ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

Fernando Gont fgont at si6networks.com
Thu Jan 12 20:17:22 UTC 2017


El 12/1/2017 16:28, "Mark Andrews" <marka at isc.org> escribió:


In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 at si6networks.com>, Fernando
Gon
t writes:
> Hi, Saku,
>
> On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com>
wrote:
> >
> > Hey,
> >
> >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> >> welcome).
> >
> > Generally may be understood differently by different people. If
> > generally is defined as single most typical behaviour/configuration,
> > then generally people don't protect their infrastructure in any way at
> > all, but fully rely vendor doing something reasonable.
> >
> > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > allow what you must then have ultimate rule to deny everything. If you
> > have such CoPP, then this attack won't work, as you clearly didn't
> > allow any fragments at all (as you didn't expect to receive BGP
> > fragments from your neighbours).
>
> That's the point: If you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

And fragments are a *normal* part of IP for both IPv4 and IPv6.
This obsession with dropping all fragments (and yes it is a obsession)
is breaking the internet.


Vendors got the frag reassembly code wrong so many times , that I
understand the folk  that decides to drop them if deemed unnecessary.


Even if you don't want to allow all fragments through you can allow
fragments between the two endpoints of a "active" connection.


At times folks want to get rid of fragments directed to them, rather than
those going *through* them.


You
can apply port filters to the offset 0 fragments.  If that fragment
doesn't have enough headers to be able to filter then drop it.  If
your firewall is incapable of doing this then find a better firewall
as the current one is a piece of garbage and should be in the recycle
bin.

Which DoS is the bigger issue?  Firewalls dropping fragments or
reassembly buffers being exhausted?


If there is no way for an attacker to trigger the use of fragmentation, and
you don't need fragments (e.g. only tcp-based services), from a security
pov you're certainly better off dropping frags  that are thrown at you. Not
that I like it, but....

Thanks,
Fernando



More information about the NANOG mailing list