idnits 2.17.1
draft-gont-6man-deprecate-atomfrag-generation-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document updates RFC2460, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2460, updated by this document, for
RFC5378 checks: 1997-07-30)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (August 19, 2014) is 3535 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
== Outdated reference: A later version (-02) exists of
draft-gont-v6ops-ipv6-ehs-in-real-world-00
Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 2460 (if approved) W. Liu
5 Intended status: Standards Track Huawei Technologies
6 Expires: February 20, 2015 August 19, 2014
8 Deprecating the Generation of IPv6 Atomic Fragments
9 draft-gont-6man-deprecate-atomfrag-generation-00
11 Abstract
13 The core IPv6 specification requires that when a host receives an
14 ICMPv6 "Packet Too Big" message reporting a "Next-Hop MTU" smaller
15 than 1280, the host includes a Fragment Header in all subsequent
16 packets sent to that destination, without reducing the assumed Path-
17 MTU. The simplicity with which ICMPv6 "Packet Too Big" messages can
18 be forged, coupled with the widespread filtering of IPv6 fragments,
19 results in an attack vector that can be leveraged for Denial of
20 Service purposes. This document briefly discusses the aforementioned
21 attack vector, and formally deprecates the generation of IPv6 atomic
22 fragments, such that the aforementioned attack vector is eliminated.
24 Status of This Memo
26 This Internet-Draft is submitted in full conformance with the
27 provisions of BCP 78 and BCP 79.
29 Internet-Drafts are working documents of the Internet Engineering
30 Task Force (IETF). Note that other groups may also distribute
31 working documents as Internet-Drafts. The list of current Internet-
32 Drafts is at http://datatracker.ietf.org/drafts/current/.
34 Internet-Drafts are draft documents valid for a maximum of six months
35 and may be updated, replaced, or obsoleted by other documents at any
36 time. It is inappropriate to use Internet-Drafts as reference
37 material or to cite them other than as "work in progress."
39 This Internet-Draft will expire on February 20, 2015.
41 Copyright Notice
43 Copyright (c) 2014 IETF Trust and the persons identified as the
44 document authors. All rights reserved.
46 This document is subject to BCP 78 and the IETF Trust's Legal
47 Provisions Relating to IETF Documents
48 (http://trustee.ietf.org/license-info) in effect on the date of
49 publication of this document. Please review these documents
50 carefully, as they describe your rights and restrictions with respect
51 to this document. Code Components extracted from this document must
52 include Simplified BSD License text as described in Section 4.e of
53 the Trust Legal Provisions and are provided without warranty as
54 described in the Simplified BSD License.
56 Table of Contents
58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
59 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
60 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3
61 4. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 4
62 5. Additional Considerations . . . . . . . . . . . . . . . . . . 5
63 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
64 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5
65 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
66 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
67 9.1. Normative References . . . . . . . . . . . . . . . . . . 6
68 9.2. Informative References . . . . . . . . . . . . . . . . . 6
69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
71 1. Introduction
73 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
74 IPv6 packets to be fragmented into smaller pieces such that they fit
75 in the Path-MTU to the intended destination(s).
77 Section 5 of [RFC2460] states that, when a host receives an ICMPv6
78 "Packet Too Big" message [RFC4443] advertising a "Next-Hop MTU"
79 smaller than 1280 (the minimum IPv6 MTU), the host is not required to
80 reduce the assumed Path-MTU, but must simply include a Fragment
81 Header in all subsequent packets sent to that destination. The
82 resulting packets will thus *not* be actually fragmented into several
83 pieces, but rather just include a Fragment Header with both the
84 "Fragment Offset" and the "M" flag set to 0 (we refer to these
85 packets as "atomic fragments"). As required by [RFC6946], these
86 atomic fragments are essentially processed by the destination host as
87 non-fragment traffic (since there are not really any fragments to be
88 reassembled). IPv6/IPv4 translators will typically employ the
89 Fragment Identification information found in the Fragment Header to
90 select an appropriate Fragment Identification value for the resulting
91 IPv4 fragments.
93 While atomic fragments might seem rather benign, there are scenarios
94 in which the generation of IPv6 atomic fragments can introduce an
95 attack vector that can be exploited for denial of service purposes.
96 Since there are concrete security implications arising from the
97 generation of IPv6 atomic fragments, and there is no real gain in
98 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
99 translators generate a Fragment Identification value themselves),
100 this document formally updates [RFC2460], forbidding the generation
101 of IPv6 atomic fragments, such that the aforementioned attack vector
102 is eliminated.
104 Section 3 describes some possible attack scenarios. Section 5
105 provides additional considerations regarding the usefulness of
106 generating IPv6 atomic fragments. Section 4 formally updates RFC2460
107 such that this attack vector is eliminated.
109 2. Terminology
111 IPv6 atomic fragments
112 IPv6 packets that contain a Fragment Header with the Fragment
113 Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]).
115 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
116 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
117 document are to be interpreted as described in RFC 2119 [RFC2119].
119 3. Denial of Service (DoS) attack vector
121 Let us assume that Host A is communicating with Server B, and that,
122 as a result of the widespread filtering of IPv6 packets with
123 extension headers (including fragmentation)
124 [I-D.gont-v6ops-ipv6-ehs-in-real-world], some intermediate node
125 filters fragments between Host A and Server B. If an attacker sends
126 a forged ICMPv6 "Packet Too Big" (PTB) error message to server B,
127 reporting a Next-Hop MTU smaller than 1280, this will trigger the
128 generation of IPv6 atomic fragments from that moment on (as required
129 by [RFC2460]). When server server B starts sending IPv6 atomic
130 fragments (in response to the received ICMPv6 PTB), these packets
131 will be dropped, since we previously noted that packets with IPv6 EHs
132 were being dropped between Host A and Server B. Thus, this situation
133 will result in a Denial of Service (DoS) scenario.
135 Another possible scenario is that in which two BGP peers are
136 employing IPv6 transport, and they implement ACLs to drop IPv6
137 fragments (to avoid control-plane attacks). If the aforementioned
138 BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet
139 Too Big error messages, an attacker could easily attack the peering
140 session by simply sending an ICMPv6 PTB message with a reported MTU
141 smaller than 1280 bytes. Once the attack packet has been fired, it
142 will be the aforementioned routers themselves the ones dropping their
143 own traffic.
145 The aforementioned attack vector is exacerbated by the following
146 factors:
148 o The attacker does not need to forge the IPv6 Source Address of his
149 attack packets. Hence, deployment of simple BCP38 filters will
150 not help as a counter-measure.
152 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
153 payload need to be forged. While one could envision filtering
154 devices enforcing BCP38-style filters on the ICMPv6 payload, the
155 use of extension (by the attacker) could make this difficult, if
156 at all possible.
158 o Many implementations fail to perform validation checks on the
159 received ICMPv6 error messages, as recommended in Section 5.2 of
160 [RFC4443] and documented in [RFC5927]. It should be noted that in
161 some cases, such as when an ICMPv6 error message has (supposedly)
162 been elicited by a connection-less transport protocol (or some
163 other connection-less protocol being encapsulated in IPv6), it may
164 be virtually impossible to perform validation checks on the
165 received ICMPv6 error messages. And, because of IPv6 extension
166 headers, the ICMPv6 payload might not even contain any useful
167 information on which to perform validation checks.
169 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
170 error messages, the Destination Cache [RFC4861] is usually updated
171 to reflect that any subsequent packets to such destination should
172 include a Fragment Header. This means that a single ICMPv6
173 "Packet Too Big" error message might affect multiple communication
174 instances (e.g., TCP connections) with such destination.
176 4. Updating RFC2460
178 The following text from Section 5 of [RFC2460]:
180 "In response to an IPv6 packet that is sent to an IPv4 destination
181 (i.e., a packet that undergoes translation from IPv6 to IPv4), the
182 originating IPv6 node may receive an ICMP Packet Too Big message
183 reporting a Next-Hop MTU less than 1280. In that case, the IPv6
184 node is not required to reduce the size of subsequent packets to
185 less than 1280, but must include a Fragment header in those
186 packets so that the IPv6-to-IPv4 translating router can obtain a
187 suitable Identification value to use in resulting IPv4 fragments.
188 Note that this means the payload may have to be reduced to 1232
189 octets (1280 minus 40 for the IPv6 header and 8 for the Fragment
190 header), and smaller still if additional extension headers are
191 used."
193 is formally replaced with:
195 "IPv6 nodes MUST discard ICMPv6 Packet Too Big error messages that
196 report a Next-Hop MTU smaller than 1280 bytes (the minimum IPv6
197 MTU)."
199 5. Additional Considerations
201 Besides the security assessment provided in Section 3, it is
202 interesting to evaluate if there is any gain in generating IPv6
203 atomic fragments (to provide for Fragment Identification value) as
204 opposed to just let IPv6/IPv4 translators select an appropriate IPv4
205 Fragment Identification value.
207 After some analysis, one can conclude that, if anything, an IPv6/IPv4
208 translator is in a much better position to select an appropriate
209 Fragment Identification value for the packet that are to be
210 translated from the IPv6 to the IPv4 world. For instance, an IPv6
211 node will generate Fragment Identification values without any
212 knowledge of the Fragment ID values being generated by other IPv6
213 nodes employing the translator. Thus, an IPv6/IPv4 translator is in
214 a much better position to generate Fragment IDs that will not result
215 in collisions (i.e., that will not be reused for the same tuple
216 {Source Address, Destination Address}.
218 6. IANA Considerations
220 There are no IANA registries within this document. The RFC-Editor
221 can remove this section before publication of this document as an
222 RFC.
224 7. Security Considerations
226 This document describes a Denial of Service (DoS) attack vector that
227 leverages the widespread filtering of IPv6 fragments in the public
228 Internet by means of ICMPv6 PTB error messages. Additionally, it
229 formally updates [RFC2460] such that this attack vector is
230 eliminated.
232 8. Acknowledgements
234 Fernando Gont would like to thank Jan Zorz and Go6 Lab
235 for providing access to systems and networks that
236 were employed to produce some of the measurement results presented in
237 this document. Additionally, he would like to thank SixXS
238 for providing IPv6 connectivity.
240 9. References
242 9.1. Normative References
244 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
245 (IPv6) Specification", RFC 2460, December 1998.
247 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
248 Requirement Levels", BCP 14, RFC 2119, March 1997.
250 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
251 Message Protocol (ICMPv6) for the Internet Protocol
252 Version 6 (IPv6) Specification", RFC 4443, March 2006.
254 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
255 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
256 September 2007.
258 9.2. Informative References
260 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.
262 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC
263 6946, May 2013.
265 [I-D.gont-v6ops-ipv6-ehs-in-real-world]
266 Gont, F., Linkova, J., Chown, T., and W. Will, "IPv6
267 Extension Headers in the Real World", draft-gont-v6ops-
268 ipv6-ehs-in-real-world-00 (work in progress), August 2014.
270 Authors' Addresses
272 Fernando Gont
273 SI6 Networks / UTN-FRH
274 Evaristo Carriego 2644
275 Haedo, Provincia de Buenos Aires 1706
276 Argentina
278 Phone: +54 11 4650 8472
279 Email: fgont@si6networks.com
280 URI: http://www.si6networks.com
281 Will(Shucheng) Liu
282 Huawei Technologies
283 Bantian, Longgang District
284 Shenzhen 518129
285 P.R. China
287 Email: liushucheng@huawei.com