draft-ietf-6man-deprecate-atomfrag-generation-07.txt   draft-ietf-6man-deprecate-atomfrag-generation-08.txt 
IPv6 maintenance Working Group (6man) F. Gont IPv6 maintenance Working Group (6man) F. Gont
Internet-Draft SI6 Networks / UTN-FRH Internet-Draft SI6 Networks / UTN-FRH
Intended status: Informational W. Liu Intended status: Informational W. Liu
Expires: January 18, 2017 Huawei Technologies Expires: March 16, 2017 Huawei Technologies
T. Anderson T. Anderson
Redpill Linpro Redpill Linpro
July 17, 2016 September 12, 2016
Generation of IPv6 Atomic Fragments Considered Harmful Generation of IPv6 Atomic Fragments Considered Harmful
draft-ietf-6man-deprecate-atomfrag-generation-07 draft-ietf-6man-deprecate-atomfrag-generation-08
Abstract Abstract
This document discusses the security implications of the generation This document discusses the security implications of the generation
of IPv6 atomic fragments and a number of interoperability issues of IPv6 atomic fragments and a number of interoperability issues
associated with IPv6 atomic fragments, and concludes that the associated with IPv6 atomic fragments, and concludes that the
aforementioned functionality is undesirable, thus documenting the aforementioned functionality is undesirable, thus documenting the
motivation for removing this functionality in the revision of the motivation for removing this functionality in the revision of the
core IPv6 protocol specification. core IPv6 protocol specification.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 18, 2017. This Internet-Draft will expire on March 16, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Security Implications of the Generation of IPv6 Atomic 2. Security Implications of the Generation of IPv6 Atomic
Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Additional Considerations . . . . . . . . . . . . . . . . . . 5 3. Additional Considerations . . . . . . . . . . . . . . . . . . 5
4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Small Survey of OSes that Fail to Produce IPv6 Appendix A. Small Survey of OSes that Fail to Produce IPv6
Atomic Fragments . . . . . . . . . . . . . . . . . . 10 Atomic Fragments . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
skipping to change at page 3, line 23 skipping to change at page 3, line 23
of Service (DoS) attack vector that leverages the widespread of Service (DoS) attack vector that leverages the widespread
filtering of IPv6 fragments in the public Internet. Section 3 filtering of IPv6 fragments in the public Internet. Section 3
provides additional considerations regarding the usefulness of provides additional considerations regarding the usefulness of
generating IPv6 atomic fragments. generating IPv6 atomic fragments.
2. Security Implications of the Generation of IPv6 Atomic Fragments 2. Security Implications of the Generation of IPv6 Atomic Fragments
The security implications of IP fragmentation have been discussed at The security implications of IP fragmentation have been discussed at
length in [RFC6274] and [RFC7739]. An attacker can leverage the length in [RFC6274] and [RFC7739]. An attacker can leverage the
generation of IPv6 atomic fragments to trigger the use of generation of IPv6 atomic fragments to trigger the use of
fragmentation in an arbitrary IPv6 flow and subsequently perform any fragmentation in an arbitrary IPv6 flow (in scenarios in which actual
fragmentation of packets is not needed), and subsequently perform any
fragmentation-based attack against legacy IPv6 nodes that do not fragmentation-based attack against legacy IPv6 nodes that do not
implement [RFC6946]. implement [RFC6946]. That is, employing fragmentation where not
actually needed allows for fragmentation-based attack vectors to be
employed, unnecessarily.
Unfortunately, even nodes that already implement [RFC6946] can be We note that, Unfortunately, even nodes that already implement
subject to DoS attacks as a result of the generation of IPv6 atomic [RFC6946] can be subject to DoS attacks as a result of the generation
fragments. Let us assume that Host A is communicating with Server B, of IPv6 atomic fragments. Let us assume that Host A is communicating
and that, as a result of the widespread dropping of IPv6 packets that with Server B, and that, as a result of the widespread dropping of
contain extension headers (including fragmentation) [RFC7872], some IPv6 packets that contain extension headers (including fragmentation)
intermediate node filters fragments between Host A and Server B. If [RFC7872], some intermediate node filters fragments between Server B
an attacker sends a forged ICMPv6 "Packet Too Big" (PTB) error and Host A. If an attacker sends a forged ICMPv6 "Packet Too Big"
message to server B, reporting an MTU smaller than 1280, this will (PTB) error message to server B, reporting an MTU smaller than 1280,
trigger the generation of IPv6 atomic fragments from that moment on this will trigger the generation of IPv6 atomic fragments from that
(as required by [RFC2460]). When server B starts sending IPv6 atomic moment on (as required by [RFC2460]). When server B starts sending
fragments (in response to the received ICMPv6 PTB), these packets IPv6 atomic fragments (in response to the received ICMPv6 PTB), these
will be dropped, since we previously noted that IPv6 packets with packets will be dropped, since we previously noted that IPv6 packets
extension headers were being dropped between Host A and Server B. with extension headers were being dropped between Server B and Host
Thus, this situation will result in a Denial of Service (DoS) A. Thus, this situation will result in a Denial of Service (DoS)
scenario. scenario.
Another possible scenario is that in which two BGP peers are Another possible scenario is that in which two BGP peers are
employing IPv6 transport, and they implement Access Control Lists employing IPv6 transport, and they implement Access Control Lists
(ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If
the aforementioned BGP peers drop IPv6 fragments but still honor the aforementioned BGP peers drop IPv6 fragments but still honor
received ICMPv6 Packet Too Big error messages, an attacker could received ICMPv6 Packet Too Big error messages, an attacker could
easily attack the peering session by simply sending an ICMPv6 PTB easily attack the peering session by simply sending an ICMPv6 PTB
message with a reported MTU smaller than 1280 bytes. Once the attack message with a reported MTU smaller than 1280 bytes. Once the attack
packet has been sent, the aforementioned routers will themselves be packet has been sent, the aforementioned routers will themselves be
skipping to change at page 5, line 25 skipping to change at page 5, line 25
2. The ability of the nodes receiving ICMPv6 PTB messages reporting 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
an MTU smaller than 1280 bytes to actually produce atomic an MTU smaller than 1280 bytes to actually produce atomic
fragments fragments
3. Support for IPv6 fragmentation on the IPv6 side of the translator 3. Support for IPv6 fragmentation on the IPv6 side of the translator
4. The ability of the translator implementation to access the 4. The ability of the translator implementation to access the
information conveyed by the IPv6 Fragment Header information conveyed by the IPv6 Fragment Header
5. The value extracted from the low-order 16-bits of the IPv6
fragment Identification resulting in an appropriate IPv4
Identification value
Unfortunately, Unfortunately,
1. There exists a fair share of evidence of ICMPv6 Packet Too Big 1. There exists a fair share of evidence of ICMPv6 Packet Too Big
messages being dropped on the public Internet (for instance, that messages being dropped on the public Internet (for instance, that
is one of the reasons for which PLPMTUD [RFC4821] was produced). is one of the reasons for which PLPMTUD [RFC4821] was produced).
Therefore, relying on such messages being successfully delivered Therefore, relying on such messages being successfully delivered
will affect the robustness of the protocol that relies on them. will affect the robustness of the protocol that relies on them.
2. A number of IPv6 implementations have been known to fail to 2. A number of IPv6 implementations have been known to fail to
generate IPv6 atomic fragments in response to ICMPv6 PTB messages generate IPv6 atomic fragments in response to ICMPv6 PTB messages
skipping to change at page 6, line 12 skipping to change at page 6, line 14
unnecessarily, in a Denial of Service situation even in unnecessarily, in a Denial of Service situation even in
legitimate cases. legitimate cases.
4. The packet-handling API at the node where the translator is 4. The packet-handling API at the node where the translator is
running may obscure fragmentation-related information. In such running may obscure fragmentation-related information. In such
scenarios, the information conveyed by the Fragment Header may be scenarios, the information conveyed by the Fragment Header may be
unavailable to the translator. [JOOL] discusses a sample unavailable to the translator. [JOOL] discusses a sample
framework (Linux Netfilter) that hinders access to the framework (Linux Netfilter) that hinders access to the
information conveyed in IPv6 atomic fragments. information conveyed in IPv6 atomic fragments.
5. While [RFC2460] requires that the IPv6 fragment Identification of
a fragmented packet be different that of any other fragmented
packet sent recently with the same Source Address and Destination
Address, there is no requirement on the low-order 16-bits of such
value. Thus, there is no guarantee that, by employing the low-
order 16-bits of the IPv6 fragment Identification of a packet
sent by a source host, IPv4 fragment identification collisions
will be avoided or reduced. Besides, collisions might occur
where two distinct IPv6 Destination Addresses are translated into
the same IPv4 address, such that Identification values that might
have been generated to be unique in the IPv6 context end up
colliding when used in the translated IPv4 context.
We note that SIIT essentially employs the Fragment Header of IPv6 We note that SIIT essentially employs the Fragment Header of IPv6
atomic fragments to signal the translator how to set the DF bit of atomic fragments to signal the translator how to set the DF bit of
IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a
Fragment Header, and is otherwise set to 1 when the IPv6 packet does Fragment Header, and is otherwise set to 1 when the IPv6 packet does
not contain an IPv6 Fragment Header). Additionally, the translator not contain an IPv6 Fragment Header). Additionally, the translator
will employ the low-order 16-bits of the IPv6 Fragment Identification will employ the low-order 16-bits of the IPv6 Fragment Identification
for setting the IPv4 Fragment Identification. At least in theory, for setting the IPv4 Fragment Identification. At least in theory,
this is expected to reduce the IPv4 Identification collision rate in this is expected to reduce the IPv4 Identification collision rate in
the following specific scenario: the following specific scenario:
skipping to change at page 6, line 36 skipping to change at page 6, line 51
Path MTU of 1280, due to an option-less IPv4 header being 20 Path MTU of 1280, due to an option-less IPv4 header being 20
bytes shorter than the IPv6 header. bytes shorter than the IPv6 header.
3. ECMP routing [RFC2992] with more than one translator is employed 3. ECMP routing [RFC2992] with more than one translator is employed
for e.g., redundancy purposes. for e.g., redundancy purposes.
In such a scenario, if each translator were to select the IPv4 In such a scenario, if each translator were to select the IPv4
Identification on its own (rather than selecting the IPv4 Identification on its own (rather than selecting the IPv4
Identification from the low-order 16-bits of the Fragment Identification from the low-order 16-bits of the Fragment
Identification of IPv6 atomic fragments), this could possibly lead to Identification of IPv6 atomic fragments), this could possibly lead to
IPv4 Identification collisions. However, since a number of IPv4 Identification collisions. However, as noted above, the value
implementations set the IPv6 Fragment Identification according to the extracted from the low-order 16-bits of the IPv6 fragment
output of a Pseudo-Random Number Generator (PRNG) (see Appendix B of Identification might not result in an appropriate IPv4
[RFC7739]) and the translator only employs the low-order 16-bits of identification: for example, a number of implementations set the IPv6
such value, it is very unlikely that relying on the Fragment Fragment Identification according to the output of a Pseudo-Random
Identification of the IPv6 atomic fragment will result in a reduced Number Generator (PRNG) (see Appendix B of [RFC7739]); hence,if the
IPv4 Identification collision rate (when compared to the case where translator only employs the low-order 16-bits of such value, it is
the translator selects each IPv4 Identification on its own). very unlikely that relying on the Fragment Identification of the IPv6
Besides, because of the limited sized of the IPv4 identification atomic fragment will result in a reduced IPv4 Identification
field, it is nevertheless virtually impossible to guarantee collision rate (when compared to the case where the translator
uniqueness of the IPv4 identification values without artificially selects each IPv4 Identification on its own). Besides, because of
limiting the data rate of fragmented traffic [RFC6864] [RFC4963]. the limited sized of the IPv4 identification field, it is
nevertheless virtually impossible to guarantee uniqueness of the IPv4
identification values without artificially limiting the data rate of
fragmented traffic [RFC6864] [RFC4963].
[RFC6145] was the only "consumer" of IPv6 atomic fragments, and it [RFC6145] was the only "consumer" of IPv6 atomic fragments, and it
correctly and diligently noted (in Section 6) the possible correctly and diligently noted (in Section 6) the possible
interoperability problems of relying on IPv6 atomic fragments, interoperability problems of relying on IPv6 atomic fragments,
proposing a workaround that led to more robust behavior and proposing a workaround that led to more robust behavior and
simplified code. [RFC6145] has been obsoleted by [RFC7915], such simplified code. [RFC6145] has been obsoleted by [RFC7915], such
that SIIT does not rely on IPv6 atomic fragments. that SIIT does not rely on IPv6 atomic fragments.
Finally, we believe that IPv4 links with an MTU smaller than 1260
bytes are very uncommonly found in the modern Internet. At the same
time, we note that the sole purpose of IPv6 atomic fragments is to
make such links compatible with IPv4/IPv6 translation. We surmise,
therefore, that IPv6 atomic fragments are useful in only a minuscule
number of "real world" situations.
4. Conclusions 4. Conclusions
Taking all of the above considerations into account, we recommend Taking all of the above considerations into account, we recommend
that IPv6 atomic fragments be deprecated. that IPv6 atomic fragments be deprecated.
In particular: In particular:
o IPv4/IPv6 translators should be updated to not generate ICMPv6 o IPv4/IPv6 translators should be updated to not generate ICMPv6
Packet Too Big errors containing a Path MTU value smaller than the Packet Too Big errors containing a Path MTU value smaller than the
minimum IPv6 MTU of 1280 bytes. This will ensure that current minimum IPv6 MTU of 1280 bytes. This will ensure that current
skipping to change at page 7, line 42 skipping to change at page 8, line 8
We note that these recommendations have been incorporated in We note that these recommendations have been incorporated in
[I-D.ietf-6man-rfc1981bis], [I-D.ietf-6man-rfc2460bis] and [RFC7915]. [I-D.ietf-6man-rfc1981bis], [I-D.ietf-6man-rfc2460bis] and [RFC7915].
5. IANA Considerations 5. IANA Considerations
There are no IANA registries within this document. There are no IANA registries within this document.
6. Security Considerations 6. Security Considerations
This document briefly discusses the security implications of the This document briefly discusses the security implications of the
generation of IPv6 atomic fragments, and describes a specific Denial generation of IPv6 atomic fragments, and describes one specific
of Service (DoS) attack vector that leverages the widespread Denial of Service (DoS) attack vector that leverages the widespread
filtering of IPv6 fragments in the public Internet. It concludes filtering of IPv6 fragments in the public Internet. It concludes
that the generation of IPv6 atomic fragments is an undesirable that the generation of IPv6 atomic fragments is an undesirable
feature, and documents the motivation for removing this functionality feature, and documents the motivation for removing this functionality
from [I-D.ietf-6man-rfc2460bis]. from [I-D.ietf-6man-rfc2460bis].
7. Acknowledgements 7. Acknowledgements
The authors would like to thank (in alphabetical order) Congxiao Bao, The authors would like to thank (in alphabetical order) Congxiao Bao,
Carlos Jesus Bernardos Cano, Bob Briscoe, Brian Carpenter, Tatuya Carlos Jesus Bernardos Cano, Bob Briscoe, Brian Carpenter, Tatuya
Jinmei, Bob Hinden, Alberto Leiva, Ted Lemon, Xing Li, Jeroen Massar, Jinmei, Bob Hinden, Alberto Leiva, Ted Lemon, Xing Li, Jeroen Massar,
Erik Nordmark, Qiong Sun, Ole Troan, Tina Tsou, and Bernie Volz, for Erik Nordmark, Joe Touch, Qiong Sun, Ole Troan, Tina Tsou, and Bernie
providing valuable comments on earlier versions of this document. Volz, for providing valuable comments on earlier versions of this
document.
Fernando Gont would like to thank Jan Zorz / Go6 Lab Fernando Gont would like to thank Jan Zorz / Go6 Lab
<http://go6lab.si/>, and Jared Mauch / NTT America, for providing <http://go6lab.si/>, and Jared Mauch / NTT America, for providing
access to systems and networks that were employed to produce some of access to systems and networks that were employed to produce some of
the tests that resulted in the publication of this document. the tests that resulted in the publication of this document.
Additionally, he would like to thank SixXS <https://www.sixxs.net> Additionally, he would like to thank SixXS <https://www.sixxs.net>
for providing IPv6 connectivity. for providing IPv6 connectivity.
8. References 8. References
 End of changes. 14 change blocks. 
44 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/