6lo                                                      T. Watteyne, Ed.
Internet-Draft                                             Analog Devices
Intended status: Standards Track                          P. Thubert, Ed.
Expires: 30 May 2020                                        Cisco Systems
                                                               C. Bormann
                                                  Universitaet Bremen TZI
                                                         27 November 2019

      On Forwarding 6LoWPAN Fragments over a Multihop IPv6 Network
                   draft-ietf-6lo-minimal-fragment-06

Abstract

   This document introduces the capability to forward 6LoWPAN fragments.
   This method reduces the latency and increases end-to-end reliability
   in route-over forwarding.  It is the companion to using virtual
   reassembly buffers, which is a pure implementation technique.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 May 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Overview of 6LoWPAN Fragmentation
   3.  Limits of Per-Hop Fragmentation and Reassembly
     3.1.  Latency
     3.2.  Memory Management and Reliability
   4.  Forwarding Fragments
   5.  Virtual Reassembly Buffer (VRB) Implementation
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Normative References
   10. Informative References
   Authors' Addresses
1.  Introduction

   The original 6LoWPAN fragmentation is defined in [6LoWPAN], and it is
   implicitly defined for use over a single IP hop through possibly
   multiple Layer-2 (mesh-under) hops in a meshed 6LoWPAN network.
   Although [6LoWPAN-HC] updates [6LoWPAN], it does not redefine 6LoWPAN
   fragmentation.

   This means that over a Layer-3 (route-over) network, an IP packet is
   expected to be reassembled at every hop at the 6LoWPAN sublayer,
   pushed to Layer-3 to be routed, and then fragmented again if the next
   hop is another similar 6LoWPAN link.  This draft introduces an
   alternate approach called 6LoWPAN Fragment Forwarding (FF) whereby an
   intermediate node forwards a fragment as soon as it is received if
   the next hop is a similar 6LoWPAN link.  The routing decision is made
   on the first fragment, which has all the IPv6 routing information.
   The first fragment is forwarded immediately and a state is stored to
   enable forwarding the next fragments along the same path.

   Done right, 6LoWPAN Fragment Forwarding techniques lead to more
   streamlined operations, less buffer bloat and lower latency.  It may
   be wasteful if some fragments are missing after the first one, since
   the first fragment will still travel to the 6LoWPAN endpoint, which
   will attempt to perform the reassembly; FF may also be misused to the
   point that performance falls behind that of per-hop reassembly.
   This specification provides a generic overview of FF, discusses
   advantages and caveats, and introduces a particular 6LoWPAN Fragment
   Forwarding technique called Virtual Reassembly Buffer that can be
   used while conserving the message formats defined in [6LoWPAN].

2.  Overview of 6LoWPAN Fragmentation

   We use Figure 1 to illustrate 6LoWPAN fragmentation.  We assume node
   A forwards a packet to node B, possibly as part of a multi-hop route
   between IPv6 source and destination nodes which are neither A nor B.

                 +---+                      +---+
          ... ---| A |--------------------->| B |--- ...
                 +---+                      +---+
                            # (frag. 5)

                 123456789                  123456789
                 +---------+                +---------+
                 |   #  ###|                |###  #   |
                 +---------+                +---------+
                  outgoing                   incoming
               fragmentation                reassembly
                   buffer                     buffer

          Figure 1: Fragmentation at node A, reassembly at node B.

   Node A starts by compacting the IPv6 packet using the header
   compression mechanism defined in [6LoWPAN-HC].  If the resulting
   6LoWPAN packet does not fit into a single Link-Layer frame, node A's
   6LoWPAN sublayer cuts it into multiple 6LoWPAN fragments, which it
   transmits as separate Link-Layer frames to node B.  Node B's 6LoWPAN
   sublayer reassembles these fragments, inflates the compressed header
   fields back to the original IPv6 header, and hands over the full IPv6
   packet to its IPv6 layer.

   In Figure 1, a packet forwarded by node A to node B is cut into nine
   fragments, numbered 1 to 9 as follows:

   *  Each fragment is represented by the '#' symbol.

   *  Node A has sent fragments 1, 2, 3, 5, 6 to node B.

   *  Node B has received fragments 1, 2, 3, 6 from node A.

   *  Fragment 5 is still being transmitted at the link layer from node
      A to node B.

   The reassembly buffer for 6LoWPAN is indexed in node B by:

   *  a unique Identifier of Node A (e.g., Node A's Link-Layer address)

   *  the datagram_tag chosen by node A for this fragmented datagram

   Because it may be hard for node B to correlate all possible Link-
   Layer addresses that node A may use (e.g., short vs. long addresses),
   node A must use the same Link-Layer address to send all the fragments
   of the same datagram to node B.
   Conceptually, the reassembly buffer in node B contains:

   *  a datagram_tag as received in the incoming fragments, associated
      with the Link-Layer address of node A, for which the received
      datagram_tag is unique,

   *  the actual packet data from the fragments received so far, in a
      form that makes it possible to detect when the whole packet has
      been received and can be processed or forwarded,

   *  a state indicating the fragments already received,

   *  a datagram_size,

   *  a timer that allows discarding a partially reassembled packet
      after some timeout.

   A fragmentation header is added to each fragment; it indicates what
   portion of the packet that fragment corresponds to.  Section 5.3 of
   [6LoWPAN] defines the format of the header for the first and
   subsequent fragments.  All fragments are tagged with a 16-bit
   "datagram_tag", used to identify which packet each fragment belongs
   to.  Each datagram can be uniquely identified by the sender Link-
   Layer address of the frame that carries it and the datagram_tag
   that the sender allocated for this datagram.  [6LoWPAN] also mandates
   that the first fragment is sent first and with a particular format
   that is different from that of the next fragments.  Each fragment but
   the first one can be identified within its datagram by the
   datagram_offset.

   Node B's typical behavior, per [6LoWPAN], is as follows.  Upon
   receiving a fragment from node A with a datagram_tag previously
   unseen from node A, node B allocates a buffer large enough to hold
   the entire packet.  The length of the packet is indicated in each
   fragment (the datagram_size field), so node B can allocate the buffer
   even if the first fragment it receives is not fragment 1.  As
   fragments come in, node B fills the buffer.
   When all fragments have been received, node B inflates the
   compressed header fields into an IPv6 header, and hands the resulting
   IPv6 packet to the IPv6 layer, which performs the route lookup.  This
   behavior typically results in per-hop fragmentation and reassembly.
   That is, the packet is fully reassembled, then (re)fragmented, at
   every hop.

3.  Limits of Per-Hop Fragmentation and Reassembly

   There are at least two limits to doing per-hop fragmentation and
   reassembly.  See [ARTICLE] for detailed simulation results on both
   limits.

3.1.  Latency

   When reassembling, a node needs to wait for all the fragments to be
   received before being able to generate the IPv6 packet, and possibly
   forward it to the next hop.  This repeats at every hop.

   This may result in increased end-to-end latency compared to a case
   where each fragment is forwarded without per-hop reassembly.

3.2.  Memory Management and Reliability

   Constrained nodes have limited memory.  Assuming a reassembly buffer
   for a 6LoWPAN MTU of 1280 bytes as defined in section 4 of [6LoWPAN],
   typical nodes only have enough memory for 1-3 reassembly buffers.

   To illustrate this we use the topology from Figure 2, where nodes A,
   B, C and D all send packets through node E.  We further assume that
   node E's memory can only hold 3 reassembly buffers.

                +---+       +---+
        ... --->| A |------>| B |
                +---+       +---+\
                                  \
                                   +---+     +---+
                                   | E |---->| F | ...
                                   +---+     +---+
                                  /
                                 /
                +---+       +---+
        ... --->| C |------>| D |
                +---+       +---+

            Figure 2: Illustrating the Memory Management Issue.

   When nodes A, B and C concurrently send fragmented packets, all 3
   reassembly buffers in node E are occupied.  If, at that moment, node
   D also sends a fragmented packet, node E has no option but to drop
   one of the packets, lowering end-to-end reliability.
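   The fragment header layout of Section 5.3 of [6LoWPAN], the per-hop
   reassembly buffer of Section 2 (indexed by sender Link-Layer address
   and datagram_tag, sized from datagram_size, guarded by a timer) and
   the buffer-exhaustion case of Figure 2, as an added Python example.
   It is not code from this draft or from any 6LoWPAN stack; the
   Link-Layer addresses, packet contents, the 100-octet MTU and the
   3-buffer limit at node E are constructed for the illustration.

```python
# Added illustration of Sections 2 and 3.2 of this draft, not code from the
# draft or from any 6LoWPAN stack.  Header bit layout: Section 5.3 of
# [6LoWPAN].  Addresses, packet contents, the 100-octet MTU and the
# 3-buffer limit at node E are constructed for the example.
from dataclasses import dataclass, field

FRAG1 = 0xC0          # dispatch 11000xxx: first fragment, 4-byte header
FRAGN = 0xE0          # dispatch 11100xxx: subsequent fragment, 5-byte header
DISPATCH_MASK = 0xF8

@dataclass
class Fragment:
    size: int         # datagram_size: length of the whole compressed packet
    tag: int          # datagram_tag: 16 bits, unique per sender L2 address
    offset: int       # byte offset of the payload within the datagram
    payload: bytes

def parse_fragment(frame: bytes) -> Fragment:
    """Decode the FRAG1 or FRAGN header of a 6LoWPAN frame."""
    dispatch = frame[0] & DISPATCH_MASK
    size = ((frame[0] & 0x07) << 8) | frame[1]          # 11-bit datagram_size
    tag = int.from_bytes(frame[2:4], "big")
    if dispatch == FRAG1:
        return Fragment(size, tag, 0, frame[4:])
    if dispatch == FRAGN:
        return Fragment(size, tag, frame[4] * 8, frame[5:])   # offset field counts 8-octet units
    raise ValueError("not a 6LoWPAN fragment")

def fragment(packet: bytes, tag: int, mtu: int) -> list:
    """Cut a compressed packet into FRAG1/FRAGN frames of at most mtu octets."""
    size = len(packet)
    if size > 0x7FF:
        raise ValueError("datagram_size is an 11-bit field")
    hi, lo, tag_bytes = size >> 8, size & 0xFF, tag.to_bytes(2, "big")
    frames, offset = [], 0
    while offset < size:
        if offset == 0:
            header = bytes([FRAG1 | hi, lo]) + tag_bytes
        else:
            header = bytes([FRAGN | hi, lo]) + tag_bytes + bytes([offset // 8])
        chunk = (mtu - len(header)) // 8 * 8    # all but the last payload are multiples of 8
        if chunk <= 0:
            raise ValueError("mtu too small for a fragment header plus 8 octets")
        frames.append(header + packet[offset:offset + chunk])
        offset += chunk
    return frames

@dataclass
class ReassemblyBuffer:
    size: int
    data: bytearray
    expires_at: float
    covered: set = field(default_factory=set)   # byte positions received so far

class Reassembler:
    """Node B's reassembly buffers, indexed by (sender L2 address, datagram_tag)."""

    def __init__(self, max_buffers: int, timeout: float):
        self.max_buffers, self.timeout = max_buffers, timeout
        self.buffers, self.dropped = {}, 0

    def expire(self, now: float) -> None:
        """Discard partially reassembled packets whose timer has run out."""
        for key in [k for k, b in self.buffers.items() if b.expires_at <= now]:
            del self.buffers[key]

    def receive(self, src_l2: bytes, frame: bytes, now: float):
        """Store one fragment; return the whole packet once every octet is present."""
        self.expire(now)
        frag = parse_fragment(frame)
        key = (src_l2, frag.tag)
        buf = self.buffers.get(key)
        if buf is None:
            if len(self.buffers) >= self.max_buffers:
                self.dropped += 1              # Section 3.2: no free buffer, the packet is lost
                return None
            # datagram_size is in every fragment, so allocation works even if FRAG1 was lost
            buf = ReassemblyBuffer(frag.size, bytearray(frag.size), now + self.timeout)
            self.buffers[key] = buf
        end = frag.offset + len(frag.payload)
        if end > buf.size:
            return None                        # malformed fragment: ignore it
        buf.data[frag.offset:end] = frag.payload
        buf.covered.update(range(frag.offset, end))
        if len(buf.covered) == buf.size:
            del self.buffers[key]
            return bytes(buf.data)
        return None

def figure2_scenario(now: float = 0.0) -> dict:
    """Figure 2: A, B, C and D each push a 3-fragment packet through node E,
    whose memory holds only 3 reassembly buffers."""
    node_e = Reassembler(max_buffers=3, timeout=60.0)
    l2 = {n: n.encode() * 8 for n in "ABCD"}                 # constructed L2 addresses
    packets = {n: n.encode() * 200 for n in "ABCD"}          # constructed compressed packets
    frames = {n: fragment(packets[n], tag=0x100 + ord(n), mtu=100) for n in "ABCD"}
    completed = []
    for i in range(3):             # round-robin: every first fragment arrives before any second one
        for n in "ABCD":
            if node_e.receive(l2[n], frames[n][i], now) == packets[n]:
                completed.append(n)
    pending = len(node_e.buffers)  # D's orphaned buffer, allocated from its surviving last fragment
    node_e.expire(now + 61.0)      # reclaimed once the reassembly timer runs out
    return {"completed": completed, "dropped": node_e.dropped,
            "pending_before_timeout": pending, "pending_after_timeout": len(node_e.buffers)}
```

   In figure2_scenario(), the packets from A, B and C complete while
   both of D's first two fragments are dropped for lack of a buffer.
   Because datagram_size travels in every fragment, node E then
   allocates a buffer for D's last fragment once the others have freed
   theirs, and that buffer can never complete: it holds memory until the
   reassembly timer reclaims it, which is the cost the text above
   describes.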
4.  Forwarding Fragments

   A 6LoWPAN Fragment Forwarding technique makes the routing decision on
   the first fragment, which is always the one with the IPv6 address of
   the destination.  Upon a first fragment, a forwarding node (e.g. node
   B in an A->B->C sequence) that does fragment forwarding MUST attempt
   to create a state and forward the fragment.  This is an atomic
   operation, and if the first fragment cannot be forwarded then the
   state MUST be removed.  When a forwarding node receives a fragment
   other than a first fragment, it MUST look up state based on the
   source Link-Layer address and the datagram_tag in the received
   fragment.  If no such state is found, the fragment MUST be dropped;
   otherwise the fragment MUST be forwarded using the information in the
   state found.  Since the datagram_tag is uniquely associated to the
   source Link-Layer address of the fragment, the forwarding node MUST
   assign a new datagram_tag from its own namespace for the next hop and
   rewrite the fragment header of each fragment with that datagram_tag.

   Compared to Section 2, the conceptual reassembly buffer in node B now
   contains, assuming that node B is neither the source nor the final
   destination:

   *  a datagram_tag as received in the incoming fragments, associated
      with the Link-Layer address of node A, for which the received
      datagram_tag is unique,

   *  the Link-Layer address that node B uses as source to forward the
      fragments,

   *  the Link-Layer address of the next hop C that is resolved on the
      first fragment,

   *  a datagram_tag that node B uniquely allocated for this datagram
      and that is used when forwarding the fragments of the datagram,

   *  a datagram_size,

   *  a buffer for the remainder of a previous fragment left to be sent,

   *  a timer that allows discarding the stale FF state after some
      timeout.

   A node that has not received the first fragment cannot forward the
   next fragments.
   This means that if node B receives a fragment, node A was in
   possession of the first fragment at some point.  In order to keep the
   operation simple, it makes sense to be consistent with [6LoWPAN] and
   enforce that the first fragment is always sent first.  When that is
   done, if node B receives a fragment that is not the first and for
   which it has no state, then node B treats this as an error and
   refrains from creating a state or attempting to forward.  This also
   means that node A should perform all its possible retries on the
   first fragment before it attempts to send the next fragments, and
   that it should abort the datagram and release its state if it fails
   to send the first fragment.

   One benefit of Fragment Forwarding is that the memory that is used to
   store the packet is now distributed along the path, which limits the
   buffer bloat effect.  Multiple fragments may progress in parallel
   along the network as long as they do not interfere.  An associated
   caveat is that on a half duplex radio, if node A sends the next
   fragment at the same time as node B forwards the previous fragment to
   a node C down the path, then node B will miss the next fragment.  If
   node C forwards the previous fragment to a node D at the same time
   and on the same frequency as node A sends the next fragment to node
   B, this may result in a hidden terminal problem at B whereby the
   transmission from C interferes with that from A, unbeknownst to node
   A.  As a result, consecutive fragments must be reasonably spaced in
   order to avoid the two forms of collision described above.  A node
   that has multiple packets or fragments to send via different next-hop
   routers may interleave the messages in order to alleviate those
   effects.
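   The forwarding procedure of this section (state created atomically
   on the first fragment, lookup by predecessor Link-Layer address and
   datagram_tag, rewrite of the datagram_tag from node B's own
   namespace, drop of any non-first fragment without state), combined
   with the bounded table, timer and pseudo-random datagram_tag
   allocation that Section 6 later calls for, as an added Python
   example.  It is not code from this draft, from [LWIG-VRB] or from
   any 6LoWPAN stack.  The route lookup on the first fragment's
   compressed header, the Link-Layer addresses and the frames are
   constructed for the example; the "remainder of a previous fragment"
   buffer listed above (needed when the outgoing link has a smaller
   MTU) is left out.

```python
# Added illustration of Section 4 of this draft plus the table bound, timer
# and pseudo-random tags of Section 6.  Not code from the draft, [LWIG-VRB]
# or any 6LoWPAN stack.  The route lookup is a caller-supplied callable on
# the first fragment's payload; addresses and frames are constructed.  The
# "remainder of a previous fragment" buffer is not modelled.
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

FRAG1, FRAGN, DISPATCH_MASK = 0xC0, 0xE0, 0xF8   # RFC 4944 Section 5.3 dispatch values

@dataclass
class VRBEntry:
    pred_l2: bytes        # Link-Layer address of the predecessor (node A)
    pred_tag: int         # datagram_tag chosen by the predecessor
    succ_l2: bytes        # Link-Layer address of the next hop (node C)
    local_tag: int        # datagram_tag this node uses toward the next hop
    expires_at: float     # stale state is discarded by timer, not by a "last" fragment

class FragmentForwarder:
    """Fragment Forwarding state of an intermediate node (node B in A->B->C)."""

    def __init__(self, route: Callable[[bytes], Optional[bytes]], capacity: int, timeout: float):
        self.route = route            # compressed IPv6 header -> next-hop L2 address, or None
        self.capacity, self.timeout = capacity, timeout
        self.table = {}               # (pred_l2, pred_tag) -> VRBEntry
        self.stats = {"forwarded": 0, "no_state": 0, "table_full": 0, "no_route": 0}

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.table.items() if e.expires_at <= now]:
            del self.table[key]

    def _new_local_tag(self) -> int:
        # Section 6: unpredictable tags; avoid clashing with tags still in flight
        in_use = {e.local_tag for e in self.table.values()}
        while True:
            tag = secrets.randbelow(1 << 16)
            if tag not in in_use:
                return tag

    def receive(self, src_l2: bytes, frame: bytes, now: float) -> Optional[Tuple[bytes, bytes]]:
        """Return (next_hop_l2, rewritten_frame), or None if the fragment is dropped."""
        self._expire(now)
        dispatch = frame[0] & DISPATCH_MASK
        key = (src_l2, int.from_bytes(frame[2:4], "big"))
        entry = self.table.get(key)       # a retransmitted FRAG1 reuses its existing state
        if dispatch == FRAG1 and entry is None:
            if len(self.table) >= self.capacity:
                self.stats["table_full"] += 1      # bounded table: bogus FRAG1s cannot exhaust memory
                return None
            next_hop = self.route(frame[4:])      # routing needs the header only FRAG1 carries
            if next_hop is None:
                self.stats["no_route"] += 1        # atomic: nothing forwarded, no state left behind
                return None
            entry = VRBEntry(src_l2, key[1], next_hop, self._new_local_tag(), now + self.timeout)
            self.table[key] = entry
        elif dispatch == FRAGN and entry is None:
            self.stats["no_state"] += 1            # no state for this (src, tag): MUST drop
            return None
        elif dispatch not in (FRAG1, FRAGN):
            return None                            # not a fragment; out of scope here
        out = bytearray(frame)
        out[2:4] = entry.local_tag.to_bytes(2, "big")   # only the datagram_tag is rewritten
        self.stats["forwarded"] += 1
        return entry.succ_l2, bytes(out)

def demo(now: float = 0.0) -> dict:
    """Walk node B through the cases of Section 4 and the table bound of Section 6."""
    A, C = b"\xaa" * 8, b"\xcc" * 8                   # constructed L2 addresses of A and C
    hi, lo = 200 >> 8, 200 & 0xFF                     # datagram_size 200 in every header

    def mk_first(tag, dst=b"dst-C"):                  # constructed FRAG1: 5-byte route key + filler
        return bytes([FRAG1 | hi, lo]) + tag.to_bytes(2, "big") + dst + b"\x00" * 91

    def mk_next(tag):                                 # constructed FRAGN at offset 96
        return bytes([FRAGN | hi, lo]) + tag.to_bytes(2, "big") + bytes([12]) + b"\x01" * 88

    node_b = FragmentForwarder(lambda hdr: {b"dst-C": C}.get(hdr[:5]), capacity=2, timeout=60.0)
    r = {}
    r["fragn_before_frag1"] = node_b.receive(A, mk_next(0x42), now)           # no state: dropped
    hop1 = node_b.receive(A, mk_first(0x42), now)
    hop2 = node_b.receive(A, mk_next(0x42), now)
    r["same_next_hop"] = hop1[0] == hop2[0] == C
    r["same_local_tag"] = hop1[1][2:4] == hop2[1][2:4]
    r["payload_untouched"] = hop1[1][4:] == mk_first(0x42)[4:] and hop2[1][5:] == mk_next(0x42)[5:]
    r["unroutable"] = node_b.receive(A, mk_first(0x43, b"dst-X"), now)       # no route: dropped
    r["entries_after_unroutable"] = len(node_b.table)                         # still only tag 0x42
    r["second_datagram"] = node_b.receive(A, mk_first(0x44), now) is not None  # table now full
    r["third_while_full"] = node_b.receive(A, mk_first(0x45), now)            # dropped
    r["third_after_timeout"] = node_b.receive(A, mk_first(0x45), now + 61) is not None
    r["stats"] = dict(node_b.stats)
    return r
```

   demo() shows the ordering rule of Section 4 (a FRAGN arriving before
   its FRAG1 is dropped rather than creating state), the tag rewrite
   (both forwarded frames carry the same tag that node B chose, with
   the payload untouched), the atomicity rule (an unroutable first
   fragment leaves no entry behind) and the bounded table: once the
   two entries are in use, a further first fragment is dropped until
   the timer reclaims the stale state.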
5.  Virtual Reassembly Buffer (VRB) Implementation

   Virtual Reassembly Buffer (VRB) is the implementation technique
   described in [LWIG-VRB] in which a forwarder does not reassemble each
   packet in its entirety before forwarding it.

   VRB overcomes the limits listed in Section 3.  Nodes do not wait for
   the last fragment before forwarding, reducing end-to-end latency.
   Similarly, the memory footprint of VRB is just the VRB table,
   reducing the packet drop probability significantly.

   There are, however, limits:

   Non-zero Packet Drop Probability:  The abstract data in a VRB table
      entry contains at a minimum the Link-Layer address of the
      predecessor and that of the successor, the datagram_tag used by
      the predecessor and the local datagram_tag that this node will
      swap with it.  The VRB may need to store a few octets from the
      last fragment that may not have fit within MTU and that will be
      prepended to the next fragment.  This yields a small footprint
      that is 2 orders of magnitude smaller compared to needing a
      1280-byte reassembly buffer for each packet.  Yet, the size of the
      VRB table necessarily remains finite.  In the extreme case where a
      node is required to concurrently forward more packets than it has
      entries in its VRB table, packets are dropped.

   No Fragment Recovery:  There is no mechanism in VRB for the node that
      reassembles a packet to request a single missing fragment.
      Dropping a fragment requires the whole packet to be resent.  This
      causes unnecessary traffic, as fragments are forwarded even when
      the destination node can never construct the original IPv6 packet.

   No Per-Fragment Routing:  All subsequent fragments follow the same
      sequence of hops from the source to the destination node as the
      first fragment, because the IP header is required to route the
      fragment and is only present in the first fragment.
      A side effect is that the first fragment must always be forwarded
      first.

   The severity and occurrence of these limits depends on the Link-Layer
   used.  Whether these limits are acceptable depends entirely on the
   requirements the application places on the network.

   If the limits are present and not acceptable for the application,
   future specifications may define new protocols to overcome these
   limits.  One example is [FRAG-RECOV], which defines a protocol that
   allows fragment recovery.

6.  Security Considerations

   Secure joining and the Link-Layer security that it sets up protect
   against attacks from network outsiders.

   "IP Fragmentation Considered Fragile" [FRAG-ILE] discusses security
   threats that are linked to using IP fragmentation.  The 6LoWPAN
   fragmentation takes place underneath, but some issues described there
   may still apply to 6lo fragments.

   *  Overlapping fragment attacks are possible with 6LoWPAN fragments,
      but there is no known firewall operation that would work on
      6LoWPAN fragments at the time of this writing, so the exposure is
      limited.  An implementation of a firewall SHOULD NOT forward
      fragments but recompose the IP packet, check it in the
      uncompressed form, and then forward it again as fragments if
      necessary.

   *  Resource exhaustion attacks are certainly possible and a sensitive
      issue in a constrained network.  An attacker can perform a Denial-
      of-Service (DoS) attack on a node implementing VRB by generating a
      large number of bogus first fragments without sending subsequent
      fragments.  This causes the VRB table to fill up.  When hop-by-hop
      reassembly is used, the same attack can be more damaging if the
      node allocates a full datagram_size for each bogus first fragment.
      With the VRB, the attack can be performed remotely on all nodes
      along a path, but each node suffers a lesser hit.
      This is because the VRB does not need to remember the full
      datagram as received so far, but only possibly a few octets from
      the last fragment that could not fit in it.  An implementation
      MUST protect itself by keeping the number of VRBs within capacity,
      and by guarding old VRBs with a timer of a reasonable duration for
      the technology, destroying them upon timeout.

   *  Attacks based on predictable fragment identification values are
      also possible but can be avoided.  The datagram_tag SHOULD be
      assigned pseudo-randomly in order to defeat such attacks.

   *  Evasion of Network Intrusion Detection Systems (NIDS) leverages
      ambiguity in the reassembly of the fragment.  This sounds
      difficult and mostly useless in a 6LoWPAN network since the
      fragmentation is not end-to-end.

7.  IANA Considerations

   No requests to IANA are made by this document.

8.  Acknowledgments

   The authors would like to thank Yasuyuki Tanaka, Ines Robles and Dave
   Thaler for their in-depth review of this document and improvement
   suggestions.  Also many thanks to Georgios Papadopoulos and Dominique
   Barthel for their own reviews.

9.  Normative References

   [6LoWPAN]  Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler,
              "Transmission of IPv6 Packets over IEEE 802.15.4
              Networks", RFC 4944, DOI 10.17487/RFC4944, September 2007.

   [LWIG-VRB] Bormann, C. and T. Watteyne, "Virtual reassembly buffers
              in 6LoWPAN", Work in Progress, Internet-Draft, draft-ietf-
              lwig-6lowpan-virtual-reassembly-01, 11 March 2019.

   [FRAG-RECOV]
              Thubert, P., "6LoWPAN Selective Fragment Recovery", Work
              in Progress, Internet-Draft, draft-ietf-6lo-fragment-
              recovery-07, 23 October 2019.

10.  Informative References

   [6LoWPAN-HC]
              Hui, J., Ed. and P. Thubert, "Compression Format for IPv6
              Datagrams over IEEE 802.15.4-Based Networks", RFC 6282,
              DOI 10.17487/RFC6282, September 2011.
   [FRAG-ILE] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O.,
              and F. Gont, "IP Fragmentation Considered Fragile", Work
              in Progress, Internet-Draft, draft-ietf-intarea-frag-
              fragile-17, 30 September 2019.

   [ARTICLE]  Tanaka, Y., Minet, P., and T. Watteyne, "6LoWPAN Fragment
              Forwarding", IEEE Communications Standards Magazine, 2019.

Authors' Addresses

   Thomas Watteyne (editor)
   Analog Devices
   32990 Alvarado-Niles Road, Suite 910
   Union City, CA 94587
   United States of America

   Email: thomas.watteyne@analog.com

   Pascal Thubert (editor)
   Cisco Systems, Inc
   Building D, 45 Allee des Ormes - BP1200
   06254 Mougins - Sophia Antipolis
   France

   Phone: +33 497 23 26 34
   Email: pthubert@cisco.com

   Carsten Bormann
   Universitaet Bremen TZI
   Postfach 330440
   D-28359 Bremen
   Germany

   Email: cabo@tzi.org