idnits 2.17.1
draft-ietf-6man-deprecate-atomfrag-generation-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There is 1 instance of too long lines in the document, the longest one
being 4 characters in excess of 72.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2460, updated by this document, for
RFC5378 checks: 1997-07-30)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (April 27, 2015) is 3288 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'RFC1191' is mentioned on line 387, but not defined
== Missing Reference: 'RFC1883' is mentioned on line 406, but not defined
** Obsolete undefined reference: RFC 1883 (Obsoleted by RFC 2460)
== Missing Reference: 'RFC4963' is mentioned on line 574, but not defined
== Missing Reference: 'RFC0791' is mentioned on line 461, but not defined
== Missing Reference: 'RFC4890' is mentioned on line 543, but not defined
== Missing Reference: 'RFC6144' is mentioned on line 540, but not defined
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915)
== Outdated reference: A later version (-10) exists of
draft-ietf-6man-predictable-fragment-id-05
Summary: 4 errors (**), 0 flaws (~~), 8 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 2460, 6145 (if approved) W. Liu
5 Intended status: Standards Track Huawei Technologies
6 Expires: October 29, 2015 T. Anderson
7 Redpill Linpro
8 April 27, 2015
10 Deprecating the Generation of IPv6 Atomic Fragments
11 draft-ietf-6man-deprecate-atomfrag-generation-01
13 Abstract
15 The core IPv6 specification requires that when a host receives an
16 ICMPv6 "Packet Too Big" message reporting a "Next-Hop MTU" smaller
17 than 1280, the host includes a Fragment Header in all subsequent
18 packets sent to that destination, without reducing the assumed Path-
19 MTU. The simplicity with which ICMPv6 "Packet Too Big" messages can
20 be forged, coupled with the widespread filtering of IPv6 fragments,
21 results in an attack vector that can be leveraged for Denial of
22 Service purposes. This document briefly discusses the aforementioned
23 attack vector, and formally updates RFC2460 such that generation of
24 IPv6 atomic fragments is deprecated, thus eliminating the
25 aforementioned attack vector. Additionally, it formally updates
26 RFC6145 such that the Stateless IP/ICMP Translation Algorithm (SIIT)
27 does not rely on the generation of IPv6 atomic fragments, thus
28 improving the robustness of the protocol.
30 Status of This Memo
32 This Internet-Draft is submitted in full conformance with the
33 provisions of BCP 78 and BCP 79.
35 Internet-Drafts are working documents of the Internet Engineering
36 Task Force (IETF). Note that other groups may also distribute
37 working documents as Internet-Drafts. The list of current Internet-
38 Drafts is at http://datatracker.ietf.org/drafts/current/.
40 Internet-Drafts are draft documents valid for a maximum of six months
41 and may be updated, replaced, or obsoleted by other documents at any
42 time. It is inappropriate to use Internet-Drafts as reference
43 material or to cite them other than as "work in progress."
45 This Internet-Draft will expire on October 29, 2015.
47 Copyright Notice
49 Copyright (c) 2015 IETF Trust and the persons identified as the
50 document authors. All rights reserved.
52 This document is subject to BCP 78 and the IETF Trust's Legal
53 Provisions Relating to IETF Documents
54 (http://trustee.ietf.org/license-info) in effect on the date of
55 publication of this document. Please review these documents
56 carefully, as they describe your rights and restrictions with respect
57 to this document. Code Components extracted from this document must
58 include Simplified BSD License text as described in Section 4.e of
59 the Trust Legal Provisions and are provided without warranty as
60 described in the Simplified BSD License.
62 Table of Contents
64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
65 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
66 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3
67 4. Additional Considerations . . . . . . . . . . . . . . . . . . 5
68 5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 7
69 6. Updating RFC6145 . . . . . . . . . . . . . . . . . . . . . . 7
70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
71 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14
72 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
73 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
74 10.1. Normative References . . . . . . . . . . . . . . . . . . 15
75 10.2. Informative References . . . . . . . . . . . . . . . . . 15
76 Appendix A. Small Survey of OSes that Fail to Produce IPv6
77 Atomic Fragments . . . . . . . . . . . . . . . . . . 16
78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
80 1. Introduction
82 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
83 IPv6 packets to be fragmented into smaller pieces such that they fit
84 in the Path-MTU to the intended destination(s).
86 Section 5 of [RFC2460] states that, when a host receives an ICMPv6
87 "Packet Too Big" message [RFC4443] advertising a "Next-Hop MTU"
88 smaller than 1280 (the minimum IPv6 MTU), the host is not required to
89 reduce the assumed Path-MTU, but must simply include a Fragment
90 Header in all subsequent packets sent to that destination. The
91 resulting packets will thus *not* be actually fragmented into several
92 pieces, but rather just include a Fragment Header with both the
93 "Fragment Offset" and the "M" flag set to 0 (we refer to these
94 packets as "atomic fragments"). As required by [RFC6946], these
95 atomic fragments are essentially processed by the destination host as
96 non-fragment traffic (since there are not really any fragments to be
97 reassembled). IPv6/IPv4 translators will typically employ the
98 Fragment Identification information found in the Fragment Header to
99 select an appropriate Fragment Identification value for the resulting
100 IPv4 fragments.
102 While atomic fragments might seem rather benign, there are scenarios
103 in which the generation of IPv6 atomic fragments can introduce an
104 attack vector that can be exploited for denial of service purposes.
105 Since there are concrete security implications arising from the
106 generation of IPv6 atomic fragments, and there is no real gain in
107 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
108 translators generate a Fragment Identification value themselves),
109 this document formally updates [RFC2460], forbidding the generation
110 of IPv6 atomic fragments, such that the aforementioned attack vector
111 is eliminated. Additionally, it formally updates [RFC6145] such that
112 the Stateless IP/ICMP Translation Algorithm (SIIT) does not rely on
113 the generation of IPv6 atomic fragments.
115 Section 3 describes some possible attack scenarios. Section 4
116 provides additional considerations regarding the usefulness of
117 generating IPv6 atomic fragments. Section 5 formally updates RFC2460
118 such that this attack vector is eliminated. Section 6 formally
119 updates RFC6145 such that it does not relies on the generation of
120 IPv6 atomic fragments.
122 2. Terminology
124 IPv6 atomic fragments
125 IPv6 packets that contain a Fragment Header with the Fragment
126 Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]).
128 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
129 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
130 document are to be interpreted as described in RFC 2119 [RFC2119].
132 3. Denial of Service (DoS) attack vector
134 Let us assume that Host A is communicating with Server B, and that,
135 as a result of the widespread filtering of IPv6 packets with
136 extension headers (including fragmentation)
137 [I-D.gont-v6ops-ipv6-ehs-in-real-world], some intermediate node
138 filters fragments between Host A and Server B. If an attacker sends
139 a forged ICMPv6 "Packet Too Big" (PTB) error message to server B,
140 reporting a Next-Hop MTU smaller than 1280, this will trigger the
141 generation of IPv6 atomic fragments from that moment on (as required
142 by [RFC2460]). When server B starts sending IPv6 atomic fragments
143 (in response to the received ICMPv6 PTB), these packets will be
144 dropped, since we previously noted that packets with IPv6 EHs were
145 being dropped between Host A and Server B. Thus, this situation will
146 result in a Denial of Service (DoS) scenario.
148 Another possible scenario is that in which two BGP peers are
149 employing IPv6 transport, and they implement ACLs to drop IPv6
150 fragments (to avoid control-plane attacks). If the aforementioned
151 BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet
152 Too Big error messages, an attacker could easily attack the peering
153 session by simply sending an ICMPv6 PTB message with a reported MTU
154 smaller than 1280 bytes. Once the attack packet has been fired, it
155 will be the aforementioned routers themselves the ones dropping their
156 own traffic.
158 The aforementioned attack vector is exacerbated by the following
159 factors:
161 o The attacker does not need to forge the IPv6 Source Address of his
162 attack packets. Hence, deployment of simple BCP38 filters will
163 not help as a counter-measure.
165 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
166 payload need to be forged. While one could envision filtering
167 devices enforcing BCP38-style filters on the ICMPv6 payload, the
168 use of extension (by the attacker) could make this difficult, if
169 at all possible.
171 o Many implementations fail to perform validation checks on the
172 received ICMPv6 error messages, as recommended in Section 5.2 of
173 [RFC4443] and documented in [RFC5927]. It should be noted that in
174 some cases, such as when an ICMPv6 error message has (supposedly)
175 been elicited by a connection-less transport protocol (or some
176 other connection-less protocol being encapsulated in IPv6), it may
177 be virtually impossible to perform validation checks on the
178 received ICMPv6 error messages. And, because of IPv6 extension
179 headers, the ICMPv6 payload might not even contain any useful
180 information on which to perform validation checks.
182 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
183 error messages, the Destination Cache [RFC4861] is usually updated
184 to reflect that any subsequent packets to such destination should
185 include a Fragment Header. This means that a single ICMPv6
186 "Packet Too Big" error message might affect multiple communication
187 instances (e.g., TCP connections) with such destination.
189 o As noted in Section 4, SIIT [RFC6145] (including derivative
190 protocols such as Stateful NAT64 [RFC6146]) is the only technology
191 which currently makes use of atomic fragments. Unfortunately, an
192 IPv6 node cannot easily limit its exposure to the aforementioned
193 attack vector by only generating IPv6 atomic fragments towards
194 IPv4 destinations behind a stateless translator. This is due to
195 the fact that Section 3.3 of RFC6052 [RFC6052] encourages
196 operators to use a Network-Specific Prefix (NSP) that maps the
197 IPv4 address space into IPv6. When an NSP is being used, IPv6
198 addresses representing IPv4 nodes (reached through a stateless
199 translator) are indistinguishable from native IPv6 addresses.
201 4. Additional Considerations
203 Besides the security assessment provided in Section 3, it is
204 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
205 translating router rely on the generation of IPv6 atomic fragments.
207 Relying on the generation of IPv6 atomic fragments implies a reliance
208 on:
210 1. ICMPv6 packets arriving from the translator to the IPv6 node
212 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
213 an MTU smaller than 1280 bytes to actually produce atomic
214 fragments
216 3. Support for IPv6 fragmentation on the IPv6 side of the translator
218 Unfortunately,
220 o There exists a fair share of evidence of ICMPv6 Packet Too Big
221 messages being dropped on the public Internet (for instance, that
222 is one of the reasons for which PLPMTUD [RFC4821] was produced).
223 Therefore, relying on such messages being successfully delivered
224 will affect the robustness of the protocol that relies on them.
226 o A number of IPv6 implementations have been known to fail to
227 generate IPv6 atomic fragments in response to ICMPv6 PTB messages
228 reporting an MTU smaller than 1280 bytes (see Appendix A for a
229 small survey). Additionally, results included in Section 6 of
230 [RFC6145] note that 57% of the tested web servers failed to
231 produce IPv6 atomic fragments in response to ICMPv6 PTB messages
232 reporting an MTU smaller than 1280 bytes. Thus, any protocol
233 relying on IPv6 atomic fragment generation for proper functioning
234 will have interoperability problems with the aforementioned IPv6
235 stacks.
237 o IPv6 atomic fragment generation represents a case in which
238 fragmented traffic is produced where otherwise it would not be
239 needed. Since there is widespread filtering of IPv6 fragments in
240 the public Internet [I-D.gont-v6ops-ipv6-ehs-in-real-world], this
241 would mean that the (unnecessary) use of IPv6 fragmentation might
242 result, unnecessarily, in a Denial of Service situation even in
243 legitimate cases.
245 Finally, we note that SIIT essentially employs the Fragment Header of
246 IPv6 atomic fragments to signal the translator how to set the DF bit
247 of IPv4 datagrams (the DF bit is cleared when the IPv6 packet
248 contains a Fragment Header, and is otherwise set to 1 when the IPv6
249 packet does not contain an IPv6 Fragment Header). Additionally, the
250 translator will employ the low-order 16-bits of the IPv6 Fragment
251 Identification for setting the IPv4 Fragment Identification. At
252 least in theory, this is expected to reduce the Fragment ID collision
253 rate in the following specific scenario:
255 1. An IPv6 node communicates with an IPv4 node (through SIIT)
257 2. The IPv4 node is located behind an IPv4 link with an MTU < 1260
259 3. ECMP routing [RFC2992] with more than one translator are employed
260 for e.g., redundancy purposes
262 In such a scenario, if each translator were to select the IPv4
263 Fragment Identification on its own (rather than selecting the IPv4
264 Fragment ID from the low-order 16-bits of the Fragment Identification
265 of atomic fragments), this could possibly lead to IPv4 Fragment ID
266 collisions. However, since a number of implementations set IPv6
267 Fragment ID according to the output of a Pseudo-Random Number
268 Generator (PRNG) (see Appendix B of
269 [I-D.ietf-6man-predictable-fragment-id]) and the translator only
270 employs the low-order 16-bits of such value, it is very unlikely that
271 relying on the Fragment ID of the IPv6 atomic fragment will result in
272 a reduced Fragment ID collision rate (when compared to the case where
273 the translator selects each IPv4 Fragment ID on its own).
275 Finally, we note that [RFC6145] is currently the only "consumer" of
276 IPv6 atomic fragments, and it correctly and diligently notes (in
277 Section 6) the possible interoperability problems of relying on IPv6
278 atomic fragments, proposing as a workaround something very similar to
279 what we propose in Section 6. We believe that, by making the more
280 robust behavior the default behavior of the "IP/ICMP Translation
281 Algorithm", robustness is improved, and the corresponding code is
282 simplified.
284 5. Updating RFC2460
286 The following text from Section 5 of [RFC2460]:
288 "In response to an IPv6 packet that is sent to an IPv4 destination
289 (i.e., a packet that undergoes translation from IPv6 to IPv4), the
290 originating IPv6 node may receive an ICMP Packet Too Big message
291 reporting a Next-Hop MTU less than 1280. In that case, the IPv6
292 node is not required to reduce the size of subsequent packets to
293 less than 1280, but must include a Fragment header in those
294 packets so that the IPv6-to-IPv4 translating router can obtain a
295 suitable Identification value to use in resulting IPv4 fragments.
296 Note that this means the payload may have to be reduced to 1232
297 octets (1280 minus 40 for the IPv6 header and 8 for the Fragment
298 header), and smaller still if additional extension headers are
299 used."
301 is formally replaced with:
303 "An IPv6 node that receives an ICMPv6 Packet Too Big error message
304 that reports a Next-Hop MTU smaller than 1280 bytes (the minimum
305 IPv6 MTU) MUST NOT include a Fragment header in subsequent packets
306 sent to the corresponding destination. That is, IPv6 nodes MUST
307 NOT generate IPv6 atomic fragments."
309 6. Updating RFC6145
311 The following text from Section 4 (Translating from IPv4 to IPv6) of
312 [RFC6145]:
314 ---------------- cut here -------------- cut here ----------------
315 When the IPv4 sender does not set the DF bit, the translator SHOULD
316 always include an IPv6 Fragment Header to indicate that the sender
317 allows fragmentation. The translator MAY provide a configuration
318 function that allows the translator not to include the Fragment
319 Header for the non-fragmented IPv6 packets.
321 The rules in Section 4.1 ensure that when packets are fragmented,
322 either by the sender or by IPv4 routers, the low-order 16 bits of the
323 fragment identification are carried end-to-end, ensuring that packets
324 are correctly reassembled. In addition, the rules in Section 4.1 use
325 the presence of an IPv6 Fragment Header to indicate that the sender
326 might not be using path MTU discovery (i.e., the packet should not
327 have the DF flag set should it later be translated back to IPv4).
328 ---------------- cut here -------------- cut here ----------------
330 is formally replaced with:
332 ---------------- cut here -------------- cut here ----------------
333 The rules in Section 4.1 ensure that when packets are fragmented,
334 either by the sender or by IPv4 routers, the low-order 16 bits of the
335 fragment identification are carried end-to-end, ensuring that packets
336 are correctly reassembled.
337 ---------------- cut here -------------- cut here ----------------
339 The following text from Section 4.1 ("Translating IPv4 Headers into
340 IPv6 Headers") of [RFC6145]:
342 ---------------- cut here -------------- cut here ----------------
343 If there is a need to add a Fragment Header (the DF bit is not set or
344 the packet is a fragment), the header fields are set as above with
345 the following exceptions:
346 ---------------- cut here -------------- cut here ----------------
348 is formally replaced with:
350 ---------------- cut here -------------- cut here ----------------
351 If there is a need to add a Fragment Header (the packet is a
352 fragment), the header fields are set as above with the following
353 exceptions:
354 ---------------- cut here -------------- cut here ----------------
356 The following text from Section 4.2 ("Translating ICMPv4 Headers into
357 ICMPv6 Headers") of [RFC6145]:
359 ---------------- cut here -------------- cut here ----------------
360 Code 4 (Fragmentation Needed and DF was Set): Translate to
361 an ICMPv6 Packet Too Big message (Type 2) with Code set
362 to 0. The MTU field MUST be adjusted for the difference
363 between the IPv4 and IPv6 header sizes, i.e.,
364 minimum(advertised MTU+20, MTU_of_IPv6_nexthop,
365 (MTU_of_IPv4_nexthop)+20). Note that if the IPv4 router
366 set the MTU field to zero, i.e., the router does not
367 implement [RFC1191], then the translator MUST use the
368 plateau values specified in [RFC1191] to determine a
369 likely path MTU and include that path MTU in the ICMPv6
370 packet. (Use the greatest plateau value that is less
371 than the returned Total Length field.)
372 ---------------- cut here -------------- cut here ----------------
374 is formally replaced with:
376 ---------------- cut here -------------- cut here ----------------
377 Code 4 (Fragmentation Needed and DF was Set): Translate to
378 an ICMPv6 Packet Too Big message (Type 2) with Code set
379 to 0. The MTU field MUST be adjusted for the difference
380 between the IPv4 and IPv6 header sizes, but MUST NOT be
381 set to a value smaller than the minimum IPv6 MTU
382 (1280 bytes). That is, it should be set to maximum(1280,
383 minimum(advertised MTU+20, MTU_of_IPv6_nexthop,
384 (MTU_of_IPv4_nexthop)+20)). Note that if the IPv4 router
385 set the MTU field to zero, i.e., the router does not
386 implement [RFC1191], then the translator MUST use the
387 plateau values specified in [RFC1191] to determine a
388 likely path MTU and include that path MTU in the ICMPv6
389 packet. (Use the greatest plateau value that is less
390 than the returned Total Length field, but that is larger
391 than or equal to 1280.)
392 ---------------- cut here -------------- cut here ----------------
394 The following text from Section 5 ("Translating from IPv6 to IPv4")
395 of [RFC6145]:
397 ---------------- cut here -------------- cut here ----------------
398 There are some differences between IPv6 and IPv4 (in the areas of
399 fragmentation and the minimum link MTU) that affect the translation.
400 An IPv6 link has to have an MTU of 1280 bytes or greater. The
401 corresponding limit for IPv4 is 68 bytes. Path MTU discovery across
402 a translator relies on ICMP Packet Too Big messages being received
403 and processed by IPv6 hosts, including an ICMP Packet Too Big that
404 indicates the MTU is less than the IPv6 minimum MTU. This
405 requirement is described in Section 5 of [RFC2460] (for IPv6's
406 1280-octet minimum MTU) and Section 5 of [RFC1883] (for IPv6's
407 previous 576-octet minimum MTU).
409 In an environment where an ICMPv4 Packet Too Big message is
410 translated to an ICMPv6 Packet Too Big message, and the ICMPv6 Packet
411 Too Big message is successfully delivered to and correctly processed
412 by the IPv6 hosts (e.g., a network owned/operated by the same entity
413 that owns/operates the translator), the translator can rely on IPv6
414 hosts sending subsequent packets to the same IPv6 destination with
415 IPv6 Fragment Headers. In such an environment, when the translator
416 receives an IPv6 packet with a Fragment Header, the translator SHOULD
417 generate the IPv4 packet with a cleared Don't Fragment bit, and with
418 its identification value from the IPv6 Fragment Header, for all of
419 the IPv6 fragments (MF=0 or MF=1).
421 In an environment where an ICMPv4 Packet Too Big message is filtered
422 (by a network firewall or by the host itself) or not correctly
423 processed by the IPv6 hosts, the IPv6 host will never generate an
424 IPv6 packet with the IPv6 Fragment Header. In such an environment,
425 the translator SHOULD set the IPv4 Don't Fragment bit. While setting
426 the Don't Fragment bit may create PMTUD black holes [RFC2923] if
427 there are IPv4 links smaller than 1260 octets, this is considered
428 safer than causing IPv4 reassembly errors [RFC4963].
429 ---------------- cut here -------------- cut here ----------------
431 is formally replaced with:
433 ---------------- cut here -------------- cut here ----------------
434 There are some differences between IPv6 and IPv4 (in the areas of
435 fragmentation and the minimum link MTU) that affect the translation.
436 An IPv6 link has to have an MTU of 1280 bytes or greater. The
437 corresponding limit for IPv4 is 68 bytes. Path MTU discovery across
438 a translator relies on ICMP Packet Too Big messages being received
439 and processed by IPv6 hosts.
441 The difference in the minimum MTUs of IPv4 and IPv6 is accommodated
442 as follows:
444 o When translating an ICMPv4 "Fragmentation Needed" packet, the
445 indicated MTU in the resulting ICMPv6 "Packet Too Big" will
446 never be set to a value lower than 1280. This ensures that the
447 IPv6 nodes will never have to encounter or handle Path MTU
448 values lower than the minimum IPv6 link MTU of 1280. See
449 Section 4.2.
451 o When the resulting IPv4 packet is smaller than or equal to 1260
452 bytes, the translator MUST send the packet with a cleared Don't
453 Fragment bit. Otherwise, the packet MUST be sent with the Don't
454 Fragment bit set. See Section 5.1.
456 This approach allows Path MTU Discovery to operate end-to-end for
457 paths whose MTU are not smaller than minimum IPv6 MTU of 1280 (which
458 corresponds to MTU of 1260 in the IPv4 domain). On paths that have
459 IPv4 links with MTU < 1260, the IPv4 router(s) connected to those
460 links will fragment the packets in accordance with Section 2.3 of
461 [RFC0791].
462 ---------------- cut here -------------- cut here ----------------
464 The following text from Section 5.1 ("Translating IPv6 Headers into
465 IPv4 Headers") of [RFC6145]:
467 ---------------- cut here -------------- cut here ----------------
468 Identification: All zero. In order to avoid black holes caused by
469 ICMPv4 filtering or non-[RFC2460]-compatible IPv6 hosts (a
470 workaround is discussed in Section 6), the translator MAY provide
471 a function to generate the identification value if the packet size
472 is greater than 88 bytes and less than or equal to 1280 bytes.
473 The translator SHOULD provide a method for operators to enable or
474 disable this function.
476 Flags: The More Fragments flag is set to zero. The Don't Fragment
477 (DF) flag is set to one. In order to avoid black holes caused by
478 ICMPv4 filtering or non-[RFC2460]-compatible IPv6 hosts (a
479 workaround is discussed in Section 6), the translator MAY provide
480 a function as follows. If the packet size is greater than 88
481 bytes and less than or equal to 1280 bytes, it sets the DF flag to
482 zero; otherwise, it sets the DF flag to one. The translator
483 SHOULD provide a method for operators to enable or disable this
484 function.
485 ---------------- cut here -------------- cut here ----------------
487 is formally replaced with:
489 ---------------- cut here -------------- cut here ----------------
490 Identification: Set according to a Fragment Identification
491 generator at the translator.
493 Flags: The More Fragments flag is set to zero. The Don't Fragment
494 (DF) flag is set as follows: If the size of the translated IPv4
495 packet is less than or equal to 1260 bytes, it is set to zero;
496 otherwise, it is set to one.
497 ---------------- cut here -------------- cut here ----------------
499 The following text from Section 5.1.1 ("IPv6 Fragment Processing") of
500 [RFC6145]:
502 ---------------- cut here -------------- cut here ----------------
503 If a translated packet with DF set to 1 will be larger than the MTU
504 of the next-hop interface, then the translator MUST drop the packet
505 and send the ICMPv6 Packet Too Big (Type 2, Code 0) error message to
506 the IPv6 host with an adjusted MTU in the ICMPv6 message.
507 ---------------- cut here -------------- cut here ----------------
509 is formally replaced with:
511 ---------------- cut here -------------- cut here ----------------
512 If an IPv6 packet that is smaller than or equal to 1280 bytes results
513 (after translation) in an IPv4 packet that is larger than the MTU of
514 the next-hop interface, then the translator MUST perform IPv4
515 fragmentation on that packet such that it can be transferred over the
516 constricting link.
517 ---------------- cut here -------------- cut here ----------------
519 Finally, the following text from 6 ("Special Considerations for
520 ICMPv6 Packet Too Big") of [RFC6145]:
522 ---------------- cut here -------------- cut here ----------------
523 Two recent studies analyzed the behavior of IPv6-capable web servers
524 on the Internet and found that approximately 95% responded as
525 expected to an IPv6 Packet Too Big that indicated MTU = 1280, but
526 only 43% responded as expected to an IPv6 Packet Too Big that
527 indicated an MTU < 1280. It is believed that firewalls violating
528 Section 4.3.1 of [RFC4890] are at fault. Both failures (the 5% wrong
529 response when MTU = 1280 and the 57% wrong response when MTU < 1280)
530 will cause PMTUD black holes [RFC2923]. Unfortunately, the
531 translator cannot improve the failure rate of the first case (MTU =
532 1280), but the translator can improve the failure rate of the second
533 case (MTU < 1280). There are two approaches to resolving the problem
534 with sending ICMPv6 messages indicating an MTU < 1280. It SHOULD be
535 possible to configure a translator for either of the two approaches.
537 The first approach is to constrain the deployment of the IPv6/IPv4
538 translator by observing that four of the scenarios intended for
539 stateless IPv6/IPv4 translators do not have IPv6 hosts on the
540 Internet (Scenarios 1, 2, 5, and 6 described in [RFC6144], which
541 refer to "An IPv6 network"). In these scenarios, IPv6 hosts, IPv6-
542 host-based firewalls, and IPv6 network firewalls can be administered
543 in compliance with Section 4.3.1 of [RFC4890] and therefore avoid the
544 problem witnessed with IPv6 hosts on the Internet.
546 The second approach is necessary if the translator has IPv6 hosts,
547 IPv6-host-based firewalls, or IPv6 network firewalls that do not (or
548 cannot) comply with Section 5 of [RFC2460] -- such as IPv6 hosts on
549 the Internet. This approach requires the translator to do the
550 following:
552 1. In the IPv4-to-IPv6 direction: if the MTU value of ICMPv4 Packet
553 Too Big (PTB) messages is less than 1280, change it to 1280.
554 This is intended to cause the IPv6 host and IPv6 firewall to
555 process the ICMP PTB message and generate subsequent packets to
556 this destination with an IPv6 Fragment Header.
558 Note: Based on recent studies, this is effective for 95% of IPv6
559 hosts on the Internet.
561 2. In the IPv6-to-IPv4 direction:
563 A. If there is a Fragment Header in the IPv6 packet, the last 16
564 bits of its value MUST be used for the IPv4 identification
565 value.
567 B. If there is no Fragment Header in the IPv6 packet:
569 a. If the packet is less than or equal to 1280 bytes:
571 - The translator SHOULD set DF to 0 and generate an IPv4
572 identification value.
574 - To avoid the problems described in [RFC4963], it is
575 RECOMMENDED that the translator maintain 3-tuple state
576 for generating the IPv4 identification value.
578 b. If the packet is greater than 1280 bytes, the translator
579 SHOULD set the IPv4 DF bit to 1.
580 ---------------- cut here -------------- cut here ----------------
582 is formally replaced with:
584 ---------------- cut here -------------- cut here ----------------
585 A number of studies (see e.g. ) indicate that it not unusual for networks
586 to drop ICMPv6 Packet Too Big error messages. Such packet drops will
587 result in PMTUD blackholes [RFC2923], which can only be overcome with
588 PLPMTUD [RFC4821].
589 ---------------- cut here -------------- cut here ----------------
591 7. IANA Considerations
593 There are no IANA registries within this document. The RFC-Editor
594 can remove this section before publication of this document as an
595 RFC.
597 8. Security Considerations
599 This document describes a Denial of Service (DoS) attack vector that
600 leverages the widespread filtering of IPv6 fragments in the public
601 Internet by means of ICMPv6 PTB error messages. Additionally, it
602 formally updates [RFC2460] such that this attack vector is
603 eliminated, and also formally updated [RFC6145] such that it does not
604 rely on IPv6 atomic fragments.
606 9. Acknowledgements
608 The authors would like to thank (in alphabetical order) Alberto
609 Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar,
610 and Erik Nordmark, for providing valuable comments on earlier
611 versions of this document.
613 Fernando Gont would like to thank Jan Zorz and Go6 Lab
614 for providing access to systems and networks that
615 were employed to produce some of tests that resulted in the
616 publication of this document. Additionally, he would like to thank
617 SixXS for providing IPv6 connectivity.
619 10. References
621 10.1. Normative References
623 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
624 (IPv6) Specification", RFC 2460, December 1998.
626 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
627 Requirement Levels", BCP 14, RFC 2119, March 1997.
629 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
630 Message Protocol (ICMPv6) for the Internet Protocol
631 Version 6 (IPv6) Specification", RFC 4443, March 2006.
633 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
634 Discovery", RFC 4821, March 2007.
636 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
637 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
638 September 2007.
640 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
641 Algorithm", RFC 6145, April 2011.
643 10.2. Informative References
645 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC
646 2923, September 2000.
648 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
649 Algorithm", RFC 2992, November 2000.
651 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.
653 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
654 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
655 October 2010.
657 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
658 NAT64: Network Address and Protocol Translation from IPv6
659 Clients to IPv4 Servers", RFC 6146, April 2011.
661 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC
662 6946, May 2013.
664 [I-D.ietf-6man-predictable-fragment-id]
665 Gont, F., "Security Implications of Predictable Fragment
666 Identification Values", draft-ietf-6man-predictable-
667 fragment-id-05 (work in progress), April 2015.
669 [I-D.gont-v6ops-ipv6-ehs-in-real-world]
670 Gont, F., Linkova, J., Chown, T., and W. Will,
671 "Observations on IPv6 EH Filtering in the Real World",
672 draft-gont-v6ops-ipv6-ehs-in-real-world-02 (work in
673 progress), March 2015.
675 [Morbitzer]
676 Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
677 Thesis number: 670. Department of Computing Science,
678 Radboud University Nijmegen. August 2013,
679 .
682 Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic
683 Fragments
685 [This section will probably be removed from this document before it
686 is published as an RFC].
688 This section includes a non-exhaustive list of operating systems that
689 *fail* to produce IPv6 atomic fragments. It is based on the results
690 published in [RFC6946] and [Morbitzer].
692 The following Operating Systems fail to generate IPv6 atomic
693 fragments in response to ICMPv6 PTB messages that report an MTU
694 smaller than 1280 bytes:
696 o FreeBSD 8.0
698 o Linux kernel 2.6.32
700 o Linux kernel 3.2
701 o Mac OS X 10.6.7
703 o NetBSD 5.1
705 Authors' Addresses
707 Fernando Gont
708 SI6 Networks / UTN-FRH
709 Evaristo Carriego 2644
710 Haedo, Provincia de Buenos Aires 1706
711 Argentina
713 Phone: +54 11 4650 8472
714 Email: fgont@si6networks.com
715 URI: http://www.si6networks.com
717 Will(Shucheng) Liu
718 Huawei Technologies
719 Bantian, Longgang District
720 Shenzhen 518129
721 P.R. China
723 Email: liushucheng@huawei.com
725 Tore Anderson
726 Redpill Linpro
727 Vitaminveien 1A
728 Oslo 0485
729 Norway
731 Phone: +47 959 31 212
732 Email: tore@redpill-linpro.com
733 URI: http://www.redpill-linpro.com