IPv6 Security Frequently Asked Questions (FAQ)

Mark Andrews marka at isc.org
Fri Mar 8 07:36:07 UTC 2019 


> On 8 Mar 2019, at 6:30 pm, Fernando Gont <fgont at si6networks.com> wrote:
> 
> Hello, Mark,
> 
> Thanks for your feedback! Please see in-line....
> 
> On 8/3/19 04:10, Mark Andrews wrote:
>> "Generation of IPv6 fragments in response to ICMPv6 PTB messages has been deprecated in the revised IPv6 specification"
>> 
>> IS INCORRECT
>> 
>> generation of fragments is “discouraged".  Discouraged and deprecated mean different thing.  
> 
> There is a writeo here. The text should have said "generation of IPv6
> atomic fragments", or,
> 
> "Generation of IPv6 fragments in response to ICMPv6 PTB messages
> advertising an MTU smaller than 1280"
> 
> 
> The whole section refers to "atomic fragments" which might be generated
> even for protocols that are not supposed to employ fragmentation.
> 
> I will clarify this in the next rev.

Thanks

>> 					However, the use of such
>>   fragmentation is discouraged in any application that is able to
>>   adjust its packets to fit the measured path MTU (i.e., down to 1280
>>   octets).
>> 
>> the whole of 4.4 is very badly worded and states things as fact which don’t
>> appear in RFC’s at all.
> 
> Please let me know if, considering the writeo I referred to above, you
> still feel the same.

I think I’ll reserve judgement until I have seen the re-write.

>> The adding of a fragmentation header for PTB <1280 has gone.  Fragmentation
>> down to 1280 is still supposed to happen in response to a PTB.  Packets still
>> have to flow through paths that narrow down to 1280.
> 
> Agreed.
> 
> This section is referred to this scenario:
> 
> Say two nodes only mean to employ a TCP-based application (say two BGP
> peers). Say they filter fragments directed to them, since the TCP
> connections will avoid fragmentation.
> 
> In such cases, what would seem as a "safe practice" may be not: if the
> involved systems employ a legacy IPv6 implementation, then an attacker
> can trigger the generation of IPv6 fragments (even for TCP conenctions)
> by spoofing an ICMPv6 PTB claiming an MTU < 1280.
> 
> This is what this section is about: If you are going to drop fragments,
> make sure you also take care of ICMPv6 PTBs, since they may trigger
> fragmentation even for protocols that you'd assume would never emply
> fragmentation.
> 
> Thanks!
> 
> Cheers,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org

More information about the NANOG mailing list