ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
marka at isc.org
Fri Jan 13 02:07:41 UTC 2017
In message <CAG6TeAt9eodf-OihH0vow25GFC-P__P+NO9yKMycBsUQhOpYuA at mail.gmail.com>
, Fernando Gont writes:
> El 12/1/2017 16:28, "Mark Andrews" <marka at isc.org> escribi=C3=B3:
> > In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 at si6networks.com>, Fernando Gont writes:
> > > Hi, Saku,
> > >
> > > On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > > > On 12 January 2017 at 13:19, Fernando Gont <fgont at si6networks.com>
> > wrote:
> > > >
> > > > Hey,
> > > >
> > > >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> > > >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> > > >> welcome).
> > > >
> > > > Generally may be understood differently by different people. If
> > > > generally is defined as single most typical behaviour/configuration,
> > > > then generally people don't protect their infrastructure in any way at
> > > > all, but fully rely vendor doing something reasonable.
> > > >
> > > > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > > > allow what you must then have ultimate rule to deny everything. If you
> > > > have such CoPP, then this attack won't work, as you clearly didn't
> > > > allow any fragments at all (as you didn't expect to receive BGP
> > > > fragments from your neighbours).
> > >
> > > That's the point: If you don't allow fragments, but your peer honors
> > > ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
> > And fragments are a *normal* part of IP for both IPv4 and IPv6.
> > This obsession with dropping all fragments (and yes it is a obsession)
> > is breaking the internet.
> Vendors got the frag reassembly code wrong so many times , that I
> understand the folk that decides to drop them if deemed unnecessary.
Most of them literally decades ago. 20+ years ago while you waited
for you vendor to fix the bug it made some sense as most of your
boxes were vulnerable. It was a new threat back then. It doesn't
make sense today.
Packet bigger than 1500 are a part of todays internet. Have a look
a the stats for dropped fragments. They aren't for the most part
attack traffic. Its legitmate reply traffic that has been requested.
> > Even if you don't want to allow all fragments through you can allow
> > fragments between the two endpoints of a "active" connection.
> > At times folks want to get rid of fragments directed to them, rather than
> > those going *through* them.
> > You
> > can apply port filters to the offset 0 fragments. If that fragment
> > doesn't have enough headers to be able to filter then drop it. If
> > your firewall is incapable of doing this then find a better firewall
> > as the current one is a piece of garbage and should be in the recycle
> > bin.
> > Which DoS is the bigger issue? Firewalls dropping fragments or
> > reassembly buffers being exhausted?
> > If there is no way for an attacker to trigger the use of fragmentation, and
> > you don't need fragments (e.g. only tcp-based services), from a security
> > pov you're certainly better off dropping frags that are thrown at you. Not
> > that I like it, but....
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG