged ICMPv6 "Packet Too Big" (PTB) error message to server B, | a forged ICMPv6 "Packet Too Big" (PTB) error message to server B, | |||
| reporting a Next-Hop MTU smaller than 1280, this will trigger the | reporting an MTU smaller than 1280, this will trigger the generation | |||
| generation of IPv6 atomic fragments from that moment on (as required | of IPv6 atomic fragments from that moment on (as required by | |||
| by [RFC2460]). When server B starts sending IPv6 atomic fragments | [RFC2460]). When server B starts sending IPv6 atomic fragments (in | |||
| (in response to the received ICMPv6 PTB), these packets will be | response to the received ICMPv6 PTB), these packets will be dropped, | |||
| dropped, since we previously noted that packets with IPv6 EHs were | since we previously noted that packets with IPv6 EHs were being | |||
| being dropped between Host A and Server B. Thus, this situation will | dropped between Host A and Server B. Thus, this situation will | |||
| result in a Denial of Service (DoS) scenario. | result in a Denial of Service (DoS) scenario. | |||
| Another possible scenario is that in which two BGP peers are | Another possible scenario is that in which two BGP peers are | |||
| employing IPv6 transport, and they implement ACLs to drop IPv6 | employing IPv6 transport, and they implement ACLs to drop IPv6 | |||
| fragments (to avoid control-plane attacks). If the aforementioned | fragments (to avoid control-plane attacks). If the aforementioned | |||
| BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet | BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet | |||
| Too Big error messages, an attacker could easily attack the peering | Too Big error messages, an attacker could easily attack the peering | |||
| session by simply sending an ICMPv6 PTB message with a reported MTU | session by simply sending an ICMPv6 PTB message with a reported MTU | |||
| smaller than 1280 bytes. Once the attack packet has been fired, it | smaller than 1280 bytes. Once the attack packet has been sent, it | |||
| will be the aforementioned routers themselves the ones dropping their | will be the aforementioned routers themselves the ones dropping their | |||
| own traffic. | own traffic. | |||
| The aforementioned attack vector is exacerbated by the following | The aforementioned attack vector is exacerbated by the following | |||
| factors: | factors: | |||
| o The attacker does not need to forge the IPv6 Source Address of his | o The attacker does not need to forge the IPv6 Source Address of his | |||
| attack packets. Hence, deployment of simple BCP38 filters will | attack packets. Hence, deployment of simple BCP38 filters will | |||
| not help as a counter-measure. | not help as a counter-measure. | |||
| o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 | o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 | |||
| payload need to be forged. While one could envision filtering | payload needs to be forged. While one could envision filtering | |||
| devices enforcing BCP38-style filters on the ICMPv6 payload, the | devices enforcing BCP38-style filters on the ICMPv6 payload, the | |||
| use of extension (by the attacker) could make this difficult, if | use of extension headers (by the attacker) could make this | |||
| at all possible. | difficult, if at all possible. | |||
| o Many implementations fail to perform validation checks on the | o Many implementations fail to perform validation checks on the | |||
| received ICMPv6 error messages, as recommended in Section 5.2 of | received ICMPv6 error messages, as recommended in Section 5.2 of | |||
| [RFC4443] and documented in [RFC5927]. It should be noted that in | [RFC4443] and documented in [RFC5927]. It should be noted that in | |||
| some cases, such as when an ICMPv6 error message has (supposedly) | some cases, such as when an ICMPv6 error message has (supposedly) | |||
| been elicited by a connection-less transport protocol (or some | been elicited by a connection-less transport protocol (or some | |||
| other connection-less protocol being encapsulated in IPv6), it may | other connection-less protocol being encapsulated in IPv6), it may | |||
| be virtually impossible to perform validation checks on the | be virtually impossible to perform validation checks on the | |||
| received ICMPv6 error messages. And, because of IPv6 extension | received ICMPv6 error messages. And, because of IPv6 extension | |||
| headers, the ICMPv6 payload might not even contain any useful | headers, the ICMPv6 payload might not even contain any useful | |||
| skipping to change at page 5, line 42 | skipping to change at page 5, line 33 | |||
| o There exists a fair share of evidence of ICMPv6 Packet Too Big | o There exists a fair share of evidence of ICMPv6 Packet Too Big | |||
| messages being dropped on the public Internet (for instance, that | messages being dropped on the public Internet (for instance, that | |||
| is one of the reasons for which PLPMTUD [RFC4821] was produced). | is one of the reasons for which PLPMTUD [RFC4821] was produced). | |||
| Therefore, relying on such messages being successfully delivered | Therefore, relying on such messages being successfully delivered | |||
| will affect the robustness of the protocol that relies on them. | will affect the robustness of the protocol that relies on them. | |||
| o A number of IPv6 implementations have been known to fail to | o A number of IPv6 implementations have been known to fail to | |||
| generate IPv6 atomic fragments in response to ICMPv6 PTB messages | generate IPv6 atomic fragments in response to ICMPv6 PTB messages | |||
| reporting an MTU smaller than 1280 bytes (see Appendix A for a | reporting an MTU smaller than 1280 bytes (see Appendix A for a | |||
| small survey). Additionally, results included in Section 6 of | small survey). Additionally, the results included in Section 6 of | |||
| [RFC6145] note that 57% of the tested web servers failed to | [RFC6145] note that 57% of the tested web servers failed to | |||
| produce IPv6 atomic fragments in response to ICMPv6 PTB messages | produce IPv6 atomic fragments in response to ICMPv6 PTB messages | |||
| reporting an MTU smaller than 1280 bytes. Thus, any protocol | reporting an MTU smaller than 1280 bytes. Thus, any protocol | |||
| relying on IPv6 atomic fragment generation for proper functioning | relying on IPv6 atomic fragment generation for proper functioning | |||
| will have interoperability problems with the aforementioned IPv6 | will have interoperability problems with the aforementioned IPv6 | |||
| stacks. | stacks. | |||
| o IPv6 atomic fragment generation represents a case in which | o IPv6 atomic fragment generation represents a case in which | |||
| fragmented traffic is produced where otherwise it would not be | fragmented traffic is produced where otherwise it would not be | |||
| needed. Since there is widespread filtering of IPv6 fragments in | needed. Since there is widespread filtering of IPv6 fragments in | |||
| the public Internet [I-D.gont-v6ops-ipv6-ehs-in-real-world], this | the public Internet [I-D.ietf-v6ops-ipv6-ehs-in-real-world], this | |||
| would mean that the (unnecessary) use of IPv6 fragmentation might | would mean that the (unnecessary) use of IPv6 fragmentation might | |||
| result, unnecessarily, in a Denial of Service situation even in | result, unnecessarily, in a Denial of Service situation even in | |||
| legitimate cases. | legitimate cases. | |||
| Finally, we note that SIIT essentially employs the Fragment Header of | Finally, we note that SIIT essentially employs the Fragment Header of | |||
| IPv6 atomic fragments to signal the translator how to set the DF bit | IPv6 atomic fragments to signal the translator how to set the DF bit | |||
| of IPv4 datagrams (the DF bit is cleared when the IPv6 packet | of IPv4 datagrams (the DF bit is cleared when the IPv6 packet | |||
| contains a Fragment Header, and is otherwise set to 1 when the IPv6 | contains a Fragment Header, and is otherwise set to 1 when the IPv6 | |||
| packet does not contain an IPv6 Fragment Header). Additionally, the | packet does not contain an IPv6 Fragment Header). Additionally, the | |||
| translator will employ the low-order 16-bits of the IPv6 Fragment | translator will employ the low-order 16-bits of the IPv6 Fragment | |||
| Identification for setting the IPv4 Fragment Identification. At | Identification for setting the IPv4 Fragment Identification. At | |||
| least in theory, this is expected to reduce the Fragment ID collision | least in theory, this is expected to reduce the Fragment ID collision | |||
| rate in the following specific scenario: | rate in the following specific scenario: | |||
| 1. An IPv6 node communicates with an IPv4 node (through SIIT) | 1. An IPv6 node communicates with an IPv4 node (through SIIT) | |||
| 2. The IPv4 node is located behind an IPv4 link with an MTU < 1260 | 2. The IPv4 node is located behind an IPv4 link with an MTU < 1260 | |||
| 3. ECMP routing [RFC2992] with more than one translator are employed | 3. ECMP routing [RFC2992] with more than one translator is employed | |||
| for e.g., redundancy purposes | for e.g., redundancy purposes | |||
| In such a scenario, if each translator were to select the IPv4 | In such a scenario, if each translator were to select the IPv4 | |||
| Fragment Identification on its own (rather than selecting the IPv4 | Fragment Identification on its own (rather than selecting the IPv4 | |||
| Fragment ID from the low-order 16-bits of the Fragment Identification | Fragment ID from the low-order 16-bits of the Fragment Identification | |||
| of atomic fragments), this could possibly lead to IPv4 Fragment ID | of atomic fragments), this could possibly lead to IPv4 Fragment ID | |||
| collisions. However, since a number of implementations set IPv6 | collisions. However, since a number of implementations set IPv6 | |||
| Fragment ID according to the output of a Pseudo-Random Number | Fragment ID according to the output of a Pseudo-Random Number | |||
| Generator (PRNG) (see Appendix B of | Generator (PRNG) (see Appendix B of | |||
| [I-D.ietf-6man-predictable-fragment-id]) and the translator only | [I-D.ietf-6man-predictable-fragment-id]) and the translator only | |||
| employs the low-order 16-bits of such value, it is very unlikely that | employs the low-order 16-bits of such value, it is very unlikely that | |||
| relying on the Fragment ID of the IPv6 atomic fragment will result in | relying on the Fragment ID of the IPv6 atomic fragment will result in | |||
| a reduced Fragment ID collision rate (when compared to the case where | a reduced Fragment ID collision rate (when compared to the case where | |||
| the translator selects each IPv4 Fragment ID on its own). | the translator selects each IPv4 Fragment ID on its own). | |||
| Finally, we note that [RFC6145] is currently the only "consumer" of | Finally, we note that [RFC6145] is currently the only "consumer" of | |||
| IPv6 atomic fragments, and it correctly and diligently notes (in | IPv6 atomic fragments, and it correctly and diligently notes (in | |||
| Section 6) the possible interoperability problems of relying on IPv6 | Section 6) the possible interoperability problems of relying on IPv6 | |||
| atomic fragments, proposing as a workaround something very similar to | atomic fragments, proposing as a workaround that leads to more robust | |||
| what we propose in Section 6. We believe that, by making the more | behavior and simplified code. | |||
| robust behavior the default behavior of the "IP/ICMP Translation | ||||
| Algorithm", robustness is improved, and the corresponding code is | ||||
| simplified. | ||||
| 5. Updating RFC2460 | 5. Updating RFC2460 | |||
| The following text from Section 5 of [RFC2460]: | The following text from Section 5 of [RFC2460]: | |||
| "In response to an IPv6 packet that is sent to an IPv4 destination | "In response to an IPv6 packet that is sent to an IPv4 destination | |||
| (i.e., a packet that undergoes translation from IPv6 to IPv4), the | (i.e., a packet that undergoes translation from IPv6 to IPv4), the | |||
| originating IPv6 node may receive an ICMP Packet Too Big message | originating IPv6 node may receive an ICMP Packet Too Big message | |||
| reporting a Next-Hop MTU less than 1280. In that case, the IPv6 | reporting a Next-Hop MTU less than 1280. In that case, the IPv6 | |||
| node is not required to reduce the size of subsequent packets to | node is not required to reduce the size of subsequent packets to | |||
| skipping to change at page 7, line 30 | skipping to change at page 7, line 13 | |||
| used." | used." | |||
| is formally replaced with: | is formally replaced with: | |||
| "An IPv6 node that receives an ICMPv6 Packet Too Big error message | "An IPv6 node that receives an ICMPv6 Packet Too Big error message | |||
| that reports a Next-Hop MTU smaller than 1280 bytes (the minimum | that reports a Next-Hop MTU smaller than 1280 bytes (the minimum | |||
| IPv6 MTU) MUST NOT include a Fragment header in subsequent packets | IPv6 MTU) MUST NOT include a Fragment header in subsequent packets | |||
| sent to the corresponding destination. That is, IPv6 nodes MUST | sent to the corresponding destination. That is, IPv6 nodes MUST | |||
| NOT generate IPv6 atomic fragments." | NOT generate IPv6 atomic fragments." | |||
| 6. Updating RFC6145 | 6. IANA Considerations | |||
| The following text from Section 4 (Translating from IPv4 to IPv6) of | ||||
| [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| When the IPv4 sender does not set the DF bit, the translator SHOULD | ||||
| always include an IPv6 Fragment Header to indicate that the sender | ||||
| allows fragmentation. The translator MAY provide a configuration | ||||
| function that allows the translator not to include the Fragment | ||||
| Header for the non-fragmented IPv6 packets. | ||||
| The rules in Section 4.1 ensure that when packets are fragmented, | ||||
| either by the sender or by IPv4 routers, the low-order 16 bits of the | ||||
| fragment identification are carried end-to-end, ensuring that packets | ||||
| are correctly reassembled. In addition, the rules in Section 4.1 use | ||||
| the presence of an IPv6 Fragment Header to indicate that the sender | ||||
| might not be using path MTU discovery (i.e., the packet should not | ||||
| have the DF flag set should it later be translated back to IPv4). | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| The rules in Section 4.1 ensure that when packets are fragmented, | ||||
| either by the sender or by IPv4 routers, the low-order 16 bits of the | ||||
| fragment identification are carried end-to-end, ensuring that packets | ||||
| are correctly reassembled. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| The following text from Section 4.1 ("Translating IPv4 Headers into | ||||
| IPv6 Headers") of [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| If there is a need to add a Fragment Header (the DF bit is not set or | ||||
| the packet is a fragment), the header fields are set as above with | ||||
| the following exceptions: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| If there is a need to add a Fragment Header (the packet is a | ||||
| fragment), the header fields are set as above with the following | ||||
| exceptions: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| The following text from Section 4.2 ("Translating ICMPv4 Headers into | ||||
| ICMPv6 Headers") of [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| Code 4 (Fragmentation Needed and DF was Set): Translate to | ||||
| an ICMPv6 Packet Too Big message (Type 2) with Code set | ||||
| to 0. The MTU field MUST be adjusted for the difference | ||||
| between the IPv4 and IPv6 header sizes, i.e., | ||||
| minimum(advertised MTU+20, MTU_of_IPv6_nexthop, | ||||
| (MTU_of_IPv4_nexthop)+20). Note that if the IPv4 router | ||||
| set the MTU field to zero, i.e., the router does not | ||||
| implement [RFC1191], then the translator MUST use the | ||||
| plateau values specified in [RFC1191] to determine a | ||||
| likely path MTU and include that path MTU in the ICMPv6 | ||||
| packet. (Use the greatest plateau value that is less | ||||
| than the returned Total Length field.) | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| Code 4 (Fragmentation Needed and DF was Set): Translate to | ||||
| an ICMPv6 Packet Too Big message (Type 2) with Code set | ||||
| to 0. The MTU field MUST be adjusted for the difference | ||||
| between the IPv4 and IPv6 header sizes, but MUST NOT be | ||||
| set to a value smaller than the minimum IPv6 MTU | ||||
| (1280 bytes). That is, it should be set to maximum(1280, | ||||
| minimum(advertised MTU+20, MTU_of_IPv6_nexthop, | ||||
| (MTU_of_IPv4_nexthop)+20)). Note that if the IPv4 router | ||||
| set the MTU field to zero, i.e., the router does not | ||||
| implement [RFC1191], then the translator MUST use the | ||||
| plateau values specified in [RFC1191] to determine a | ||||
| likely path MTU and include that path MTU in the ICMPv6 | ||||
| packet. (Use the greatest plateau value that is less | ||||
| than the returned Total Length field, but that is larger | ||||
| than or equal to 1280.) | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| The following text from Section 5 ("Translating from IPv6 to IPv4") | ||||
| of [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| There are some differences between IPv6 and IPv4 (in the areas of | ||||
| fragmentation and the minimum link MTU) that affect the translation. | ||||
| An IPv6 link has to have an MTU of 1280 bytes or greater. The | ||||
| corresponding limit for IPv4 is 68 bytes. Path MTU discovery across | ||||
| a translator relies on ICMP Packet Too Big messages being received | ||||
| and processed by IPv6 hosts, including an ICMP Packet Too Big that | ||||
| indicates the MTU is less than the IPv6 minimum MTU. This | ||||
| requirement is described in Section 5 of [RFC2460] (for IPv6's | ||||
| 1280-octet minimum MTU) and Section 5 of [RFC1883] (for IPv6's | ||||
| previous 576-octet minimum MTU). | ||||
| In an environment where an ICMPv4 Packet Too Big message is | ||||
| translated to an ICMPv6 Packet Too Big message, and the ICMPv6 Packet | ||||
| Too Big message is successfully delivered to and correctly processed | ||||
| by the IPv6 hosts (e.g., a network owned/operated by the same entity | ||||
| that owns/operates the translator), the translator can rely on IPv6 | ||||
| hosts sending subsequent packets to the same IPv6 destination with | ||||
| IPv6 Fragment Headers. In such an environment, when the translator | ||||
| receives an IPv6 packet with a Fragment Header, the translator SHOULD | ||||
| generate the IPv4 packet with a cleared Don't Fragment bit, and with | ||||
| its identification value from the IPv6 Fragment Header, for all of | ||||
| the IPv6 fragments (MF=0 or MF=1). | ||||
| In an environment where an ICMPv4 Packet Too Big message is filtered | ||||
| (by a network firewall or by the host itself) or not correctly | ||||
| processed by the IPv6 hosts, the IPv6 host will never generate an | ||||
| IPv6 packet with the IPv6 Fragment Header. In such an environment, | ||||
| the translator SHOULD set the IPv4 Don't Fragment bit. While setting | ||||
| the Don't Fragment bit may create PMTUD black holes [RFC2923] if | ||||
| there are IPv4 links smaller than 1260 octets, this is considered | ||||
| safer than causing IPv4 reassembly errors [RFC4963]. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| There are some differences between IPv6 and IPv4 (in the areas of | ||||
| fragmentation and the minimum link MTU) that affect the translation. | ||||
| An IPv6 link has to have an MTU of 1280 bytes or greater. The | ||||
| corresponding limit for IPv4 is 68 bytes. Path MTU discovery across | ||||
| a translator relies on ICMP Packet Too Big messages being received | ||||
| and processed by IPv6 hosts. | ||||
| The difference in the minimum MTUs of IPv4 and IPv6 is accommodated | ||||
| as follows: | ||||
| o When translating an ICMPv4 "Fragmentation Needed" packet, the | ||||
| indicated MTU in the resulting ICMPv6 "Packet Too Big" will | ||||
| never be set to a value lower than 1280. This ensures that the | ||||
| IPv6 nodes will never have to encounter or handle Path MTU | ||||
| values lower than the minimum IPv6 link MTU of 1280. See | ||||
| Section 4.2. | ||||
| o When the resulting IPv4 packet is smaller than or equal to 1260 | ||||
| bytes, the translator MUST send the packet with a cleared Don't | ||||
| Fragment bit. Otherwise, the packet MUST be sent with the Don't | ||||
| Fragment bit set. See Section 5.1. | ||||
| This approach allows Path MTU Discovery to operate end-to-end for | ||||
| paths whose MTU are not smaller than minimum IPv6 MTU of 1280 (which | ||||
| corresponds to MTU of 1260 in the IPv4 domain). On paths that have | ||||
| IPv4 links with MTU < 1260, the IPv4 router(s) connected to those | ||||
| links will fragment the packets in accordance with Section 2.3 of | ||||
| [RFC0791]. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| The following text from Section 5.1 ("Translating IPv6 Headers into | ||||
| IPv4 Headers") of [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| Identification: All zero. In order to avoid black holes caused by | ||||
| ICMPv4 filtering or non-[RFC2460]-compatible IPv6 hosts (a | ||||
| workaround is discussed in Section 6), the translator MAY provide | ||||
| a function to generate the identification value if the packet size | ||||
| is greater than 88 bytes and less than or equal to 1280 bytes. | ||||
| The translator SHOULD provide a method for operators to enable or | ||||
| disable this function. | ||||
| Flags: The More Fragments flag is set to zero. The Don't Fragment | ||||
| (DF) flag is set to one. In order to avoid black holes caused by | ||||
| ICMPv4 filtering or non-[RFC2460]-compatible IPv6 hosts (a | ||||
| workaround is discussed in Section 6), the translator MAY provide | ||||
| a function as follows. If the packet size is greater than 88 | ||||
| bytes and less than or equal to 1280 bytes, it sets the DF flag to | ||||
| zero; otherwise, it sets the DF flag to one. The translator | ||||
| SHOULD provide a method for operators to enable or disable this | ||||
| function. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| Identification: Set according to a Fragment Identification | ||||
| generator at the translator. | ||||
| Flags: The More Fragments flag is set to zero. The Don't Fragment | ||||
| (DF) flag is set as follows: If the size of the translated IPv4 | ||||
| packet is less than or equal to 1260 bytes, it is set to zero; | ||||
| otherwise, it is set to one. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| The following text from Section 5.1.1 ("IPv6 Fragment Processing") of | ||||
| [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| If a translated packet with DF set to 1 will be larger than the MTU | ||||
| of the next-hop interface, then the translator MUST drop the packet | ||||
| and send the ICMPv6 Packet Too Big (Type 2, Code 0) error message to | ||||
| the IPv6 host with an adjusted MTU in the ICMPv6 message. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| If an IPv6 packet that is smaller than or equal to 1280 bytes results | ||||
| (after translation) in an IPv4 packet that is larger than the MTU of | ||||
| the next-hop interface, then the translator MUST perform IPv4 | ||||
| fragmentation on that packet such that it can be transferred over the | ||||
| constricting link. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| Finally, the following text from 6 ("Special Considerations for | ||||
| ICMPv6 Packet Too Big") of [RFC6145]: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| Two recent studies analyzed the behavior of IPv6-capable web servers | ||||
| on the Internet and found that approximately 95% responded as | ||||
| expected to an IPv6 Packet Too Big that indicated MTU = 1280, but | ||||
| only 43% responded as expected to an IPv6 Packet Too Big that | ||||
| indicated an MTU < 1280. It is believed that firewalls violating | ||||
| Section 4.3.1 of [RFC4890] are at fault. Both failures (the 5% wrong | ||||
| response when MTU = 1280 and the 57% wrong response when MTU < 1280) | ||||
| will cause PMTUD black holes [RFC2923]. Unfortunately, the | ||||
| translator cannot improve the failure rate of the first case (MTU = | ||||
| 1280), but the translator can improve the failure rate of the second | ||||
| case (MTU < 1280). There are two approaches to resolving the problem | ||||
| with sending ICMPv6 messages indicating an MTU < 1280. It SHOULD be | ||||
| possible to configure a translator for either of the two approaches. | ||||
| The first approach is to constrain the deployment of the IPv6/IPv4 | ||||
| translator by observing that four of the scenarios intended for | ||||
| stateless IPv6/IPv4 translators do not have IPv6 hosts on the | ||||
| Internet (Scenarios 1, 2, 5, and 6 described in [RFC6144], which | ||||
| refer to "An IPv6 network"). In these scenarios, IPv6 hosts, IPv6- | ||||
| host-based firewalls, and IPv6 network firewalls can be administered | ||||
| in compliance with Section 4.3.1 of [RFC4890] and therefore avoid the | ||||
| problem witnessed with IPv6 hosts on the Internet. | ||||
| The second approach is necessary if the translator has IPv6 hosts, | ||||
| IPv6-host-based firewalls, or IPv6 network firewalls that do not (or | ||||
| cannot) comply with Section 5 of [RFC2460] -- such as IPv6 hosts on | ||||
| the Internet. This approach requires the translator to do the | ||||
| following: | ||||
| 1. In the IPv4-to-IPv6 direction: if the MTU value of ICMPv4 Packet | ||||
| Too Big (PTB) messages is less than 1280, change it to 1280. | ||||
| This is intended to cause the IPv6 host and IPv6 firewall to | ||||
| process the ICMP PTB message and generate subsequent packets to | ||||
| this destination with an IPv6 Fragment Header. | ||||
| Note: Based on recent studies, this is effective for 95% of IPv6 | ||||
| hosts on the Internet. | ||||
| 2. In the IPv6-to-IPv4 direction: | ||||
| A. If there is a Fragment Header in the IPv6 packet, the last 16 | ||||
| bits of its value MUST be used for the IPv4 identification | ||||
| value. | ||||
| B. If there is no Fragment Header in the IPv6 packet: | ||||
| a. If the packet is less than or equal to 1280 bytes: | ||||
| - The translator SHOULD set DF to 0 and generate an IPv4 | ||||
| identification value. | ||||
| - To avoid the problems described in [RFC4963], it is | ||||
| RECOMMENDED that the translator maintain 3-tuple state | ||||
| for generating the IPv4 identification value. | ||||
| b. If the packet is greater than 1280 bytes, the translator | ||||
| SHOULD set the IPv4 DF bit to 1. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| is formally replaced with: | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| A number of studies (see e.g. ) indicate that it not unusual for networks | ||||
| to drop ICMPv6 Packet Too Big error messages. Such packet drops will | ||||
| result in PMTUD blackholes [RFC2923], which can only be overcome with | ||||
| PLPMTUD [RFC4821]. | ||||
| ---------------- cut here -------------- cut here ---------------- | ||||
| 7. IANA Considerations | ||||
| There are no IANA registries within this document. The RFC-Editor | There are no IANA registries within this document. The RFC-Editor | |||
| can remove this section before publication of this document as an | can remove this section before publication of this document as an | |||
| RFC. | RFC. | |||
| 8. Security Considerations | 7. Security Considerations | |||
| This document describes a Denial of Service (DoS) attack vector that | This document describes a Denial of Service (DoS) attack vector that | |||
| leverages the widespread filtering of IPv6 fragments in the public | leverages the widespread filtering of IPv6 fragments in the public | |||
| Internet by means of ICMPv6 PTB error messages. Additionally, it | Internet by means of ICMPv6 PTB error messages. Additionally, it | |||
| formally updates [RFC2460] such that this attack vector is | formally updates [RFC2460] such that this attack vector is | |||
| eliminated, and also formally updated [RFC6145] such that it does not | eliminated. | |||
| rely on IPv6 atomic fragments. | ||||
| 9. Acknowledgements | 8. Acknowledgements | |||
| The authors would like to thank (in alphabetical order) Alberto | The authors would like to thank (in alphabetical order) Alberto | |||
| Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar, | Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar, | |||
| and Erik Nordmark, for providing valuable comments on earlier | and Erik Nordmark, for providing valuable comments on earlier | |||
| versions of this document. | versions of this document. | |||
| Fernando Gont would like to thank Jan Zorz and Go6 Lab | Fernando Gont would like to thank Fernando Gont would like to thank | |||
| <http://go6lab.si/> for providing access to systems and networks that | Jan Zorz / Go6 Lab <http://go6lab.si/>, and Jared Mauch / NTT | |||
| were employed to produce some of tests that resulted in the | America, for providing access to systems and networks that were | |||
| publication of this document. Additionally, he would like to thank | employed to produce some of tests that resulted in the publication of | |||
| SixXS <https://www.sixxs.net> for providing IPv6 connectivity. | this document. Additionally, he would like to thank SixXS | |||
| <https://www.sixxs.net> for providing IPv6 connectivity. | ||||
| 10. References | 9. References | |||
| 10.1. Normative References | 9.1. Normative References | |||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, December 1998. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | |||
| Message Protocol (ICMPv6) for the Internet Protocol | Message Protocol (ICMPv6) for the Internet Protocol | |||
| Version 6 (IPv6) Specification", RFC 4443, March 2006. | Version 6 (IPv6) Specification", RFC 4443, March 2006. | |||
| skipping to change at page 15, line 42 | skipping to change at page 8, line 19 | |||
| [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU | [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU | |||
| Discovery", RFC 4821, March 2007. | Discovery", RFC 4821, March 2007. | |||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| September 2007. | September 2007. | |||
| [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation | [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation | |||
| Algorithm", RFC 6145, April 2011. | Algorithm", RFC 6145, April 2011. | |||
| 10.2. Informative References | 9.2. Informative References | |||
| [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC | [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC | |||
| 2923, September 2000. | 2923, September 2000. | |||
| [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path | [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path | |||
| Algorithm", RFC 2992, November 2000. | Algorithm", RFC 2992, November 2000. | |||
| [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. | [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. | |||
| [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. | [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. | |||
| skipping to change at page 16, line 19 | skipping to change at page 8, line 43 | |||
| [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful | [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful | |||
| NAT64: Network Address and Protocol Translation from IPv6 | NAT64: Network Address and Protocol Translation from IPv6 | |||
| Clients to IPv4 Servers", RFC 6146, April 2011. | Clients to IPv4 Servers", RFC 6146, April 2011. | |||
| [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC | [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC | |||
| 6946, May 2013. | 6946, May 2013. | |||
| [I-D.ietf-6man-predictable-fragment-id] | [I-D.ietf-6man-predictable-fragment-id] | |||
| Gont, F., "Security Implications of Predictable Fragment | Gont, F., "Security Implications of Predictable Fragment | |||
| Identification Values", draft-ietf-6man-predictable- | Identification Values", draft-ietf-6man-predictable- | |||
| fragment-id-05 (work in progress), April 2015. | fragment-id-08 (work in progress), June 2015. | |||
| [I-D.gont-v6ops-ipv6-ehs-in-real-world] | [I-D.ietf-v6ops-ipv6-ehs-in-real-world] | |||
| Gont, F., Linkova, J., Chown, T., and W. Will, | Gont, F., Linkova, J., Chown, T., and S. LIU, | |||
| "Observations on IPv6 EH Filtering in the Real World", | "Observations on IPv6 EH Filtering in the Real World", | |||
| draft-gont-v6ops-ipv6-ehs-in-real-world-02 (work in | draft-ietf-v6ops-ipv6-ehs-in-real-world-00 (work in | |||
| progress), March 2015. | progress), April 2015. | |||
| [Morbitzer] | [Morbitzer] | |||
| Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. | Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. | |||
| Thesis number: 670. Department of Computing Science, | Thesis number: 670. Department of Computing Science, | |||
| Radboud University Nijmegen. August 2013, | Radboud University Nijmegen. August 2013, | |||
| <https://www.ru.nl/publish/pages/578936/ | <https://www.ru.nl/publish/pages/578936/ | |||
| m_morbitzer_masterthesis.pdf>. | m_morbitzer_masterthesis.pdf>. | |||
| Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic | Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic | |||
| Fragments | Fragments | |||
| End of changes. 30 change blocks. | ||||
| 366 lines changed or deleted | 72 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||