idnits 2.17.1
draft-gont-6man-deprecate-atomfrag-generation-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There is 1 instance of too long lines in the document, the longest one
being 4 characters in excess of 72.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2460, updated by this document, for
RFC5378 checks: 1997-07-30)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (August 27, 2014) is 3523 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'RFC1191' is mentioned on line 386, but not defined
== Missing Reference: 'RFC1883' is mentioned on line 405, but not defined
** Obsolete undefined reference: RFC 1883 (Obsoleted by RFC 2460)
== Missing Reference: 'RFC4963' is mentioned on line 573, but not defined
== Missing Reference: 'RFC0791' is mentioned on line 460, but not defined
== Missing Reference: 'RFC4890' is mentioned on line 542, but not defined
== Missing Reference: 'RFC6144' is mentioned on line 539, but not defined
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915)
== Outdated reference: A later version (-10) exists of
draft-ietf-6man-predictable-fragment-id-01
== Outdated reference: A later version (-02) exists of
draft-gont-v6ops-ipv6-ehs-in-real-world-00
Summary: 4 errors (**), 0 flaws (~~), 9 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 2460, 6145 (if approved) W. Liu
5 Intended status: Standards Track Huawei Technologies
6 Expires: February 28, 2015 T. Anderson
7 Redpill Linpro
8 August 27, 2014
10 Deprecating the Generation of IPv6 Atomic Fragments
11 draft-gont-6man-deprecate-atomfrag-generation-01
13 Abstract
15 The core IPv6 specification requires that when a host receives an
16 ICMPv6 "Packet Too Big" message reporting a "Next-Hop MTU" smaller
17 than 1280, the host includes a Fragment Header in all subsequent
18 packets sent to that destination, without reducing the assumed Path-
19 MTU. The simplicity with which ICMPv6 "Packet Too Big" messages can
20 be forged, coupled with the widespread filtering of IPv6 fragments,
21 results in an attack vector that can be leveraged for Denial of
22 Service purposes. This document briefly discusses the aforementioned
23 attack vector, and formally updates RFC2460 such that generation of
24 IPv6 atomic fragments is deprecated, thus eliminating the
25 aforementioned attack vector. Additionally, it formally updates
26 RFC6145 such that the Stateless IP/ICMP Translation Algorithm (SIIT)
27 does not rely on the generation of IPv6 atomic fragments, thus
28 improving the robustness of the protocol.
30 Status of This Memo
32 This Internet-Draft is submitted in full conformance with the
33 provisions of BCP 78 and BCP 79.
35 Internet-Drafts are working documents of the Internet Engineering
36 Task Force (IETF). Note that other groups may also distribute
37 working documents as Internet-Drafts. The list of current Internet-
38 Drafts is at http://datatracker.ietf.org/drafts/current/.
40 Internet-Drafts are draft documents valid for a maximum of six months
41 and may be updated, replaced, or obsoleted by other documents at any
42 time. It is inappropriate to use Internet-Drafts as reference
43 material or to cite them other than as "work in progress."
45 This Internet-Draft will expire on February 28, 2015.
47 Copyright Notice
49 Copyright (c) 2014 IETF Trust and the persons identified as the
50 document authors. All rights reserved.
52 This document is subject to BCP 78 and the IETF Trust's Legal
53 Provisions Relating to IETF Documents
54 (http://trustee.ietf.org/license-info) in effect on the date of
55 publication of this document. Please review these documents
56 carefully, as they describe your rights and restrictions with respect
57 to this document. Code Components extracted from this document must
58 include Simplified BSD License text as described in Section 4.e of
59 the Trust Legal Provisions and are provided without warranty as
60 described in the Simplified BSD License.
62 Table of Contents
64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
65 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
66 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3
67 4. Additional Considerations . . . . . . . . . . . . . . . . . . 5
68 5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 7
69 6. Updating RFC6145 . . . . . . . . . . . . . . . . . . . . . . 7
70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
71 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
72 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
73 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
74 10.1. Normative References . . . . . . . . . . . . . . . . . . 15
75 10.2. Informative References . . . . . . . . . . . . . . . . . 15
76 Appendix A. Small Survey of OSes that Fail to Produce IPv6
77 Atomic Fragments . . . . . . . . . . . . . . . . . . 16
78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
80 1. Introduction
82 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
83 IPv6 packets to be fragmented into smaller pieces such that they fit
84 in the Path-MTU to the intended destination(s).
86 Section 5 of [RFC2460] states that, when a host receives an ICMPv6
87 "Packet Too Big" message [RFC4443] advertising a "Next-Hop MTU"
88 smaller than 1280 (the minimum IPv6 MTU), the host is not required to
89 reduce the assumed Path-MTU, but must simply include a Fragment
90 Header in all subsequent packets sent to that destination. The
91 resulting packets will thus *not* be actually fragmented into several
92 pieces, but rather just include a Fragment Header with both the
93 "Fragment Offset" and the "M" flag set to 0 (we refer to these
94 packets as "atomic fragments"). As required by [RFC6946], these
95 atomic fragments are essentially processed by the destination host as
96 non-fragment traffic (since there are not really any fragments to be
97 reassembled). IPv6/IPv4 translators will typically employ the
98 Fragment Identification information found in the Fragment Header to
99 select an appropriate Fragment Identification value for the resulting
100 IPv4 fragments.
102 While atomic fragments might seem rather benign, there are scenarios
103 in which the generation of IPv6 atomic fragments can introduce an
104 attack vector that can be exploited for denial of service purposes.
105 Since there are concrete security implications arising from the
106 generation of IPv6 atomic fragments, and there is no real gain in
107 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
108 translators generate a Fragment Identification value themselves),
109 this document formally updates [RFC2460], forbidding the generation
110 of IPv6 atomic fragments, such that the aforementioned attack vector
111 is eliminated. Additionally, it formally updates [RFC6145] such that
112 the Stateless IP/ICMP Translation Algorithm (SIIT) does not rely on
113 the generation of IPv6 atomic fragments.
115 Section 3 describes some possible attack scenarios. Section 4
116 provides additional considerations regarding the usefulness of
117 generating IPv6 atomic fragments. Section 5 formally updates RFC2460
118 such that this attack vector is eliminated. Section 6 formally
119 updates RFC6145 such that it does not relies on the generation of
120 IPv6 atomic fragments.
122 2. Terminology
124 IPv6 atomic fragments
125 IPv6 packets that contain a Fragment Header with the Fragment
126 Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]).
128 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
129 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
130 document are to be interpreted as described in RFC 2119 [RFC2119].
132 3. Denial of Service (DoS) attack vector
134 Let us assume that Host A is communicating with Server B, and that,
135 as a result of the widespread filtering of IPv6 packets with
136 extension headers (including fragmentation)
137 [I-D.gont-v6ops-ipv6-ehs-in-real-world], some intermediate node
138 filters fragments between Host A and Server B. If an attacker sends
139 a forged ICMPv6 "Packet Too Big" (PTB) error message to server B,
140 reporting a Next-Hop MTU smaller than 1280, this will trigger the
141 generation of IPv6 atomic fragments from that moment on (as required
142 by [RFC2460]). When server B starts sending IPv6 atomic fragments
143 (in response to the received ICMPv6 PTB), these packets will be
144 dropped, since we previously noted that packets with IPv6 EHs were
145 being dropped between Host A and Server B. Thus, this situation will
146 result in a Denial of Service (DoS) scenario.
148 Another possible scenario is that in which two BGP peers are
149 employing IPv6 transport, and they implement ACLs to drop IPv6
150 fragments (to avoid control-plane attacks). If the aforementioned
151 BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet
152 Too Big error messages, an attacker could easily attack the peering
153 session by simply sending an ICMPv6 PTB message with a reported MTU
154 smaller than 1280 bytes. Once the attack packet has been fired, it
155 will be the aforementioned routers themselves the ones dropping their
156 own traffic.
158 The aforementioned attack vector is exacerbated by the following
159 factors:
161 o The attacker does not need to forge the IPv6 Source Address of his
162 attack packets. Hence, deployment of simple BCP38 filters will
163 not help as a counter-measure.
165 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
166 payload need to be forged. While one could envision filtering
167 devices enforcing BCP38-style filters on the ICMPv6 payload, the
168 use of extension (by the attacker) could make this difficult, if
169 at all possible.
171 o Many implementations fail to perform validation checks on the
172 received ICMPv6 error messages, as recommended in Section 5.2 of
173 [RFC4443] and documented in [RFC5927]. It should be noted that in
174 some cases, such as when an ICMPv6 error message has (supposedly)
175 been elicited by a connection-less transport protocol (or some
176 other connection-less protocol being encapsulated in IPv6), it may
177 be virtually impossible to perform validation checks on the
178 received ICMPv6 error messages. And, because of IPv6 extension
179 headers, the ICMPv6 payload might not even contain any useful
180 information on which to perform validation checks.
182 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
183 error messages, the Destination Cache [RFC4861] is usually updated
184 to reflect that any subsequent packets to such destination should
185 include a Fragment Header. This means that a single ICMPv6
186 "Packet Too Big" error message might affect multiple communication
187 instances (e.g., TCP connections) with such destination.
189 o As noted in Section 4, SIIT [RFC6145] is the only technology which
190 currently makes use of atomic fragments. Unfortunately, an IPv6
191 node cannot easily limit its exposure to the aforementioned attack
192 vector by only generating IPv6 atomic fragments towards IPv4
193 destinations behind a stateless translator. This is due to the
194 fact that Section 3.3 of RFC6052 [RFC6052] encourages operators to
195 use a Network-Specific Prefix (NSP) that maps the IPv4 address
196 space into IPv6. When an NSP is being used, IPv6 addresses
197 representing IPv4 nodes (reached through a stateless translator)
198 are indistinguishable from native IPv6 addresses.
200 4. Additional Considerations
202 Besides the security assessment provided in Section 3, it is
203 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
204 translating router rely on the generation of IPv6 atomic fragments.
206 Relying on the generation of IPv6 atomic fragments implies a reliance
207 on:
209 1. ICMPv6 packets arriving from the translator to the IPv6 node
211 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
212 an MTU smaller than 1280 bytes to actually produce atomic
213 fragments
215 3. Support for IPv6 fragmentation on the IPv6 side of the translator
217 Unfortunately,
219 o There exists a fair share of evidence of ICMPv6 Packet Too Big
220 messages being dropped on the public Internet (for instance, that
221 is one of the reasons for which PLPMTUD [RFC4821] was produced).
222 Therefore, relying on such messages being successfully delivered
223 will affect the robustness of the protocol that relies on them.
225 o A number of IPv6 implementations have been known to fail to
226 generate IPv6 atomic fragments in response to ICMPv6 PTB messages
227 reporting an MTU smaller than 1280 bytes (see Appendix A for a
228 small survey). Additionally, results included in Section 6 of
229 [RFC6145] note that 57% of the tested web servers failed to
230 produce IPv6 atomic fragments in response to ICMPv6 PTB messages
231 reporting an MTU smaller than 1280 bytes. Thus, any protocol
232 relying on IPv6 atomic fragment generation for proper functioning
233 will have interoperability problems with the aforementioned IPv6
234 stacks.
236 o IPv6 atomic fragment generation represents a case in which
237 fragmented traffic is produced where otherwise it would not be
238 needed. Since there is widespread filtering of IPv6 fragments in
239 the public Internet [I-D.gont-v6ops-ipv6-ehs-in-real-world], this
240 would mean that the (unnecessary) use of IPv6 fragmentation might
241 result, unnecessarily, in a Denial of Service situation even in
242 legitimate cases.
244 Finally, we note that SIIT essentially employs the Fragment Header of
245 IPv6 atomic fragments to signal the translator how to set the DF bit
246 of IPv4 datagrams (the DF bit is cleared when the IPv6 packet
247 contains a Fragment Header, and is otherwise set to 1 when the IPv6
248 packet does not contain an IPv6 Fragment Header). Additionally, the
249 translator will employ the low-order 16-bits of the IPv6 Fragment
250 Identification for setting the IPv4 Fragment Identification. At
251 least in theory, this is expected to reduce the Fragment ID collision
252 rate in the following specific scenario:
254 1. An IPv6 node communicates with an IPv4 node (through SIIT)
256 2. The IPv4 node is located behind an IPv4 link with an MTU < 1260
258 3. ECMP routing [RFC2992] with more than one translator are employed
259 for e.g., redundancy purposes
261 In such a scenario, if each translator were to select the IPv4
262 Fragment Identification on its own (rather than selecting the IPv4
263 Fragment ID from the low-order 16-bits of the Fragment Identification
264 of atomic fragments), this could possibly lead to IPv4 Fragment ID
265 collisions. However, since a number of implementations set IPv6
266 Fragment ID according to the output of a Pseudo-Random Number
267 Generator (PRNG) (see Appendix B of
268 [I-D.ietf-6man-predictable-fragment-id]) and the translator only
269 employs the low-order 16-bits of such value, it is very unlikely that
270 relying on the Fragment ID of the IPv6 atomic fragment will result in
271 a reduced Fragment ID collision rate (when compared to the case where
272 the translator selects each IPv4 Fragment ID on its own).
274 Finally, we note that [RFC6145] is currently the only "consumer" of
275 IPv6 atomic fragments, and it correctly and diligently notes (in
276 Section 6) the possible interoperability problems of relying on IPv6
277 atomic fragments, proposing as a workaround something very similar to
278 what we propose in Section 6. We believe that, by making the more
279 robust behavior the default behavior of the "IP/ICMP Translation
280 Algorithm", robustness is improved, and the corresponding code is
281 simplified.
283 5. Updating RFC2460
285 The following text from Section 5 of [RFC2460]:
287 "In response to an IPv6 packet that is sent to an IPv4 destination
288 (i.e., a packet that undergoes translation from IPv6 to IPv4), the
289 originating IPv6 node may receive an ICMP Packet Too Big message
290 reporting a Next-Hop MTU less than 1280. In that case, the IPv6
291 node is not required to reduce the size of subsequent packets to
292 less than 1280, but must include a Fragment header in those
293 packets so that the IPv6-to-IPv4 translating router can obtain a
294 suitable Identification value to use in resulting IPv4 fragments.
295 Note that this means the payload may have to be reduced to 1232
296 octets (1280 minus 40 for the IPv6 header and 8 for the Fragment
297 header), and smaller still if additional extension headers are
298 used."
300 is formally replaced with:
302 "An IPv6 node that receives an ICMPv6 Packet Too Big error message
303 that reports a Next-Hop MTU smaller than 1280 bytes (the minimum
304 IPv6 MTU) MUST NOT include a Fragment header in subsequent packets
305 sent to the corresponding destination. That is, IPv6 nodes MUST
306 NOT generate IPv6 atomic fragments."
308 6. Updating RFC6145
310 The following text from Section 4 (Translating from IPv4 to IPv6) of
311 [RFC6145]:
313 ---------------- cut here -------------- cut here ----------------
314 When the IPv4 sender does not set the DF bit, the translator SHOULD
315 always include an IPv6 Fragment Header to indicate that the sender
316 allows fragmentation. The translator MAY provide a configuration
317 function that allows the translator not to include the Fragment
318 Header for the non-fragmented IPv6 packets.
320 The rules in Section 4.1 ensure that when packets are fragmented,
321 either by the sender or by IPv4 routers, the low-order 16 bits of the
322 fragment identification are carried end-to-end, ensuring that packets
323 are correctly reassembled. In addition, the rules in Section 4.1 use
324 the presence of an IPv6 Fragment Header to indicate that the sender
325 might not be using path MTU discovery (i.e., the packet should not
326 have the DF flag set should it later be translated back to IPv4).
327 ---------------- cut here -------------- cut here ----------------
329 is formally replaced with:
331 ---------------- cut here -------------- cut here ----------------
332 The rules in Section 4.1 ensure that when packets are fragmented,
333 either by the sender or by IPv4 routers, the low-order 16 bits of the
334 fragment identification are carried end-to-end, ensuring that packets
335 are correctly reassembled.
336 ---------------- cut here -------------- cut here ----------------
338 The following text from Section 4.1 ("Translating IPv4 Headers into
339 IPv6 Headers") of [RFC6145]:
341 ---------------- cut here -------------- cut here ----------------
342 If there is a need to add a Fragment Header (the DF bit is not set or
343 the packet is a fragment), the header fields are set as above with
344 the following exceptions:
345 ---------------- cut here -------------- cut here ----------------
347 is formally replaced with:
349 ---------------- cut here -------------- cut here ----------------
350 If there is a need to add a Fragment Header (the packet is a
351 fragment), the header fields are set as above with the following
352 exceptions:
353 ---------------- cut here -------------- cut here ----------------
355 The following text from Section 4.2 ("Translating ICMPv4 Headers into
356 ICMPv6 Headers") of [RFC6145]:
358 ---------------- cut here -------------- cut here ----------------
359 Code 4 (Fragmentation Needed and DF was Set): Translate to
360 an ICMPv6 Packet Too Big message (Type 2) with Code set
361 to 0. The MTU field MUST be adjusted for the difference
362 between the IPv4 and IPv6 header sizes, i.e.,
363 minimum(advertised MTU+20, MTU_of_IPv6_nexthop,
364 (MTU_of_IPv4_nexthop)+20). Note that if the IPv4 router
365 set the MTU field to zero, i.e., the router does not
366 implement [RFC1191], then the translator MUST use the
367 plateau values specified in [RFC1191] to determine a
368 likely path MTU and include that path MTU in the ICMPv6
369 packet. (Use the greatest plateau value that is less
370 than the returned Total Length field.)
371 ---------------- cut here -------------- cut here ----------------
373 is formally replaced with:
375 ---------------- cut here -------------- cut here ----------------
376 Code 4 (Fragmentation Needed and DF was Set): Translate to
377 an ICMPv6 Packet Too Big message (Type 2) with Code set
378 to 0. The MTU field MUST be adjusted for the difference
379 between the IPv4 and IPv6 header sizes, but MUST NOT be
380 set to a value smaller than the minimum IPv6 MTU
381 (1280 bytes). That is, it should be set to maximum(1280,
382 minimum(advertised MTU+20, MTU_of_IPv6_nexthop,
383 (MTU_of_IPv4_nexthop)+20)). Note that if the IPv4 router
384 set the MTU field to zero, i.e., the router does not
385 implement [RFC1191], then the translator MUST use the
386 plateau values specified in [RFC1191] to determine a
387 likely path MTU and include that path MTU in the ICMPv6
388 packet. (Use the greatest plateau value that is less
389 than the returned Total Length field, but that is larger
390 than or equal to 1280.)
391 ---------------- cut here -------------- cut here ----------------
393 The following text from Section 5 ("Translating from IPv6 to IPv4")
394 of [RFC6145]:
396 ---------------- cut here -------------- cut here ----------------
397 There are some differences between IPv6 and IPv4 (in the areas of
398 fragmentation and the minimum link MTU) that affect the translation.
399 An IPv6 link has to have an MTU of 1280 bytes or greater. The
400 corresponding limit for IPv4 is 68 bytes. Path MTU discovery across
401 a translator relies on ICMP Packet Too Big messages being received
402 and processed by IPv6 hosts, including an ICMP Packet Too Big that
403 indicates the MTU is less than the IPv6 minimum MTU. This
404 requirement is described in Section 5 of [RFC2460] (for IPv6's
405 1280-octet minimum MTU) and Section 5 of [RFC1883] (for IPv6's
406 previous 576-octet minimum MTU).
408 In an environment where an ICMPv4 Packet Too Big message is
409 translated to an ICMPv6 Packet Too Big message, and the ICMPv6 Packet
410 Too Big message is successfully delivered to and correctly processed
411 by the IPv6 hosts (e.g., a network owned/operated by the same entity
412 that owns/operates the translator), the translator can rely on IPv6
413 hosts sending subsequent packets to the same IPv6 destination with
414 IPv6 Fragment Headers. In such an environment, when the translator
415 receives an IPv6 packet with a Fragment Header, the translator SHOULD
416 generate the IPv4 packet with a cleared Don't Fragment bit, and with
417 its identification value from the IPv6 Fragment Header, for all of
418 the IPv6 fragments (MF=0 or MF=1).
420 In an environment where an ICMPv4 Packet Too Big message is filtered
421 (by a network firewall or by the host itself) or not correctly
422 processed by the IPv6 hosts, the IPv6 host will never generate an
423 IPv6 packet with the IPv6 Fragment Header. In such an environment,
424 the translator SHOULD set the IPv4 Don't Fragment bit. While setting
425 the Don't Fragment bit may create PMTUD black holes [RFC2923] if
426 there are IPv4 links smaller than 1260 octets, this is considered
427 safer than causing IPv4 reassembly errors [RFC4963].
428 ---------------- cut here -------------- cut here ----------------
430 is formally replaced with:
432 ---------------- cut here -------------- cut here ----------------
433 There are some differences between IPv6 and IPv4 (in the areas of
434 fragmentation and the minimum link MTU) that affect the translation.
435 An IPv6 link has to have an MTU of 1280 bytes or greater. The
436 corresponding limit for IPv4 is 68 bytes. Path MTU discovery across
437 a translator relies on ICMP Packet Too Big messages being received
438 and processed by IPv6 hosts.
440 The difference in the minimum MTUs of IPv4 and IPv6 is accommodated
441 as follows:
443 o When translating an ICMPv4 "Fragmentation Needed" packet, the
444 indicated MTU in the resulting ICMPv6 "Packet Too Big" will
445 never be set to a value lower than 1280. This ensures that the
446 IPv6 nodes will never have to encounter or handle Path MTU
447 values lower than the minimum IPv6 link MTU of 1280. See
448 Section 4.2.
450 o When the resulting IPv4 packet is smaller than or equal to 1260
451 bytes, the translator MUST send the packet with a cleared Don't
452 Fragment bit. Otherwise, the packet MUST be sent with the Don't
453 Fragment bit set. See Section 5.1.
455 This approach allows Path MTU Discovery to operate end-to-end for
456 paths whose MTU are not smaller than minimum IPv6 MTU of 1280 (which
457 corresponds to MTU of 1260 in the IPv4 domain). On paths that have
458 IPv4 links with MTU < 1260, the IPv4 router(s) connected to those
459 links will fragment the packets in accordance with Section 2.3 of
460 [RFC0791].
461 ---------------- cut here -------------- cut here ----------------
463 The following text from Section 5.1 ("Translating IPv6 Headers into
464 IPv4 Headers") of [RFC6145]:
466 ---------------- cut here -------------- cut here ----------------
467 Identification: All zero. In order to avoid black holes caused by
468 ICMPv4 filtering or non-[RFC2460]-compatible IPv6 hosts (a
469 workaround is discussed in Section 6), the translator MAY provide
470 a function to generate the identification value if the packet size
471 is greater than 88 bytes and less than or equal to 1280 bytes.
472 The translator SHOULD provide a method for operators to enable or
473 disable this function.
475 Flags: The More Fragments flag is set to zero. The Don't Fragment
476 (DF) flag is set to one. In order to avoid black holes caused by
477 ICMPv4 filtering or non-[RFC2460]-compatible IPv6 hosts (a
478 workaround is discussed in Section 6), the translator MAY provide
479 a function as follows. If the packet size is greater than 88
480 bytes and less than or equal to 1280 bytes, it sets the DF flag to
481 zero; otherwise, it sets the DF flag to one. The translator
482 SHOULD provide a method for operators to enable or disable this
483 function.
484 ---------------- cut here -------------- cut here ----------------
486 is formally replaced with:
488 ---------------- cut here -------------- cut here ----------------
489 Identification: Set according to a Fragment Identification
490 generator at the translator.
492 Flags: The More Fragments flag is set to zero. The Don't Fragment
493 (DF) flag is set as follows: If the packet size is less than or
494 equal to 1260 bytes, it is set to zero; otherwise, it is set to
495 one.
496 ---------------- cut here -------------- cut here ----------------
498 The following text from Section 5.1.1 ("IPv6 Fragment Processing") of
499 [RFC6145]:
501 ---------------- cut here -------------- cut here ----------------
502 If a translated packet with DF set to 1 will be larger than the MTU
503 of the next-hop interface, then the translator MUST drop the packet
504 and send the ICMPv6 Packet Too Big (Type 2, Code 0) error message to
505 the IPv6 host with an adjusted MTU in the ICMPv6 message.
506 ---------------- cut here -------------- cut here ----------------
508 is formally replaced with:
510 ---------------- cut here -------------- cut here ----------------
511 If an IPv6 packet that is smaller than or equal to 1280 bytes results
512 (after translation) in an IPv4 packet that is larger than the MTU of
513 the next-hop interface, then the translator MUST perform IPv4
514 fragmentation on that packet such that it can be transferred over the
515 constricting link.
516 ---------------- cut here -------------- cut here ----------------
518 Finally, the following text from 6 ("Special Considerations for
519 ICMPv6 Packet Too Big") of [RFC6145]:
521 ---------------- cut here -------------- cut here ----------------
522 Two recent studies analyzed the behavior of IPv6-capable web servers
523 on the Internet and found that approximately 95% responded as
524 expected to an IPv6 Packet Too Big that indicated MTU = 1280, but
525 only 43% responded as expected to an IPv6 Packet Too Big that
526 indicated an MTU < 1280. It is believed that firewalls violating
527 Section 4.3.1 of [RFC4890] are at fault. Both failures (the 5% wrong
528 response when MTU = 1280 and the 57% wrong response when MTU < 1280)
529 will cause PMTUD black holes [RFC2923]. Unfortunately, the
530 translator cannot improve the failure rate of the first case (MTU =
531 1280), but the translator can improve the failure rate of the second
532 case (MTU < 1280). There are two approaches to resolving the problem
533 with sending ICMPv6 messages indicating an MTU < 1280. It SHOULD be
534 possible to configure a translator for either of the two approaches.
536 The first approach is to constrain the deployment of the IPv6/IPv4
537 translator by observing that four of the scenarios intended for
538 stateless IPv6/IPv4 translators do not have IPv6 hosts on the
539 Internet (Scenarios 1, 2, 5, and 6 described in [RFC6144], which
540 refer to "An IPv6 network"). In these scenarios, IPv6 hosts, IPv6-
541 host-based firewalls, and IPv6 network firewalls can be administered
542 in compliance with Section 4.3.1 of [RFC4890] and therefore avoid the
543 problem witnessed with IPv6 hosts on the Internet.
545 The second approach is necessary if the translator has IPv6 hosts,
546 IPv6-host-based firewalls, or IPv6 network firewalls that do not (or
547 cannot) comply with Section 5 of [RFC2460] -- such as IPv6 hosts on
548 the Internet. This approach requires the translator to do the
549 following:
551 1. In the IPv4-to-IPv6 direction: if the MTU value of ICMPv4 Packet
552 Too Big (PTB) messages is less than 1280, change it to 1280.
553 This is intended to cause the IPv6 host and IPv6 firewall to
554 process the ICMP PTB message and generate subsequent packets to
555 this destination with an IPv6 Fragment Header.
557 Note: Based on recent studies, this is effective for 95% of IPv6
558 hosts on the Internet.
560 2. In the IPv6-to-IPv4 direction:
562 A. If there is a Fragment Header in the IPv6 packet, the last 16
563 bits of its value MUST be used for the IPv4 identification
564 value.
566 B. If there is no Fragment Header in the IPv6 packet:
568 a. If the packet is less than or equal to 1280 bytes:
570 - The translator SHOULD set DF to 0 and generate an IPv4
571 identification value.
573 - To avoid the problems described in [RFC4963], it is
574 RECOMMENDED that the translator maintain 3-tuple state
575 for generating the IPv4 identification value.
577 b. If the packet is greater than 1280 bytes, the translator
578 SHOULD set the IPv4 DF bit to 1.
579 ---------------- cut here -------------- cut here ----------------
581 is formally replaced with:
583 ---------------- cut here -------------- cut here ----------------
584 A number of studies (see e.g. ) indicate that it not unusual for networks
585 to drop ICMPv6 Packet Too Big error messages. Such packet drops will
586 result in PMTUD blackholes [RFC2923], which can only be overcome with
587 PLPMTUD [RFC4821].
588 ---------------- cut here -------------- cut here ----------------
590 7. IANA Considerations
592 There are no IANA registries within this document. The RFC-Editor
593 can remove this section before publication of this document as an
594 RFC.
596 8. Security Considerations
598 This document describes a Denial of Service (DoS) attack vector that
599 leverages the widespread filtering of IPv6 fragments in the public
600 Internet by means of ICMPv6 PTB error messages. Additionally, it
601 formally updates [RFC2460] such that this attack vector is
602 eliminated, and also formally updated [RFC6145] such that it does not
603 rely on IPv6 atomic fragments.
605 9. Acknowledgements
607 The authors would like to thank (in alphabetical order) Bob Briscoe,
608 Brian Carpenter, Tatuya Jinmei, Jeroen Massar, and Erik Nordmark, for
609 providing valuable comments on earlier versions of this document.
611 Fernando Gont would like to thank Jan Zorz and Go6 Lab
612 for providing access to systems and networks that
613 were employed to produce some of tests that resulted in the
614 publication of this document. Additionally, he would like to thank
615 SixXS for providing IPv6 connectivity.
617 10. References
619 10.1. Normative References
621 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
622 (IPv6) Specification", RFC 2460, December 1998.
624 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
625 Requirement Levels", BCP 14, RFC 2119, March 1997.
627 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
628 Message Protocol (ICMPv6) for the Internet Protocol
629 Version 6 (IPv6) Specification", RFC 4443, March 2006.
631 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
632 Discovery", RFC 4821, March 2007.
634 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
635 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
636 September 2007.
638 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
639 Algorithm", RFC 6145, April 2011.
641 10.2. Informative References
643 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC
644 2923, September 2000.
646 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
647 Algorithm", RFC 2992, November 2000.
649 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.
651 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
652 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
653 October 2010.
655 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC
656 6946, May 2013.
658 [I-D.ietf-6man-predictable-fragment-id]
659 Gont, F., "Security Implications of Predictable Fragment
660 Identification Values", draft-ietf-6man-predictable-
661 fragment-id-01 (work in progress), April 2014.
663 [I-D.gont-v6ops-ipv6-ehs-in-real-world]
664 Gont, F., Linkova, J., Chown, T., and W. Will, "IPv6
665 Extension Headers in the Real World", draft-gont-v6ops-
666 ipv6-ehs-in-real-world-00 (work in progress), August 2014.
668 [Morbitzer]
669 Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
670 Thesis number: 670. Department of Computing Science,
671 Radboud University Nijmegen. August 2013,
672 .
675 Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic
676 Fragments
678 [This section will probably be removed from this document before it
679 is published as an RFC].
681 This section includes a non-exhaustive list of operating systems that
682 *fail* to produce IPv6 atomic fragments. It is based on the results
683 published in [RFC6946] and [Morbitzer].
685 The following Operating Systems fail to generate IPv6 atomic
686 fragments in response to ICMPv6 PTB messages that report an MTU
687 smaller than 1280 bytes:
689 o FreeBSD 8.0
691 o Linux kernel 2.6.32
693 o Linux kernel 3.2
695 o Mac OS X 10.6.7
697 o NetBSD 5.1
699 Authors' Addresses
701 Fernando Gont
702 SI6 Networks / UTN-FRH
703 Evaristo Carriego 2644
704 Haedo, Provincia de Buenos Aires 1706
705 Argentina
707 Phone: +54 11 4650 8472
708 Email: fgont@si6networks.com
709 URI: http://www.si6networks.com
711 Will(Shucheng) Liu
712 Huawei Technologies
713 Bantian, Longgang District
714 Shenzhen 518129
715 P.R. China
717 Email: liushucheng@huawei.com
719 Tore Anderson
720 Redpill Linpro
721 Vitaminveien 1A
722 NO-0485 Oslo
723 NORWAY
725 Phone: +47 959 31 212
726 Email: tore@redpill-linpro.com