idnits 2.17.1
draft-ietf-6man-deprecate-atomfrag-generation-06.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (April 4, 2016) is 2945 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915)
== Outdated reference: A later version (-13) exists of
draft-ietf-6man-rfc2460bis-04
Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Intended status: Informational W. Liu
5 Expires: October 6, 2016 Huawei Technologies
6 T. Anderson
7 Redpill Linpro
8 April 4, 2016
10 Generation of IPv6 Atomic Fragments Considered Harmful
11 draft-ietf-6man-deprecate-atomfrag-generation-06
13 Abstract
15 This document discusses the security implications of the generation
16 of IPv6 atomic fragments and a number of interoperability issues
17 associated with IPv6 atomic fragments, and concludes that the
18 aforementioned functionality is undesirable, thus documenting the
19 motivation for removing this functionality in the revision of the
20 core IPv6 protocol specification.
22 Status of This Memo
24 This Internet-Draft is submitted in full conformance with the
25 provisions of BCP 78 and BCP 79.
27 Internet-Drafts are working documents of the Internet Engineering
28 Task Force (IETF). Note that other groups may also distribute
29 working documents as Internet-Drafts. The list of current Internet-
30 Drafts is at http://datatracker.ietf.org/drafts/current/.
32 Internet-Drafts are draft documents valid for a maximum of six months
33 and may be updated, replaced, or obsoleted by other documents at any
34 time. It is inappropriate to use Internet-Drafts as reference
35 material or to cite them other than as "work in progress."
37 This Internet-Draft will expire on October 6, 2016.
39 Copyright Notice
41 Copyright (c) 2016 IETF Trust and the persons identified as the
42 document authors. All rights reserved.
44 This document is subject to BCP 78 and the IETF Trust's Legal
45 Provisions Relating to IETF Documents
46 (http://trustee.ietf.org/license-info) in effect on the date of
47 publication of this document. Please review these documents
48 carefully, as they describe your rights and restrictions with respect
49 to this document. Code Components extracted from this document must
50 include Simplified BSD License text as described in Section 4.e of
51 the Trust Legal Provisions and are provided without warranty as
52 described in the Simplified BSD License.
54 Table of Contents
56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
57 2. Security Implications of the Generation of IPv6 Atomic
58 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3
59 3. Additional Considerations . . . . . . . . . . . . . . . . . . 4
60 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
62 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
63 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
64 7.1. Normative References . . . . . . . . . . . . . . . . . . 7
65 7.2. Informative References . . . . . . . . . . . . . . . . . 7
66 Appendix A. Small Survey of OSes that Fail to Produce IPv6
67 Atomic Fragments . . . . . . . . . . . . . . . . . . 9
68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
70 1. Introduction
72 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
73 IPv6 packets to be fragmented into smaller pieces such that they can
74 fit in the Path-MTU to the intended destination(s).
76 Section 5 of [RFC2460] states that, when a host receives an ICMPv6
77 "Packet Too Big" message [RFC4443] advertising an MTU smaller than
78 1280 bytes (the minimum IPv6 MTU), the host is not required to reduce
79 the assumed Path-MTU, but must simply include a Fragment Header in
80 all subsequent packets sent to that destination. The resulting
81 packets will thus *not* be actually fragmented into several pieces,
82 but rather be "atomic fragments" [RFC6946] (i.e., just include a
83 Fragment Header with both the "Fragment Offset" and the "M" flag set
84 to 0). [RFC6946] requires that these atomic fragments be essentially
85 processed by the destination host as non-fragmented traffic (since
86 there are not really any fragments to be reassembled). The goal of
87 these atomic fragments is simply to convey an appropriate
88 Identification value to be employed by IPv6/IPv4 translators for the
89 resulting IPv4 fragments.
91 While atomic fragments might seem rather benign, there are scenarios
92 in which the generation of IPv6 atomic fragments can be leveraged for
93 performing a number of attacks against the corresponding IPv6 flows.
94 Since there are concrete security implications arising from the
95 generation of IPv6 atomic fragments, and there is no real gain in
96 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
97 translators generate a Fragment Identification value themselves), we
98 conclude that this functionality is undesirable.
100 Section 2 briefly discusses the security implications of the
101 generation of IPv6 atomic fragments, and describes a specific Denial
102 of Service (DoS) attack vector that leverages the widespread
103 filtering of IPv6 fragments in the public Internet. Section 3
104 provides additional considerations regarding the usefulness of
105 generating IPv6 atomic fragments.
107 2. Security Implications of the Generation of IPv6 Atomic Fragments
109 The security implications of IP fragmentation have been discussed at
110 length in [RFC6274] and [RFC7739]. An attacker can leverage the
111 generation of IPv6 atomic fragments to trigger the use of
112 fragmentation in an arbitrary IPv6 flow and subsequently perform any
113 fragmentation-based attack against legacy IPv6 nodes that do not
114 implement [RFC6946].
116 Unfortunately, even nodes that already implement [RFC6946] can be
117 subject to DoS attacks as a result of the generation of IPv6 atomic
118 fragments. Let us assume that Host A is communicating with Server B,
119 and that, as a result of the widespread dropping of IPv6 packets that
120 contain extension headers (including fragmentation)
121 [I-D.ietf-v6ops-ipv6-ehs-in-real-world], some intermediate node
122 filters fragments between Host A and Server B. If an attacker sends
123 a forged ICMPv6 "Packet Too Big" (PTB) error message to server B,
124 reporting an MTU smaller than 1280, this will trigger the generation
125 of IPv6 atomic fragments from that moment on (as required by
126 [RFC2460]). When server B starts sending IPv6 atomic fragments (in
127 response to the received ICMPv6 PTB), these packets will be dropped,
128 since we previously noted that IPv6 packets with extension headers
129 were being dropped between Host A and Server B. Thus, this situation
130 will result in a Denial of Service (DoS) scenario.
132 Another possible scenario is that in which two BGP peers are
133 employing IPv6 transport, and they implement Access Control Lists
134 (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If
135 the aforementioned BGP peers drop IPv6 fragments but still honor
136 received ICMPv6 Packet Too Big error messages, an attacker could
137 easily attack the peering session by simply sending an ICMPv6 PTB
138 message with a reported MTU smaller than 1280 bytes. Once the attack
139 packet has been sent, it will be the aforementioned routers
140 themselves the ones dropping their own traffic.
142 The aforementioned attack vector is exacerbated by the following
143 factors:
145 o The attacker does not need to forge the IPv6 Source Address of his
146 attack packets. Hence, deployment of simple BCP38 filters will
147 not help as a counter-measure.
149 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
150 payload needs to be forged. While one could envision filtering
151 devices enforcing BCP38-style filters on the ICMPv6 payload, the
152 use of extension headers (by the attacker) could make this
153 difficult, if at all possible.
155 o Many implementations fail to perform validation checks on the
156 received ICMPv6 error messages, as recommended in Section 5.2 of
157 [RFC4443] and documented in [RFC5927]. It should be noted that in
158 some cases, such as when an ICMPv6 error message has (supposedly)
159 been elicited by a connection-less transport protocol (or some
160 other connection-less protocol being encapsulated in IPv6), it may
161 be virtually impossible to perform validation checks on the
162 received ICMPv6 error message. And, because of IPv6 extension
163 headers, the ICMPv6 payload might not even contain any useful
164 information on which to perform validation checks.
166 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
167 error messages, the Destination Cache [RFC4861] is usually updated
168 to reflect that any subsequent packets to such destination should
169 include a Fragment Header. This means that a single ICMPv6
170 "Packet Too Big" error message might affect multiple communication
171 instances (e.g., TCP connections) with such destination.
173 o As noted in Section 3, SIIT [RFC6145] (including derivative
174 protocols such as Stateful NAT64 [RFC6146]) is the only technology
175 which currently makes use of atomic fragments. Unfortunately, an
176 IPv6 node cannot easily limit its exposure to the aforementioned
177 attack vector by only generating IPv6 atomic fragments towards
178 IPv4 destinations behind a stateless translator. This is due to
179 the fact that Section 3.3 of [RFC6052] encourages operators to use
180 a Network-Specific Prefix (NSP) that maps the IPv4 address space
181 into IPv6. When an NSP is being used, IPv6 addresses representing
182 IPv4 nodes (reached through a stateless translator) are
183 indistinguishable from native IPv6 addresses.
185 3. Additional Considerations
187 Besides the security assessment provided in Section 2, it is
188 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
189 translating router rely on the generation of IPv6 atomic fragments.
191 Relying on the generation of IPv6 atomic fragments implies a reliance
192 on:
194 1. ICMPv6 packets arriving from the translator to the IPv6 node
196 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
197 an MTU smaller than 1280 bytes to actually produce atomic
198 fragments
200 3. Support for IPv6 fragmentation on the IPv6 side of the translator
202 4. The ability of the translator implementation to access the
203 information conveyed by the IPv6 Fragment Header
205 Unfortunately,
207 1. There exists a fair share of evidence of ICMPv6 Packet Too Big
208 messages being dropped on the public Internet (for instance, that
209 is one of the reasons for which PLPMTUD [RFC4821] was produced).
210 Therefore, relying on such messages being successfully delivered
211 will affect the robustness of the protocol that relies on them.
213 2. A number of IPv6 implementations have been known to fail to
214 generate IPv6 atomic fragments in response to ICMPv6 PTB messages
215 reporting an MTU smaller than 1280 bytes (see Appendix A for a
216 small survey). Additionally, the results included in Section 6
217 of [RFC6145] note that 57% of the tested web servers failed to
218 produce IPv6 atomic fragments in response to ICMPv6 PTB messages
219 reporting an MTU smaller than 1280 bytes. Thus, any protocol
220 relying on IPv6 atomic fragment generation for proper functioning
221 will have interoperability problems with the aforementioned IPv6
222 stacks.
224 3. IPv6 atomic fragment generation represents a case in which
225 fragmented traffic is produced where otherwise it would not be
226 needed. Since there is widespread filtering of IPv6 fragments in
227 the public Internet [I-D.ietf-v6ops-ipv6-ehs-in-real-world], this
228 would mean that the (unnecessary) use of IPv6 fragmentation might
229 result, unnecessarily, in a Denial of Service situation even in
230 legitimate cases.
232 4. The packet-handling API at the node where the translator is
233 running may obscure fragmentation-related information. In such
234 scenarios, the information conveyed by the Fragment Header may be
235 unavailable to the translator. [JOOL] discusses a sample
236 framework (Linux Netfilter) that hinders access to the
237 information conveyed in IPv6 atomic fragments.
239 We note that SIIT essentially employs the Fragment Header of IPv6
240 atomic fragments to signal the translator how to set the DF bit of
241 IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a
242 Fragment Header, and is otherwise set to 1 when the IPv6 packet does
243 not contain an IPv6 Fragment Header). Additionally, the translator
244 will employ the low-order 16-bits of the IPv6 Fragment Identification
245 for setting the IPv4 Fragment Identification. At least in theory,
246 this is expected to reduce the IPv4 Identification collision rate in
247 the following specific scenario:
249 1. An IPv6 node communicates with an IPv4 node (through SIIT)
251 2. The IPv4 node is located behind an IPv4 link with an MTU smaller
252 than 1260 bytes
254 3. ECMP routing [RFC2992] with more than one translator is employed
255 for e.g., redundancy purposes
257 In such a scenario, if each translator were to select the IPv4
258 Identification on its own (rather than selecting the IPv4
259 Identification from the low-order 16-bits of the Fragment
260 Identification of IPv6 atomic fragments), this could possibly lead to
261 IPv4 Identification collisions. However, since a number of
262 implementations set the IPv6 Fragment Identification according to the
263 output of a Pseudo-Random Number Generator (PRNG) (see Appendix B of
264 [RFC7739]) and the translator only employs the low-order 16-bits of
265 such value, it is very unlikely that relying on the Fragment
266 Identification of the IPv6 atomic fragment will result in a reduced
267 IPv4 Identification collision rate (when compared to the case where
268 the translator selects each IPv4 Identification on its own).
270 Finally, we note that [RFC6145] is currently the only "consumer" of
271 IPv6 atomic fragments, and it correctly and diligently notes (in
272 Section 6) the possible interoperability problems of relying on IPv6
273 atomic fragments, proposing as a workaround that leads to more robust
274 behavior and simplified code.
276 4. IANA Considerations
278 There are no IANA registries within this document.
280 5. Security Considerations
282 This document briefly discusses the security implications of the
283 generation of IPv6 atomic fragments, and describes a specific Denial
284 of Service (DoS) attack vector that leverages the widespread
285 filtering of IPv6 fragments in the public Internet. It concludes
286 that the generation of IPv6 atomic fragments is an undesirable
287 feature, and documents the motivation for removing this functionality
288 from [I-D.ietf-6man-rfc2460bis].
290 6. Acknowledgements
292 The authors would like to thank (in alphabetical order) Congxiao Bao,
293 Bob Briscoe, Brian Carpenter, Tatuya Jinmei, Bob Hinden, Alberto
294 Leiva, Xing Li, Jeroen Massar, Erik Nordmark, Qiong Sun, Ole Troan,
295 and Tina Tsou, for providing valuable comments on earlier versions of
296 this document.
298 Fernando Gont would like to thank Jan Zorz / Go6 Lab
299 , and Jared Mauch / NTT America, for providing
300 access to systems and networks that were employed to produce some of
301 tests that resulted in the publication of this document.
302 Additionally, he would like to thank SixXS
303 for providing IPv6 connectivity.
305 7. References
307 7.1. Normative References
309 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
310 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
311 December 1998, .
313 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
314 Control Message Protocol (ICMPv6) for the Internet
315 Protocol Version 6 (IPv6) Specification", RFC 4443,
316 DOI 10.17487/RFC4443, March 2006,
317 .
319 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
320 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007,
321 .
323 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
324 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
325 DOI 10.17487/RFC4861, September 2007,
326 .
328 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
329 Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
330 .
332 7.2. Informative References
334 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
335 Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000,
336 .
338 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
339 DOI 10.17487/RFC5927, July 2010,
340 .
342 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
343 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
344 DOI 10.17487/RFC6052, October 2010,
345 .
347 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
348 NAT64: Network Address and Protocol Translation from IPv6
349 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
350 April 2011, .
352 [RFC6274] Gont, F., "Security Assessment of the Internet Protocol
353 Version 4", RFC 6274, DOI 10.17487/RFC6274, July 2011,
354 .
356 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
357 RFC 6946, DOI 10.17487/RFC6946, May 2013,
358 .
360 [RFC7739] Gont, F., "Security Implications of Predictable Fragment
361 Identification Values", RFC 7739, DOI 10.17487/RFC7739,
362 February 2016, .
364 [I-D.ietf-v6ops-ipv6-ehs-in-real-world]
365 Gont, F., Linkova, J., Chown, T., and S. LIU,
366 "Observations on the Dropping of Packets with IPv6
367 Extension Headers in the Real World", draft-ietf-v6ops-
368 ipv6-ehs-in-real-world-02 (work in progress), December
369 2015.
371 [I-D.ietf-6man-rfc2460bis]
372 Deering, S. and B. Hinden, "Internet Protocol, Version 6
373 (IPv6) Specification", draft-ietf-6man-rfc2460bis-04 (work
374 in progress), March 2016.
376 [Morbitzer]
377 Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
378 Thesis number: 670. Department of Computing Science,
379 Radboud University Nijmegen. August 2013,
380 .
383 [JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6",
384 April 2015, .
387 Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic
388 Fragments
390 [This section will probably be removed from this document before it
391 is published as an RFC].
393 This section includes a non-exhaustive list of operating systems that
394 *fail* to produce IPv6 atomic fragments. It is based on the results
395 published in [RFC6946] and [Morbitzer]. It is simply meant as a
396 datapoint regarding the extent to which IPv6 implementations can be
397 relied upon to generate IPv6 atomic fragments.
399 The following Operating Systems fail to generate IPv6 atomic
400 fragments in response to ICMPv6 PTB messages that report an MTU
401 smaller than 1280 bytes:
403 o FreeBSD 8.0
405 o Linux kernel 2.6.32
407 o Linux kernel 3.2
409 o Linux kernel current
411 o Mac OS X 10.6.7
413 o NetBSD 5.1
415 Authors' Addresses
417 Fernando Gont
418 SI6 Networks / UTN-FRH
419 Evaristo Carriego 2644
420 Haedo, Provincia de Buenos Aires 1706
421 Argentina
423 Phone: +54 11 4650 8472
424 Email: fgont@si6networks.com
425 URI: http://www.si6networks.com
427 Will(Shucheng) Liu
428 Huawei Technologies
429 Bantian, Longgang District
430 Shenzhen 518129
431 P.R. China
433 Email: liushucheng@huawei.com
434 Tore Anderson
435 Redpill Linpro
436 Vitaminveien 1A
437 Oslo 0485
438 Norway
440 Phone: +47 959 31 212
441 Email: tore@redpill-linpro.com
442 URI: http://www.redpill-linpro.com