idnits 2.17.1
draft-ietf-6man-deprecate-atomfrag-generation-02.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document updates RFC6145, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2460, updated by this document, for
RFC5378 checks: 1997-07-30)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (July 4, 2015) is 3213 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC2923' is defined on line 351, but no explicit
reference was found in the text
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915)
== Outdated reference: A later version (-10) exists of
draft-ietf-6man-predictable-fragment-id-08
== Outdated reference: A later version (-02) exists of
draft-ietf-v6ops-ipv6-ehs-in-real-world-00
Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 2460, 6145 (if approved) W. Liu
5 Intended status: Standards Track Huawei Technologies
6 Expires: January 5, 2016 T. Anderson
7 Redpill Linpro
8 July 4, 2015
10 Deprecating the Generation of IPv6 Atomic Fragments
11 draft-ietf-6man-deprecate-atomfrag-generation-02
13 Abstract
15 The core IPv6 specification requires that when a host receives an
16 ICMPv6 "Packet Too Big" message reporting an MTU smaller than 1280
17 bytes, the host includes a Fragment Header in all subsequent packets
18 sent to that destination, without reducing the assumed Path-MTU. The
19 simplicity with which ICMPv6 "Packet Too Big" messages can be forged,
20 coupled with the widespread filtering of IPv6 fragments, results in
21 an attack vector that can be leveraged for Denial of Service
22 purposes. This document briefly discusses the aforementioned attack
23 vector, and formally updates RFC2460 such that generation of IPv6
24 atomic fragments is deprecated, thus eliminating the aforementioned
25 attack vector.
27 Status of This Memo
29 This Internet-Draft is submitted in full conformance with the
30 provisions of BCP 78 and BCP 79.
32 Internet-Drafts are working documents of the Internet Engineering
33 Task Force (IETF). Note that other groups may also distribute
34 working documents as Internet-Drafts. The list of current Internet-
35 Drafts is at http://datatracker.ietf.org/drafts/current/.
37 Internet-Drafts are draft documents valid for a maximum of six months
38 and may be updated, replaced, or obsoleted by other documents at any
39 time. It is inappropriate to use Internet-Drafts as reference
40 material or to cite them other than as "work in progress."
42 This Internet-Draft will expire on January 5, 2016.
44 Copyright Notice
46 Copyright (c) 2015 IETF Trust and the persons identified as the
47 document authors. All rights reserved.
49 This document is subject to BCP 78 and the IETF Trust's Legal
50 Provisions Relating to IETF Documents
51 (http://trustee.ietf.org/license-info) in effect on the date of
52 publication of this document. Please review these documents
53 carefully, as they describe your rights and restrictions with respect
54 to this document. Code Components extracted from this document must
55 include Simplified BSD License text as described in Section 4.e of
56 the Trust Legal Provisions and are provided without warranty as
57 described in the Simplified BSD License.
59 Table of Contents
61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
62 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
63 3. Denial of Service (DoS) attack vector . . . . . . . . . . . . 3
64 4. Additional Considerations . . . . . . . . . . . . . . . . . . 5
65 5. Updating RFC2460 . . . . . . . . . . . . . . . . . . . . . . 6
66 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
67 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
68 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
69 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
70 9.1. Normative References . . . . . . . . . . . . . . . . . . 7
71 9.2. Informative References . . . . . . . . . . . . . . . . . 8
72 Appendix A. Small Survey of OSes that Fail to Produce IPv6
73 Atomic Fragments . . . . . . . . . . . . . . . . . . 9
74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
76 1. Introduction
78 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
79 IPv6 packets to be fragmented into smaller pieces such that they fit
80 in the Path-MTU to the intended destination(s).
82 Section 5 of [RFC2460] states that, when a host receives an ICMPv6
83 "Packet Too Big" message [RFC4443] advertising an MTU smaller than
84 1280 bytes (the minimum IPv6 MTU), the host is not required to reduce
85 the assumed Path-MTU, but must simply include a Fragment Header in
86 all subsequent packets sent to that destination. The resulting
87 packets will thus *not* be actually fragmented into several pieces,
88 but rather just include a Fragment Header with both the "Fragment
89 Offset" and the "M" flag set to 0 (we refer to these packets as
90 "atomic fragments"). As required by [RFC6946], these atomic
91 fragments are essentially processed by the destination host as non-
92 fragment traffic (since there are not really any fragments to be
93 reassembled). The goal of these atomic fragments has been to convey
94 an appropriate Fragment Identification value to be employed by IPv6/
95 IPv4 translators for the resulting IPv4 fragments.
97 While atomic fragments might seem rather benign, there are scenarios
98 in which the generation of IPv6 atomic fragments can introduce an
99 attack vector that can be exploited for denial of service purposes.
100 Since there are concrete security implications arising from the
101 generation of IPv6 atomic fragments, and there is no real gain in
102 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
103 translators generate a Fragment Identification value themselves),
104 this document formally updates [RFC2460], forbidding the generation
105 of IPv6 atomic fragments, such that the aforementioned attack vector
106 is eliminated.
108 Section 3 describes some possible attack scenarios. Section 4
109 provides additional considerations regarding the usefulness of
110 generating IPv6 atomic fragments. Section 5 formally updates RFC2460
111 such that this attack vector is eliminated.
113 2. Terminology
115 IPv6 atomic fragments
116 IPv6 packets that contain a Fragment Header with the Fragment
117 Offset set to 0 and the M flag set to 0 (as defined by [RFC6946]).
119 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
120 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
121 document are to be interpreted as described in RFC 2119 [RFC2119].
123 3. Denial of Service (DoS) attack vector
125 Let us assume that Host A is communicating with Server B, and that,
126 as a result of the widespread filtering of IPv6 packets with
127 extension headers (including fragmentation)
128 [I-D.ietf-v6ops-ipv6-ehs-in-real-world], some intermediate node
129 filters fragments between Host A and Server B. If an attacker sends
130 a forged ICMPv6 "Packet Too Big" (PTB) error message to server B,
131 reporting an MTU smaller than 1280, this will trigger the generation
132 of IPv6 atomic fragments from that moment on (as required by
133 [RFC2460]). When server B starts sending IPv6 atomic fragments (in
134 response to the received ICMPv6 PTB), these packets will be dropped,
135 since we previously noted that packets with IPv6 EHs were being
136 dropped between Host A and Server B. Thus, this situation will
137 result in a Denial of Service (DoS) scenario.
139 Another possible scenario is that in which two BGP peers are
140 employing IPv6 transport, and they implement ACLs to drop IPv6
141 fragments (to avoid control-plane attacks). If the aforementioned
142 BGP peers drop IPv6 fragments but still honor received ICMPv6 Packet
143 Too Big error messages, an attacker could easily attack the peering
144 session by simply sending an ICMPv6 PTB message with a reported MTU
145 smaller than 1280 bytes. Once the attack packet has been sent, it
146 will be the aforementioned routers themselves the ones dropping their
147 own traffic.
149 The aforementioned attack vector is exacerbated by the following
150 factors:
152 o The attacker does not need to forge the IPv6 Source Address of his
153 attack packets. Hence, deployment of simple BCP38 filters will
154 not help as a counter-measure.
156 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
157 payload needs to be forged. While one could envision filtering
158 devices enforcing BCP38-style filters on the ICMPv6 payload, the
159 use of extension headers (by the attacker) could make this
160 difficult, if at all possible.
162 o Many implementations fail to perform validation checks on the
163 received ICMPv6 error messages, as recommended in Section 5.2 of
164 [RFC4443] and documented in [RFC5927]. It should be noted that in
165 some cases, such as when an ICMPv6 error message has (supposedly)
166 been elicited by a connection-less transport protocol (or some
167 other connection-less protocol being encapsulated in IPv6), it may
168 be virtually impossible to perform validation checks on the
169 received ICMPv6 error messages. And, because of IPv6 extension
170 headers, the ICMPv6 payload might not even contain any useful
171 information on which to perform validation checks.
173 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
174 error messages, the Destination Cache [RFC4861] is usually updated
175 to reflect that any subsequent packets to such destination should
176 include a Fragment Header. This means that a single ICMPv6
177 "Packet Too Big" error message might affect multiple communication
178 instances (e.g., TCP connections) with such destination.
180 o As noted in Section 4, SIIT [RFC6145] (including derivative
181 protocols such as Stateful NAT64 [RFC6146]) is the only technology
182 which currently makes use of atomic fragments. Unfortunately, an
183 IPv6 node cannot easily limit its exposure to the aforementioned
184 attack vector by only generating IPv6 atomic fragments towards
185 IPv4 destinations behind a stateless translator. This is due to
186 the fact that Section 3.3 of RFC6052 [RFC6052] encourages
187 operators to use a Network-Specific Prefix (NSP) that maps the
188 IPv4 address space into IPv6. When an NSP is being used, IPv6
189 addresses representing IPv4 nodes (reached through a stateless
190 translator) are indistinguishable from native IPv6 addresses.
192 4. Additional Considerations
194 Besides the security assessment provided in Section 3, it is
195 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
196 translating router rely on the generation of IPv6 atomic fragments.
198 Relying on the generation of IPv6 atomic fragments implies a reliance
199 on:
201 1. ICMPv6 packets arriving from the translator to the IPv6 node
203 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
204 an MTU smaller than 1280 bytes to actually produce atomic
205 fragments
207 3. Support for IPv6 fragmentation on the IPv6 side of the translator
209 Unfortunately,
211 o There exists a fair share of evidence of ICMPv6 Packet Too Big
212 messages being dropped on the public Internet (for instance, that
213 is one of the reasons for which PLPMTUD [RFC4821] was produced).
214 Therefore, relying on such messages being successfully delivered
215 will affect the robustness of the protocol that relies on them.
217 o A number of IPv6 implementations have been known to fail to
218 generate IPv6 atomic fragments in response to ICMPv6 PTB messages
219 reporting an MTU smaller than 1280 bytes (see Appendix A for a
220 small survey). Additionally, the results included in Section 6 of
221 [RFC6145] note that 57% of the tested web servers failed to
222 produce IPv6 atomic fragments in response to ICMPv6 PTB messages
223 reporting an MTU smaller than 1280 bytes. Thus, any protocol
224 relying on IPv6 atomic fragment generation for proper functioning
225 will have interoperability problems with the aforementioned IPv6
226 stacks.
228 o IPv6 atomic fragment generation represents a case in which
229 fragmented traffic is produced where otherwise it would not be
230 needed. Since there is widespread filtering of IPv6 fragments in
231 the public Internet [I-D.ietf-v6ops-ipv6-ehs-in-real-world], this
232 would mean that the (unnecessary) use of IPv6 fragmentation might
233 result, unnecessarily, in a Denial of Service situation even in
234 legitimate cases.
236 Finally, we note that SIIT essentially employs the Fragment Header of
237 IPv6 atomic fragments to signal the translator how to set the DF bit
238 of IPv4 datagrams (the DF bit is cleared when the IPv6 packet
239 contains a Fragment Header, and is otherwise set to 1 when the IPv6
240 packet does not contain an IPv6 Fragment Header). Additionally, the
241 translator will employ the low-order 16-bits of the IPv6 Fragment
242 Identification for setting the IPv4 Fragment Identification. At
243 least in theory, this is expected to reduce the Fragment ID collision
244 rate in the following specific scenario:
246 1. An IPv6 node communicates with an IPv4 node (through SIIT)
248 2. The IPv4 node is located behind an IPv4 link with an MTU < 1260
250 3. ECMP routing [RFC2992] with more than one translator is employed
251 for e.g., redundancy purposes
253 In such a scenario, if each translator were to select the IPv4
254 Fragment Identification on its own (rather than selecting the IPv4
255 Fragment ID from the low-order 16-bits of the Fragment Identification
256 of atomic fragments), this could possibly lead to IPv4 Fragment ID
257 collisions. However, since a number of implementations set IPv6
258 Fragment ID according to the output of a Pseudo-Random Number
259 Generator (PRNG) (see Appendix B of
260 [I-D.ietf-6man-predictable-fragment-id]) and the translator only
261 employs the low-order 16-bits of such value, it is very unlikely that
262 relying on the Fragment ID of the IPv6 atomic fragment will result in
263 a reduced Fragment ID collision rate (when compared to the case where
264 the translator selects each IPv4 Fragment ID on its own).
266 Finally, we note that [RFC6145] is currently the only "consumer" of
267 IPv6 atomic fragments, and it correctly and diligently notes (in
268 Section 6) the possible interoperability problems of relying on IPv6
269 atomic fragments, proposing as a workaround that leads to more robust
270 behavior and simplified code.
272 5. Updating RFC2460
274 The following text from Section 5 of [RFC2460]:
276 "In response to an IPv6 packet that is sent to an IPv4 destination
277 (i.e., a packet that undergoes translation from IPv6 to IPv4), the
278 originating IPv6 node may receive an ICMP Packet Too Big message
279 reporting a Next-Hop MTU less than 1280. In that case, the IPv6
280 node is not required to reduce the size of subsequent packets to
281 less than 1280, but must include a Fragment header in those
282 packets so that the IPv6-to-IPv4 translating router can obtain a
283 suitable Identification value to use in resulting IPv4 fragments.
284 Note that this means the payload may have to be reduced to 1232
285 octets (1280 minus 40 for the IPv6 header and 8 for the Fragment
286 header), and smaller still if additional extension headers are
287 used."
289 is formally replaced with:
291 "An IPv6 node that receives an ICMPv6 Packet Too Big error message
292 that reports a Next-Hop MTU smaller than 1280 bytes (the minimum
293 IPv6 MTU) MUST NOT include a Fragment header in subsequent packets
294 sent to the corresponding destination. That is, IPv6 nodes MUST
295 NOT generate IPv6 atomic fragments."
297 6. IANA Considerations
299 There are no IANA registries within this document. The RFC-Editor
300 can remove this section before publication of this document as an
301 RFC.
303 7. Security Considerations
305 This document describes a Denial of Service (DoS) attack vector that
306 leverages the widespread filtering of IPv6 fragments in the public
307 Internet by means of ICMPv6 PTB error messages. Additionally, it
308 formally updates [RFC2460] such that this attack vector is
309 eliminated.
311 8. Acknowledgements
313 The authors would like to thank (in alphabetical order) Alberto
314 Leiva, Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Jeroen Massar,
315 and Erik Nordmark, for providing valuable comments on earlier
316 versions of this document.
318 Fernando Gont would like to thank Fernando Gont would like to thank
319 Jan Zorz / Go6 Lab , and Jared Mauch / NTT
320 America, for providing access to systems and networks that were
321 employed to produce some of tests that resulted in the publication of
322 this document. Additionally, he would like to thank SixXS
323 for providing IPv6 connectivity.
325 9. References
327 9.1. Normative References
329 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
330 (IPv6) Specification", RFC 2460, December 1998.
332 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
333 Requirement Levels", BCP 14, RFC 2119, March 1997.
335 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control
336 Message Protocol (ICMPv6) for the Internet Protocol
337 Version 6 (IPv6) Specification", RFC 4443, March 2006.
339 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
340 Discovery", RFC 4821, March 2007.
342 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
343 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
344 September 2007.
346 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
347 Algorithm", RFC 6145, April 2011.
349 9.2. Informative References
351 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC
352 2923, September 2000.
354 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
355 Algorithm", RFC 2992, November 2000.
357 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010.
359 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
360 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
361 October 2010.
363 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
364 NAT64: Network Address and Protocol Translation from IPv6
365 Clients to IPv4 Servers", RFC 6146, April 2011.
367 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC
368 6946, May 2013.
370 [I-D.ietf-6man-predictable-fragment-id]
371 Gont, F., "Security Implications of Predictable Fragment
372 Identification Values", draft-ietf-6man-predictable-
373 fragment-id-08 (work in progress), June 2015.
375 [I-D.ietf-v6ops-ipv6-ehs-in-real-world]
376 Gont, F., Linkova, J., Chown, T., and S. LIU,
377 "Observations on IPv6 EH Filtering in the Real World",
378 draft-ietf-v6ops-ipv6-ehs-in-real-world-00 (work in
379 progress), April 2015.
381 [Morbitzer]
382 Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
383 Thesis number: 670. Department of Computing Science,
384 Radboud University Nijmegen. August 2013,
385 .
388 Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic
389 Fragments
391 [This section will probably be removed from this document before it
392 is published as an RFC].
394 This section includes a non-exhaustive list of operating systems that
395 *fail* to produce IPv6 atomic fragments. It is based on the results
396 published in [RFC6946] and [Morbitzer].
398 The following Operating Systems fail to generate IPv6 atomic
399 fragments in response to ICMPv6 PTB messages that report an MTU
400 smaller than 1280 bytes:
402 o FreeBSD 8.0
404 o Linux kernel 2.6.32
406 o Linux kernel 3.2
408 o Mac OS X 10.6.7
410 o NetBSD 5.1
412 Authors' Addresses
414 Fernando Gont
415 SI6 Networks / UTN-FRH
416 Evaristo Carriego 2644
417 Haedo, Provincia de Buenos Aires 1706
418 Argentina
420 Phone: +54 11 4650 8472
421 Email: fgont@si6networks.com
422 URI: http://www.si6networks.com
423 Will(Shucheng) Liu
424 Huawei Technologies
425 Bantian, Longgang District
426 Shenzhen 518129
427 P.R. China
429 Email: liushucheng@huawei.com
431 Tore Anderson
432 Redpill Linpro
433 Vitaminveien 1A
434 Oslo 0485
435 Norway
437 Phone: +47 959 31 212
438 Email: tore@redpill-linpro.com
439 URI: http://www.redpill-linpro.com