idnits 2.17.1
draft-ietf-6man-deprecate-atomfrag-generation-07.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (July 17, 2016) is 2839 days in the past. Is this
intentional?
Checking references for intended status: Informational
----------------------------------------------------------------------------
** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200)
** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915)
== Outdated reference: A later version (-13) exists of
draft-ietf-6man-rfc2460bis-05
== Outdated reference: A later version (-08) exists of
draft-ietf-6man-rfc1981bis-02
Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Intended status: Informational W. Liu
5 Expires: January 18, 2017 Huawei Technologies
6 T. Anderson
7 Redpill Linpro
8 July 17, 2016
10 Generation of IPv6 Atomic Fragments Considered Harmful
11 draft-ietf-6man-deprecate-atomfrag-generation-07
13 Abstract
15 This document discusses the security implications of the generation
16 of IPv6 atomic fragments and a number of interoperability issues
17 associated with IPv6 atomic fragments, and concludes that the
18 aforementioned functionality is undesirable, thus documenting the
19 motivation for removing this functionality in the revision of the
20 core IPv6 protocol specification.
22 Status of This Memo
24 This Internet-Draft is submitted in full conformance with the
25 provisions of BCP 78 and BCP 79.
27 Internet-Drafts are working documents of the Internet Engineering
28 Task Force (IETF). Note that other groups may also distribute
29 working documents as Internet-Drafts. The list of current Internet-
30 Drafts is at http://datatracker.ietf.org/drafts/current/.
32 Internet-Drafts are draft documents valid for a maximum of six months
33 and may be updated, replaced, or obsoleted by other documents at any
34 time. It is inappropriate to use Internet-Drafts as reference
35 material or to cite them other than as "work in progress."
37 This Internet-Draft will expire on January 18, 2017.
39 Copyright Notice
41 Copyright (c) 2016 IETF Trust and the persons identified as the
42 document authors. All rights reserved.
44 This document is subject to BCP 78 and the IETF Trust's Legal
45 Provisions Relating to IETF Documents
46 (http://trustee.ietf.org/license-info) in effect on the date of
47 publication of this document. Please review these documents
48 carefully, as they describe your rights and restrictions with respect
49 to this document. Code Components extracted from this document must
50 include Simplified BSD License text as described in Section 4.e of
51 the Trust Legal Provisions and are provided without warranty as
52 described in the Simplified BSD License.
54 Table of Contents
56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
57 2. Security Implications of the Generation of IPv6 Atomic
58 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3
59 3. Additional Considerations . . . . . . . . . . . . . . . . . . 5
60 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7
61 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
62 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
63 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
64 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
65 8.1. Normative References . . . . . . . . . . . . . . . . . . 8
66 8.2. Informative References . . . . . . . . . . . . . . . . . 9
67 Appendix A. Small Survey of OSes that Fail to Produce IPv6
68 Atomic Fragments . . . . . . . . . . . . . . . . . . 10
69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
71 1. Introduction
73 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
74 IPv6 packets to be fragmented into smaller pieces such that they can
75 fit in the Path-MTU to the intended destination(s).
77 A legacy IPv4/IPv6 translator implementing the Stateless IP/ICMP
78 Translation algorithm [RFC6145] may legitimately generate ICMPv6
79 "Packet Too Big" messages [RFC4443] advertising a "Next-Hop MTU"
80 smaller than 1280 (the minimum IPv6 MTU). Section 5 of [RFC2460]
81 states that, upon receiving such an ICMPv6 error message, hosts are
82 not required to reduce the assumed Path-MTU, but must simply include
83 a Fragment Header in all subsequent packets sent to that destination.
84 The resulting packets will thus *not* be actually fragmented into
85 several pieces, but rather be "atomic fragments" [RFC6946] (i.e.,
86 just include a Fragment Header with both the "Fragment Offset" and
87 the "M" flag set to 0). [RFC6946] requires that these atomic
88 fragments be essentially processed by the destination host as non-
89 fragmented traffic (since there are not really any fragments to be
90 reassembled). The goal of these atomic fragments is simply to convey
91 an appropriate Identification value to be employed by IPv6/IPv4
92 translators for the resulting IPv4 fragments.
94 While atomic fragments might seem rather benign, there are scenarios
95 in which the generation of IPv6 atomic fragments can be leveraged for
96 performing a number of attacks against the corresponding IPv6 flows.
98 Since there are concrete security implications arising from the
99 generation of IPv6 atomic fragments, and there is no real gain in
100 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4
101 translators generate a Fragment Identification value themselves), we
102 conclude that this functionality is undesirable.
104 Section 2 briefly discusses the security implications of the
105 generation of IPv6 atomic fragments, and describes a specific Denial
106 of Service (DoS) attack vector that leverages the widespread
107 filtering of IPv6 fragments in the public Internet. Section 3
108 provides additional considerations regarding the usefulness of
109 generating IPv6 atomic fragments.
111 2. Security Implications of the Generation of IPv6 Atomic Fragments
113 The security implications of IP fragmentation have been discussed at
114 length in [RFC6274] and [RFC7739]. An attacker can leverage the
115 generation of IPv6 atomic fragments to trigger the use of
116 fragmentation in an arbitrary IPv6 flow and subsequently perform any
117 fragmentation-based attack against legacy IPv6 nodes that do not
118 implement [RFC6946].
120 Unfortunately, even nodes that already implement [RFC6946] can be
121 subject to DoS attacks as a result of the generation of IPv6 atomic
122 fragments. Let us assume that Host A is communicating with Server B,
123 and that, as a result of the widespread dropping of IPv6 packets that
124 contain extension headers (including fragmentation) [RFC7872], some
125 intermediate node filters fragments between Host A and Server B. If
126 an attacker sends a forged ICMPv6 "Packet Too Big" (PTB) error
127 message to server B, reporting an MTU smaller than 1280, this will
128 trigger the generation of IPv6 atomic fragments from that moment on
129 (as required by [RFC2460]). When server B starts sending IPv6 atomic
130 fragments (in response to the received ICMPv6 PTB), these packets
131 will be dropped, since we previously noted that IPv6 packets with
132 extension headers were being dropped between Host A and Server B.
133 Thus, this situation will result in a Denial of Service (DoS)
134 scenario.
136 Another possible scenario is that in which two BGP peers are
137 employing IPv6 transport, and they implement Access Control Lists
138 (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If
139 the aforementioned BGP peers drop IPv6 fragments but still honor
140 received ICMPv6 Packet Too Big error messages, an attacker could
141 easily attack the peering session by simply sending an ICMPv6 PTB
142 message with a reported MTU smaller than 1280 bytes. Once the attack
143 packet has been sent, the aforementioned routers will themselves be
144 the ones dropping their own traffic.
146 The aforementioned attack vector is exacerbated by the following
147 factors:
149 o The attacker does not need to forge the IPv6 Source Address of his
150 attack packets. Hence, deployment of simple BCP38 filters will
151 not help as a counter-measure.
153 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
154 payload needs to be forged. While one could envision filtering
155 devices enforcing BCP38-style filters on the ICMPv6 payload, the
156 use of extension headers (by the attacker) could make this
157 difficult, if at all possible.
159 o Many implementations fail to perform validation checks on the
160 received ICMPv6 error messages, as recommended in Section 5.2 of
161 [RFC4443] and documented in [RFC5927]. It should be noted that in
162 some cases, such as when an ICMPv6 error message has (supposedly)
163 been elicited by a connection-less transport protocol (or some
164 other connection-less protocol being encapsulated in IPv6), it may
165 be virtually impossible to perform validation checks on the
166 received ICMPv6 error message. And, because of IPv6 extension
167 headers, the ICMPv6 payload might not even contain any useful
168 information on which to perform validation checks.
170 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big"
171 error messages, the Destination Cache [RFC4861] is usually updated
172 to reflect that any subsequent packets to such destination should
173 include a Fragment Header. This means that a single ICMPv6
174 "Packet Too Big" error message might affect multiple communication
175 instances (e.g., TCP connections) with such destination.
177 o As noted in Section 3, SIIT (Stateless IP/ICMP Translation
178 Algorithm) [RFC6145], including derivative protocols such as
179 Stateful NAT64 [RFC6146], was the only technology making use of
180 atomic fragments. Unfortunately, an IPv6 node cannot easily limit
181 its exposure to the aforementioned attack vector by only
182 generating IPv6 atomic fragments towards IPv4 destinations behind
183 a stateless translator. This is due to the fact that Section 3.3
184 of [RFC6052] encourages operators to use a Network-Specific Prefix
185 (NSP) that maps the IPv4 address space into IPv6. When an NSP is
186 being used, IPv6 addresses representing IPv4 nodes (reached
187 through a stateless translator) are indistinguishable from native
188 IPv6 addresses.
190 3. Additional Considerations
192 Besides the security assessment provided in Section 2, it is
193 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
194 translating router rely on the generation of IPv6 atomic fragments.
196 Relying on the generation of IPv6 atomic fragments implies a reliance
197 on:
199 1. ICMPv6 packets arriving from the translator to the IPv6 node
201 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
202 an MTU smaller than 1280 bytes to actually produce atomic
203 fragments
205 3. Support for IPv6 fragmentation on the IPv6 side of the translator
207 4. The ability of the translator implementation to access the
208 information conveyed by the IPv6 Fragment Header
210 Unfortunately,
212 1. There exists a fair share of evidence of ICMPv6 Packet Too Big
213 messages being dropped on the public Internet (for instance, that
214 is one of the reasons for which PLPMTUD [RFC4821] was produced).
215 Therefore, relying on such messages being successfully delivered
216 will affect the robustness of the protocol that relies on them.
218 2. A number of IPv6 implementations have been known to fail to
219 generate IPv6 atomic fragments in response to ICMPv6 PTB messages
220 reporting an MTU smaller than 1280 bytes (see Appendix A for a
221 small survey). Additionally, the results included in Section 6
222 of [RFC6145] note that 57% of the tested web servers failed to
223 produce IPv6 atomic fragments in response to ICMPv6 PTB messages
224 reporting an MTU smaller than 1280 bytes. Thus, any protocol
225 relying on IPv6 atomic fragment generation for proper functioning
226 will have interoperability problems with the aforementioned IPv6
227 stacks.
229 3. IPv6 atomic fragment generation represents a case in which
230 fragmented traffic is produced where otherwise it would not be
231 needed. Since there is widespread filtering of IPv6 fragments in
232 the public Internet [RFC7872], this would mean that the
233 (unnecessary) use of IPv6 fragmentation might result,
234 unnecessarily, in a Denial of Service situation even in
235 legitimate cases.
237 4. The packet-handling API at the node where the translator is
238 running may obscure fragmentation-related information. In such
239 scenarios, the information conveyed by the Fragment Header may be
240 unavailable to the translator. [JOOL] discusses a sample
241 framework (Linux Netfilter) that hinders access to the
242 information conveyed in IPv6 atomic fragments.
244 We note that SIIT essentially employs the Fragment Header of IPv6
245 atomic fragments to signal the translator how to set the DF bit of
246 IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a
247 Fragment Header, and is otherwise set to 1 when the IPv6 packet does
248 not contain an IPv6 Fragment Header). Additionally, the translator
249 will employ the low-order 16-bits of the IPv6 Fragment Identification
250 for setting the IPv4 Fragment Identification. At least in theory,
251 this is expected to reduce the IPv4 Identification collision rate in
252 the following specific scenario:
254 1. An IPv6 node communicates with an IPv4 node (through SIIT).
256 2. The IPv4 node is located behind an IPv4 link with an MTU smaller
257 than 1260 bytes. An IPv4 Path MTU of 1260 corresponds to an IPv6
258 Path MTU of 1280, due to an option-less IPv4 header being 20
259 bytes shorter than the IPv6 header.
261 3. ECMP routing [RFC2992] with more than one translator is employed
262 for e.g., redundancy purposes.
264 In such a scenario, if each translator were to select the IPv4
265 Identification on its own (rather than selecting the IPv4
266 Identification from the low-order 16-bits of the Fragment
267 Identification of IPv6 atomic fragments), this could possibly lead to
268 IPv4 Identification collisions. However, since a number of
269 implementations set the IPv6 Fragment Identification according to the
270 output of a Pseudo-Random Number Generator (PRNG) (see Appendix B of
271 [RFC7739]) and the translator only employs the low-order 16-bits of
272 such value, it is very unlikely that relying on the Fragment
273 Identification of the IPv6 atomic fragment will result in a reduced
274 IPv4 Identification collision rate (when compared to the case where
275 the translator selects each IPv4 Identification on its own).
276 Besides, because of the limited sized of the IPv4 identification
277 field, it is nevertheless virtually impossible to guarantee
278 uniqueness of the IPv4 identification values without artificially
279 limiting the data rate of fragmented traffic [RFC6864] [RFC4963].
281 [RFC6145] was the only "consumer" of IPv6 atomic fragments, and it
282 correctly and diligently noted (in Section 6) the possible
283 interoperability problems of relying on IPv6 atomic fragments,
284 proposing a workaround that led to more robust behavior and
285 simplified code. [RFC6145] has been obsoleted by [RFC7915], such
286 that SIIT does not rely on IPv6 atomic fragments.
288 Finally, we believe that IPv4 links with an MTU smaller than 1260
289 bytes are very uncommonly found in the modern Internet. At the same
290 time, we note that the sole purpose of IPv6 atomic fragments is to
291 make such links compatible with IPv4/IPv6 translation. We surmise,
292 therefore, that IPv6 atomic fragments are useful in only a minuscule
293 number of "real world" situations.
295 4. Conclusions
297 Taking all of the above considerations into account, we recommend
298 that IPv6 atomic fragments be deprecated.
300 In particular:
302 o IPv4/IPv6 translators should be updated to not generate ICMPv6
303 Packet Too Big errors containing a Path MTU value smaller than the
304 minimum IPv6 MTU of 1280 bytes. This will ensure that current
305 IPv6 nodes will never have a legitimate need to start generating
306 IPv6 atomic fragments.
308 o The recommendation in the previous bullet ensures there no longer
309 are any valid reasons for ICMPv6 Packet Too Big errors containing
310 a Path MTU value smaller than the minimum IPv6 MTU to exist. IPv6
311 nodes should therefore be updated to ignore them as invalid.
313 We note that these recommendations have been incorporated in
314 [I-D.ietf-6man-rfc1981bis], [I-D.ietf-6man-rfc2460bis] and [RFC7915].
316 5. IANA Considerations
318 There are no IANA registries within this document.
320 6. Security Considerations
322 This document briefly discusses the security implications of the
323 generation of IPv6 atomic fragments, and describes a specific Denial
324 of Service (DoS) attack vector that leverages the widespread
325 filtering of IPv6 fragments in the public Internet. It concludes
326 that the generation of IPv6 atomic fragments is an undesirable
327 feature, and documents the motivation for removing this functionality
328 from [I-D.ietf-6man-rfc2460bis].
330 7. Acknowledgements
332 The authors would like to thank (in alphabetical order) Congxiao Bao,
333 Carlos Jesus Bernardos Cano, Bob Briscoe, Brian Carpenter, Tatuya
334 Jinmei, Bob Hinden, Alberto Leiva, Ted Lemon, Xing Li, Jeroen Massar,
335 Erik Nordmark, Qiong Sun, Ole Troan, Tina Tsou, and Bernie Volz, for
336 providing valuable comments on earlier versions of this document.
338 Fernando Gont would like to thank Jan Zorz / Go6 Lab
339 , and Jared Mauch / NTT America, for providing
340 access to systems and networks that were employed to produce some of
341 the tests that resulted in the publication of this document.
342 Additionally, he would like to thank SixXS
343 for providing IPv6 connectivity.
345 8. References
347 8.1. Normative References
349 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
350 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
351 December 1998, .
353 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet
354 Control Message Protocol (ICMPv6) for the Internet
355 Protocol Version 6 (IPv6) Specification", RFC 4443,
356 DOI 10.17487/RFC4443, March 2006,
357 .
359 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU
360 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007,
361 .
363 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
364 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
365 DOI 10.17487/RFC4861, September 2007,
366 .
368 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
369 Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011,
370 .
372 [RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont,
373 "IP/ICMP Translation Algorithm", RFC 7915,
374 DOI 10.17487/RFC7915, June 2016,
375 .
377 [RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field",
378 RFC 6864, DOI 10.17487/RFC6864, February 2013,
379 .
381 8.2. Informative References
383 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path
384 Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000,
385 .
387 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927,
388 DOI 10.17487/RFC5927, July 2010,
389 .
391 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
392 Errors at High Data Rates", RFC 4963,
393 DOI 10.17487/RFC4963, July 2007,
394 .
396 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
397 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
398 DOI 10.17487/RFC6052, October 2010,
399 .
401 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
402 NAT64: Network Address and Protocol Translation from IPv6
403 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
404 April 2011, .
406 [RFC6274] Gont, F., "Security Assessment of the Internet Protocol
407 Version 4", RFC 6274, DOI 10.17487/RFC6274, July 2011,
408 .
410 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments",
411 RFC 6946, DOI 10.17487/RFC6946, May 2013,
412 .
414 [RFC7739] Gont, F., "Security Implications of Predictable Fragment
415 Identification Values", RFC 7739, DOI 10.17487/RFC7739,
416 February 2016, .
418 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
419 "Observations on the Dropping of Packets with IPv6
420 Extension Headers in the Real World", RFC 7872,
421 DOI 10.17487/RFC7872, June 2016,
422 .
424 [I-D.ietf-6man-rfc2460bis]
425 Deering, D. and R. Hinden, "Internet Protocol, Version 6
426 (IPv6) Specification", draft-ietf-6man-rfc2460bis-05 (work
427 in progress), June 2016.
429 [I-D.ietf-6man-rfc1981bis]
430 <>, J., <>, S., <>, J., and R. Hinden, "Path MTU Discovery
431 for IP version 6", draft-ietf-6man-rfc1981bis-02 (work in
432 progress), April 2016.
434 [Morbitzer]
435 Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
436 Thesis number: 670. Department of Computing Science,
437 Radboud University Nijmegen. August 2013,
438 .
441 [JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6",
442 April 2015, .
445 Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic
446 Fragments
448 [This section will probably be removed from this document before it
449 is published as an RFC].
451 This section includes a non-exhaustive list of operating systems that
452 *fail* to produce IPv6 atomic fragments. It is based on the results
453 published in [RFC6946] and [Morbitzer]. It is simply meant as a
454 datapoint regarding the extent to which IPv6 implementations can be
455 relied upon to generate IPv6 atomic fragments.
457 The following Operating Systems fail to generate IPv6 atomic
458 fragments in response to ICMPv6 PTB messages that report an MTU
459 smaller than 1280 bytes:
461 o FreeBSD 8.0
463 o Linux kernel 2.6.32
465 o Linux kernel 3.2
467 o Mac OS X 10.6.7
469 o NetBSD 5.1
471 Authors' Addresses
473 Fernando Gont
474 SI6 Networks / UTN-FRH
475 Evaristo Carriego 2644
476 Haedo, Provincia de Buenos Aires 1706
477 Argentina
479 Phone: +54 11 4650 8472
480 Email: fgont@si6networks.com
481 URI: http://www.si6networks.com
483 Will(Shucheng) Liu
484 Huawei Technologies
485 Bantian, Longgang District
486 Shenzhen 518129
487 P.R. China
489 Email: liushucheng@huawei.com
491 Tore Anderson
492 Redpill Linpro
493 Vitaminveien 1A
494 Oslo 0485
495 Norway
497 Phone: +47 959 31 212
498 Email: tore@redpill-linpro.com
499 URI: http://www.redpill-linpro.com