IPv6 Stateless Fragmentation Identification Options

Fragmented IPv6 packets are often dropped because there is no way to identify whether a fragment matches a otherwise permitted packet as the L4 header information is not available on all the fragments. The document defines hop-by-hop options that can be used to supply the missing information in non initial fragments. The informtion required differs depending upon the L4 packet. For TCP and UDP the source and destination ports are needed. For ICMP the type of ICMP packet is needed. These options are expected to be used by middle boxes (firewalls and loadbalancers) and end nodes.

For TCP and UDP a skippable hop-by-hop option (for backwards compatibilty) containing the source and destination ports from the TCP and UDP headers is needed. To permit the use of NATs, however undesired, the option contents are marked changable enroute. The option code has nmemonic PORTS and value (TBD) and is added to all fragments of UDP and TCP packets when they are fragmented. By adding the option to all fragments you reduce the amount of fragmentation reassembly failures that would result if you only added the option to non-initial fragments and were dropping non-initial fragments without this option.

0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0|0|1| (TBD) | 4 | source port | +---------------+---------------+---------------+---------------+ | destination port | +-------------------------------+

The use of these options will expose nodes to more fragmention based attacks and potentually more traffic which will ultimately be dropped if a attacker can guess which option values will be permitted. With the exception of the fragmentation based attacks, permitting fragments with these options is no worse that permitting multiple unfragmented packets based in the same parameters.