ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

Mark Andrews marka at isc.org
Thu Jan 12 19:28:45 UTC 2017

In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 at si6networks.com>, Fernando Gont writes:
> Hi, Saku,
> On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com> wrote:
> > 
> > Hey,
> > 
> >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> >> welcome).
> > 
> > Generally may be understood differently by different people. If
> > generally is defined as single most typical behaviour/configuration,
> > then generally people don't protect their infrastructure in any way at
> > all, but fully rely on the vendor doing something reasonable.
> > 
> > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > allow what you must then have ultimate rule to deny everything. If you
> > have such CoPP, then this attack won't work, as you clearly didn't
> > allow any fragments at all (as you didn't expect to receive BGP
> > fragments from your neighbours).
> That's the point: If you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

And fragments are a *normal* part of IP for both IPv4 and IPv6.
This obsession with dropping all fragments (and yes it is an obsession)
is breaking the internet.

Even if you don't want to allow all fragments through you can allow
fragments between the two endpoints of an "active" connection.  You
can apply port filters to the offset 0 fragments.  If that fragment
doesn't have enough headers to be able to filter then drop it.  If
your firewall is incapable of doing this then find a better firewall
as the current one is a piece of garbage and should be in the recycle

Which DoS is the bigger issue?  Firewalls dropping fragments or
reassembly buffers being exhausted?  Yes, firewalls dropping fragments
is a denial of service attack.

The initial TCP exchange does not contain fragments.  Most UDP
protocols don't start with a packet that will need to be fragmented.
For other protocols YMMV.


> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
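
The filtering policy described in the message above (accept fragments only between the endpoints of an active connection, port-filter the offset-0 fragment, and drop it when it lacks enough headers to filter on), sketched as an added example that is not part of the original post. The function names, the set of (source, destination) address pairs standing in for the active-connection table, and the sample packets are assumptions constructed for illustration; port 179 is BGP.

```python
import ipaddress, struct

EXT_HDRS = {0, 43, 60}          # hop-by-hop, routing, destination options
FRAG, TCP, UDP = 44, 6, 17

def classify(pkt, active_pairs, allowed_ports):
    """Return 'accept' or 'drop' for one raw IPv6 packet (bytes)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"
    pair = (pkt[8:24], pkt[24:40])
    nh, off, frag_off, seen_frag = pkt[6], 40, 0, False
    while nh in EXT_HDRS or nh == FRAG:
        if off + 8 > len(pkt):
            return "drop"                      # truncated header chain
        if nh == FRAG:
            if seen_frag:
                return "drop"                  # nested fragment headers
            seen_frag = True
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            nh, off = pkt[off], off + 8
            if frag_off:
                break                          # later fragment: no ports here
        else:
            nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)
    if pair not in active_pairs:
        return "drop"                          # not a known connection
    if frag_off:
        return "accept"                        # non-first fragment of a known flow
    if nh not in (TCP, UDP) or off + 4 > len(pkt):
        return "drop"                          # not enough headers to filter on
    sport, dport = struct.unpack_from("!HH", pkt, off)
    return "accept" if {sport, dport} & allowed_ports else "drop"

def build(src, dst, first_nh, body):
    """Constructed test packet: fixed IPv6 header followed by `body`."""
    hdr = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + body)

def frag_hdr(next_hdr, offset_units, more, ident=0x1234):
    """Constructed Fragment header; offset is in 8-octet units."""
    return struct.pack("!BBHI", next_hdr, 0, (offset_units << 3) | more, ident)

# Constructed sample data (documentation prefix 2001:db8::/32).
A, B, X = "2001:db8::1", "2001:db8::2", "2001:db8::bad"
ACTIVE = {(ipaddress.IPv6Address(A).packed, ipaddress.IPv6Address(B).packed)}
TCP_HDR = struct.pack("!HHIIHHHH", 50000, 179, 1, 1, 0x5010, 65535, 0, 0)
```
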
