idnits 2.17.1

draft-ietf-6lo-minimal-fragment-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 244: '... does fragment forwarding MUST attempt...'

     RFC 2119 keyword, line 247: '... state MUST be removed. When a forw...'

     RFC 2119 keyword, line 248: '...rst fragment, it MUST look up state ba...'

     RFC 2119 keyword, line 250: '...s found, the fragment MUST be dropped;...'

     RFC 2119 keyword, line 251: '...ise the fragment MUST be forwarded usi...'

     (4 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (26 November 2019) is 1613 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-02) exists of
     draft-ietf-lwig-6lowpan-virtual-reassembly-01

  == Outdated reference: A later version (-21) exists of
     draft-ietf-6lo-fragment-recovery-07

     Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).
     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    6lo                                                     T. Watteyne, Ed.
3    Internet-Draft                                            Analog Devices
4    Intended status: Informational                           P. Thubert, Ed.
5    Expires: 29 May 2020                                       Cisco Systems
6                                                                  C. Bormann
7                                                     Universitaet Bremen TZI
8                                                            26 November 2019

10         On Forwarding 6LoWPAN Fragments over a Multihop IPv6 Network
11                      draft-ietf-6lo-minimal-fragment-05

13   Abstract

15      This document introduces the capability to forward 6LoWPAN fragments.
16      This method reduces the latency and increases end-to-end reliability
17      in route-over forwarding. It is the companion to using virtual
18      reassembly buffers which is a pure implementation technique.

20   Status of This Memo

22      This Internet-Draft is submitted in full conformance with the
23      provisions of BCP 78 and BCP 79.

25      Internet-Drafts are working documents of the Internet Engineering
26      Task Force (IETF). Note that other groups may also distribute
27      working documents as Internet-Drafts. The list of current Internet-
28      Drafts is at https://datatracker.ietf.org/drafts/current/.

30      Internet-Drafts are draft documents valid for a maximum of six months
31      and may be updated, replaced, or obsoleted by other documents at any
32      time. It is inappropriate to use Internet-Drafts as reference
33      material or to cite them other than as "work in progress."

35      This Internet-Draft will expire on 29 May 2020.

37   Copyright Notice

39      Copyright (c) 2019 IETF Trust and the persons identified as the
40      document authors. All rights reserved.

42      This document is subject to BCP 78 and the IETF Trust's Legal
43      Provisions Relating to IETF Documents (https://trustee.ietf.org/
44      license-info) in effect on the date of publication of this document.
45      Please review these documents carefully, as they describe your rights
46      and restrictions with respect to this document. Code Components
47      extracted from this document must include Simplified BSD License text
48      as described in Section 4.e of the Trust Legal Provisions and are
49      provided without warranty as described in the Simplified BSD License.

51   Table of Contents

53      1.  Introduction
54      2.  Overview of 6LoWPAN Fragmentation
55      3.  Limits of Per-Hop Fragmentation and Reassembly
56        3.1.  Latency
57        3.2.  Memory Management and Reliability
58      4.  Forwarding Fragments
59      5.  Virtual Reassembly Buffer (VRB) Implementation
60      6.  Security Considerations
61      7.  IANA Considerations
62      8.  Acknowledgments
63      9.  Normative References
64      10. Informative References
65      Authors' Addresses

67   1. Introduction

69      The original 6LoWPAN fragmentation is defined in [6LoWPAN] and it is
70      implicitly defined for use over a single IP hop through possibly
71      multiple Layer-2 (mesh-under) hops in a meshed 6LoWPAN Network.
72      Although [6LoWPAN-HC] updates [6LoWPAN], it does not redefine 6LoWPAN
73      fragmentation.

75      This means that over a Layer-3 (route-over) network, an IP packet is
76      expected to be reassembled at every hop at the 6LoWPAN sublayer,
77      pushed to Layer-3 to be routed, and then fragmented again if the next
78      hop is another similar 6LoWPAN link. This draft introduces an
79      alternate approach called 6LoWPAN Fragment Forwarding (FF) whereby an
80      intermediate node forwards a fragment as soon as it is received if
81      the next hop is a similar 6LoWPAN link. The routing decision is made
82      on the first fragment, which has all the IPv6 routing information.
83      The first fragment is forwarded immediately and a state is stored to
84      enable forwarding the next fragments along the same path.

86      Done right, 6LoWPAN Fragment Forwarding techniques lead to more
87      streamlined operations, less buffer bloat and lower latency. It may
88      be wasteful if some fragments are missing after the first one, since
89      the first fragment will still continue to the 6LoWPAN endpoint that
90      will attempt to perform the reassembly, and it may be misused to the
91      point that performance falls behind that of per-hop recomposition.
92      This specification provides a generic overview of FF, discusses
93      advantages and caveats, and introduces a particular 6LoWPAN Fragment
94      Forwarding technique called Virtual Reassembly Buffer that can be
95      used while conserving the message formats defined in [6LoWPAN].

97   2. Overview of 6LoWPAN Fragmentation

99      We use Figure 1 to illustrate 6LoWPAN fragmentation. We assume node
100     A forwards a packet to node B, possibly as part of a multi-hop route
101     between IPv6 source and destination nodes which are neither A nor B.

103                 +---+                     +---+
104          ... ---| A |-------------------->| B |--- ...
105                 +---+                     +---+
106                                # (frag. 5)

108               123456789                 123456789
109              +---------+               +---------+
110              |   #  ###|               |###  #   |
111              +---------+               +---------+
112                 outgoing                incoming
113              fragmentation             reassembly
114                  buffer                  buffer

116          Figure 1: Fragmentation at node A, reassembly at node B.

118     Node A starts by compacting the IPv6 packet using the header
119     compression mechanism defined in [6LoWPAN-HC]. If the resulting
120     6LoWPAN packet does not fit into a single Link-Layer frame, node A's
121     6LoWPAN sublayer cuts it into multiple 6LoWPAN fragments, which it
122     transmits as separate Link-Layer frames to node B. Node B's 6LoWPAN
123     sublayer reassembles these fragments, inflates the compressed header
124     fields back to the original IPv6 header, and hands over the full IPv6
125     packet to its IPv6 layer.

127     In Figure 1, a packet forwarded by node A to node B is cut into nine
128     fragments, numbered 1 to 9 as follows:

130     *  Each fragment is represented by the '#' symbol.

132     *  Node A has sent fragments 1, 2, 3, 5, 6 to node B.

134     *  Node B has received fragments 1, 2, 3, 6 from node A.

136     *  Fragment 5 is still being transmitted at the link layer from node
137        A to node B.

139     The reassembly buffer for 6LoWPAN is indexed in node B by:

141     *  a unique Identifier of Node A (e.g., Node A's Link-Layer address)

143     *  the datagram_tag chosen by node A for this fragmented datagram

144     Because it may be hard for node B to correlate all possible Link-
145     Layer addresses that node A may use (e.g., short vs. long addresses),
146     node A must use the same Link-Layer address to send all the fragments
147     of the same datagram to node B.

149     Conceptually, the reassembly buffer in node B contains:

151     *  a datagram_tag as received in the incoming fragments, associated
152        to the Link-Layer address of node A for which the received
153        datagram_tag is unique,

155     *  the actual packet data from the fragments received so far, in a
156        form that makes it possible to detect when the whole packet has
157        been received and can be processed or forwarded,

159     *  a state indicating the fragments already received,

161     *  a datagram_size,

163     *  a timer that allows discarding a partially reassembled packet
164        after some timeout.

166     A fragmentation header is added to each fragment; it indicates what
167     portion of the packet that fragment corresponds to. Section 5.3 of
168     [6LoWPAN] defines the format of the header for the first and
169     subsequent fragments. All fragments are tagged with a 16-bit
170     "datagram_tag", used to identify which packet each fragment belongs
171     to. Each datagram can be uniquely identified by the sender Link-
172     Layer addresses of the frame that carries it and the datagram_tag
173     that the sender allocated for this datagram. [6LoWPAN] also mandates
174     that the first fragment is sent first and with a particular format
175     that is different than that of the next fragments. Each fragment but
176     the first one can be identified within its datagram by the datagram-
177     offset.

179     Node B's typical behavior, per [6LoWPAN], is as follows. Upon
180     receiving a fragment from node A with a datagram_tag previously
181     unseen from node A, node B allocates a buffer large enough to hold
182     the entire packet. The length of the packet is indicated in each
183     fragment (the datagram_size field), so node B can allocate the buffer
184     even if the first fragment it receives is not fragment 1. As
185     fragments come in, node B fills the buffer. When all fragments have
186     been received, node B inflates the compressed header fields into an
187     IPv6 header, and hands the resulting IPv6 packet to the IPv6 layer
188     which performs the route lookup.

190     This behavior typically results in per-hop fragmentation and
191     reassembly. That is, the packet is fully reassembled, then
192     (re)fragmented, at every hop.

194  3. Limits of Per-Hop Fragmentation and Reassembly

196     There are at least 2 limits to doing per-hop fragmentation and
197     reassembly. See [ARTICLE] for detailed simulation results on both
198     limits.

200  3.1. Latency

202     When reassembling, a node needs to wait for all the fragments to be
203     received before being able to generate the IPv6 packet, and possibly
204     forward it to the next hop. This repeats at every hop.

206     This may result in increased end-to-end latency compared to a case
207     where each fragment is forwarded without per-hop reassembly.

209  3.2. Memory Management and Reliability

211     Constrained nodes have limited memory. Assuming a reassembly buffer
212     for a 6LoWPAN MTU of 1280 bytes as defined in section 4 of [6LoWPAN],
213     typical nodes only have enough memory for 1-3 reassembly buffers.

215     To illustrate this we use the topology from Figure 2, where nodes A,
216     B, C and D all send packets through node E. We further assume that
217     node E's memory can only hold 3 reassembly buffers.

219                 +---+       +---+
220         ... --->| A |------>| B |
221                 +---+       +---+\
222                                   \
223                                   +---+    +---+
224                                   | E |--->| F | ...
225                                   +---+    +---+
226                                   /
227                                  /
228                 +---+       +---+
229         ... --->| C |------>| D |
230                 +---+       +---+

232           Figure 2: Illustrating the Memory Management Issue.

234     When nodes A, B and C concurrently send fragmented packets, all 3
235     reassembly buffers in node E are occupied. If, at that moment, node
236     D also sends a fragmented packet, node E has no option but to drop
237     one of the packets, lowering end-to-end reliability.

239  4. Forwarding Fragments

241     A 6LoWPAN Fragment Forwarding technique makes the routing decision on
242     the first fragment, which is always the one with the IPv6 address of
243     the destination. Upon a first fragment, a forwarding node (e.g. node
244     B in a A->B->C sequence) that does fragment forwarding MUST attempt
245     to create a state and forward the fragment. This is an atomic
246     operation, and if the first fragment cannot be forwarded then the
247     state MUST be removed. When a forwarding node receives a fragment
248     other than a first fragment, it MUST look up state based on the
249     source Link-Layer address and the datagram_tag in the received
250     fragment. If no such state is found, the fragment MUST be dropped;
251     otherwise the fragment MUST be forwarded using the information in the
252     state found. Since the datagram_tag is uniquely associated to the
253     source Link-Layer address of the fragment, the forwarding node MUST
254     assign a new datagram_tag from its own namespace for the next hop and
255     rewrite the fragment header of each fragment with that datagram_tag.
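
The forwarding rules above, combined with the protections the draft's Security Considerations (Section 6) ask of the state table (bounded size, a timer, pseudo-random datagram_tag), as an added Python example that is not part of the draft or of any 6LoWPAN stack. FragmentForwarder, route(), send(), the capacity of 4 and the 5-second timeout are assumptions, and dropping a repeated first fragment for an existing entry is a choice of this example that the draft does not specify.

```python
import secrets
from dataclasses import dataclass


@dataclass
class VrbEntry:
    next_hop: bytes   # Link-Layer address of the next hop, resolved on the first fragment
    out_tag: int      # datagram_tag allocated from this node's own namespace
    expires: float    # time at which the stale state is destroyed


class FragmentForwarder:
    """Hypothetical forwarder; route() and send() are supplied by the caller."""

    def __init__(self, route, send, capacity=4, timeout=5.0):
        self.route, self.send = route, send
        self.capacity, self.timeout = capacity, timeout   # assumed limits
        self.table = {}   # (source Link-Layer address, incoming datagram_tag) -> VrbEntry

    def _new_tag(self):
        # Pseudo-random 16-bit tag, unique among the tags this node has in flight.
        in_use = {e.out_tag for e in self.table.values()}
        while True:
            tag = secrets.randbelow(1 << 16)
            if tag not in in_use:
                return tag

    def on_fragment(self, src, tag, payload, now, ipv6_dst=None):
        """ipv6_dst is given only for a first fragment. Returns 'forward' or 'drop'."""
        # Destroy every entry whose timer has run out before any lookup.
        for key in [k for k, e in self.table.items() if e.expires <= now]:
            del self.table[key]
        key = (src, tag)
        if ipv6_dst is not None:                     # first fragment: routing decision
            next_hop = self.route(ipv6_dst)
            if next_hop is None or key in self.table or len(self.table) >= self.capacity:
                return "drop"                        # no route, duplicate, or table full
            entry = VrbEntry(next_hop, self._new_tag(), now + self.timeout)
            self.table[key] = entry
            if not self.send(next_hop, entry.out_tag, payload):
                del self.table[key]                  # atomic: not forwarded, so no state
                return "drop"
            return "forward"
        entry = self.table.get(key)
        if entry is None:
            return "drop"                            # no state for (source, tag)
        # Forward along the stored path with the rewritten datagram_tag.
        return "forward" if self.send(entry.next_hop, entry.out_tag, payload) else "drop"


def demo():
    """Constructed traffic: one real datagram, then a flood of bogus first fragments."""
    sent = []

    def send(hop, tag, payload):
        sent.append((hop, tag, payload))
        return True

    node_c, dst = b"\x00\x0c", "2001:db8::c"         # constructed addresses
    fwd = FragmentForwarder(lambda d: node_c if d == dst else None, send)
    a = b"\x00\x0a"
    normal = [fwd.on_fragment(a, 0x1234, b"frag1", 0.0, ipv6_dst=dst),
              fwd.on_fragment(a, 0x1234, b"frag2", 0.1),
              fwd.on_fragment(a, 0x9999, b"stray", 0.2)]
    flood = [fwd.on_fragment(b"\x00\xee", t, b"bogus", 0.3, ipv6_dst=dst)
             for t in range(20)]
    size_after_flood = len(fwd.table)
    recovered = fwd.on_fragment(a, 0x2222, b"frag1", 6.0, ipv6_dst=dst)
    return normal, flood.count("forward"), size_after_flood, recovered, sent
```

In the constructed run the flood claims only the three free entries, the table never exceeds its capacity, and a new datagram is accepted once the timers have destroyed the bogus state.
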

257     Compared to Section 2, the conceptual reassembly buffer in node B now
258     contains, assuming that node B is neither the source nor the final
259     destination:

261     *  a datagram_tag as received in the incoming fragments, associated
262        to the Link-Layer address of node A for which the received
263        datagram_tag is unique,

265     *  the Link-Layer address that node B uses as source to forward the
266        fragments

268     *  the Link-Layer address of the next hop C that is resolved on the
269        first fragment

271     *  a datagram_tag that node B uniquely allocated for this datagram
272        and that is used when forwarding the fragments of the datagram

274     *  a datagram_size,

276     *  a buffer for the remainder of a previous fragment left to be sent,

278     *  a timer that allows discarding the stale FF state after some
279        timeout.

281     A node that has not received the first fragment cannot forward the
282     next fragments. This means that if node B receives a fragment, node
283     A was in possession of the first fragment at some point. In order to
284     keep the operation simple, it makes sense to be consistent with
285     [6LoWPAN] and enforce that the first fragment is always sent first.
286     When that is done, if node B receives a fragment that is not the
287     first and for which it has no state, then node B treats this as an
288     error and refrains from creating a state or attempting to forward.
289     This also means that node A should perform all its possible retries
290     on the first fragment before it attempts to send the next fragments,
291     and that it should abort the datagram and release its state if it
292     fails to send the first fragment.

294     One benefit of Fragment Forwarding is that the memory that is used to
295     store the packet is now distributed along the path, which limits the
296     buffer bloat effect. Multiple fragments may progress in parallel
297     along the network as long as they do not interfere. An associated
298     caveat is that on a half duplex radio, if node A sends the next
299     fragment at the same time as node B forwards the previous fragment to
300     a node C down the path then node B will miss the next fragment. If
301     node C forwards the previous fragment to a node D at the same time
302     and on the same frequency as node A sends the next fragment to node
303     B, this may result in a hidden terminal problem at B whereby the
304     transmission from C interferes with that from A unbeknownst to node
305     A. As a result, consecutive fragments must be reasonably spaced
306     in order to avoid the 2 forms of collision described above. A node
307     that has multiple packets or fragments to send via different next-hop
308     routers may interleave the messages in order to alleviate those
309     effects.

311  5. Virtual Reassembly Buffer (VRB) Implementation

313     Virtual Reassembly Buffer (VRB) is the implementation technique
314     described in [LWIG-VRB] in which a forwarder does not reassemble each
315     packet in its entirety before forwarding it.

317     VRB overcomes the limits listed in Section 3. Nodes do not wait for
318     the last fragment before forwarding, reducing end-to-end latency.
319     Similarly, the memory footprint of VRB is just the VRB table,
320     reducing the packet drop probability significantly.

322     There are, however, limits:

324     Non-zero Packet Drop Probability: The abstract data in a VRB table
325        entry contains at a minimum the Link-Layer address of the
326        predecessor and that of the successor, the datagram_tag used by
327        the predecessor and the local datagram_tag that this node will
328        swap with it. The VRB may need to store a few octets from the
329        last fragment that may not have fit within MTU and that will be
330        prepended to the next fragment. This yields a small footprint
331        that is 2 orders of magnitude smaller compared to needing a
332        1280-byte reassembly buffer for each packet. Yet, the size of the
333        VRB table necessarily remains finite. In the extreme case where a
334        node is required to concurrently forward more packets than it has
335        entries in its VRB table, packets are dropped.

337     No Fragment Recovery: There is no mechanism in VRB for the node that
338        reassembles a packet to request a single missing fragment.
339        Dropping a fragment requires the whole packet to be resent. This
340        causes unnecessary traffic, as fragments are forwarded even when
341        the destination node can never construct the original IPv6 packet.

343     No Per-Fragment Routing: All subsequent fragments follow the same
344        sequence of hops from the source to the destination node as the
345        first fragment, because the IP header is required to route the
346        fragment and is only present in the first fragment. A side effect
347        is that the first fragment must always be forwarded first.

349     The severity and occurrence of these limits depend on the Link-Layer
350     used. Whether these limits are acceptable depends entirely on the
351     requirements the application places on the network.

353     If the limits are present and not acceptable for the application,
354     future specifications may define new protocols to overcome these
355     limits. One example is [FRAG-RECOV] which defines a protocol which
356     allows fragment recovery.

358  6. Security Considerations

360     Secure joining and the Link-Layer security that it sets up protect
361     against those attacks from network outsiders.

363     "IP Fragmentation Considered Fragile" [FRAG-ILE] discusses security
364     threats that are linked to using IP fragmentation. The 6LoWPAN
365     fragmentation takes place underneath, but some issues described there
366     may still apply to 6lo fragments.

368     *  Overlapping fragment attacks are possible with 6LoWPAN fragments
369        but there is no known firewall operation that would work on
370        6LoWPAN fragments at the time of this writing, so the exposure is
371        limited. An implementation of a firewall SHOULD NOT forward
372        fragments but recompose the IP packet, check it in the
373        uncompressed form, and then forward it again as fragments if
374        necessary.

376     *  Resource exhaustion attacks are certainly possible and a sensitive
377        issue in a constrained network. An attacker can perform a Denial-
378        of-Service (DoS) attack on a node implementing VRB by generating a
379        large number of bogus first fragments without sending subsequent
380        fragments. This causes the VRB table to fill up. When hop-by-hop
381        reassembly is used, the same attack can be more damaging if the
382        node allocates a full datagram_size for each bogus first fragment.
383        With the VRB, the attack can be performed remotely on all nodes
384        along a path, but each node suffers a lesser hit. This is because
385        the VRB does not need to remember the full datagram as received so
386        far but only possibly a few octets from the last fragment that
387        could not fit in it. An implementation MUST protect itself by
388        keeping the number of VRBs within capacity and by ensuring that old
389        VRBs are protected by a timer of a reasonable duration for the
390        technology and destroyed upon timeout.

392     *  Attacks based on predictable fragment identification values are
393        also possible but can be avoided. The datagram_tag SHOULD be
394        assigned pseudo-randomly in order to defeat such attacks.

396     *  Evasion of Network Intrusion Detection Systems (NIDS) leverages
397        ambiguity in the reassembly of the fragment. This sounds
398        difficult and mostly useless in a 6LoWPAN network since the
399        fragmentation is not end-to-end.

401  7. IANA Considerations

403     No requests to IANA are made by this document.

405  8. Acknowledgments

407     The authors would like to thank Yasuyuki Tanaka and Dave Thaler for
408     their in-depth review of this document and improvement suggestions.
409     Also many thanks to Georgies Papadopoulos and Dominique Barthel for
410     their own reviews.

412  9. Normative References

414     [6LoWPAN]  Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
415                "Transmission of IPv6 Packets over IEEE 802.15.4
416                Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007,
417                .

419     [LWIG-VRB] Bormann, C. and T. Watteyne, "Virtual reassembly buffers
420                in 6LoWPAN", Work in Progress, Internet-Draft, draft-ietf-
421                lwig-6lowpan-virtual-reassembly-01, 11 March 2019,
422                .

425  10. Informative References

427     [6LoWPAN-HC]
428                Hui, J., Ed. and P. Thubert, "Compression Format for IPv6
429                Datagrams over IEEE 802.15.4-Based Networks", RFC 6282,
430                DOI 10.17487/RFC6282, September 2011,
431                .

433     [FRAG-RECOV]
434                Thubert, P., "6LoWPAN Selective Fragment Recovery", Work
435                in Progress, Internet-Draft, draft-ietf-6lo-fragment-
436                recovery-07, 23 October 2019,
437                .

440     [FRAG-ILE] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O.,
441                and F. Gont, "IP Fragmentation Considered Fragile", Work
442                in Progress, Internet-Draft, draft-ietf-intarea-frag-
443                fragile-17, 30 September 2019,
444                .

447     [ARTICLE]  Tanaka, Y., Minet, P., and T. Watteyne, "6LoWPAN Fragment
448                Forwarding", IEEE Communications Standards Magazine,
449                2019.

451  Authors' Addresses

453     Thomas Watteyne (editor)
454     Analog Devices
455     32990 Alvarado-Niles Road, Suite 910
456     Union City, CA 94587
457     United States of America

459     Email: thomas.watteyne@analog.com

461     Pascal Thubert (editor)
462     Cisco Systems, Inc
463     Building D, 45 Allee des Ormes - BP1200
464     06254 Mougins - Sophia Antipolis
465     France

467     Phone: +33 497 23 26 34
468     Email: pthubert@cisco.com

470     Carsten Bormann
471     Universitaet Bremen TZI
472     Postfach 330440
473     D-28359 Bremen
474     Germany
475     Email: cabo@tzi.org