IPv6 Security Frequently Asked Questions (FAQ)

• Previous message (by thread): IPv6 Security Frequently Asked Questions (FAQ)
• Next message (by thread): IPv6 Security Frequently Asked Questions (FAQ)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello, Mark,

Thanks for your feedback! Please see in-line....

On 8/3/19 04:10, Mark Andrews wrote:
> "Generation of IPv6 fragments in response to ICMPv6 PTB messages has been deprecated in the revised IPv6 specification"
> 
> IS INCORRECT
> 
> generation of fragments is “discouraged".  Discouraged and deprecated mean different thing.  

There is a writeo here. The text should have said "generation of IPv6
atomic fragments", or,

 "Generation of IPv6 fragments in response to ICMPv6 PTB messages
advertising an MTU smaller than 1280"


The whole section refers to "atomic fragments" which might be generated
even for protocols that are not supposed to employ fragmentation.

I will clarify this in the next rev.


> 
> 					However, the use of such
>    fragmentation is discouraged in any application that is able to
>    adjust its packets to fit the measured path MTU (i.e., down to 1280
>    octets).
> 
> the whole of 4.4 is very badly worded and states things as fact which don’t
> appear in RFC’s at all.

Please let me know if, considering the writeo I referred to above, you
still feel the same.


> 
> The adding of a fragmentation header for PTB <1280 has gone.  Fragmentation
> down to 1280 is still supposed to happen in response to a PTB.  Packets still
> have to flow through paths that narrow down to 1280.

Agreed.

This section is referred to this scenario:

Say two nodes only mean to employ a TCP-based application (say two BGP
peers). Say they filter fragments directed to them, since the TCP
connections will avoid fragmentation.

In such cases, what would seem as a "safe practice" may be not: if the
involved systems employ a legacy IPv6 implementation, then an attacker
can trigger the generation of IPv6 fragments (even for TCP conenctions)
by spoofing an ICMPv6 PTB claiming an MTU < 1280.

This is what this section is about: If you are going to drop fragments,
make sure you also take care of ICMPv6 PTBs, since they may trigger
fragmentation even for protocols that you'd assume would never emply
fragmentation.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

• Previous message (by thread): IPv6 Security Frequently Asked Questions (FAQ)
• Next message (by thread): IPv6 Security Frequently Asked Questions (FAQ)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]