idnits 2.17.00 (12 Aug 2021) /tmp/idnits4779/draft-ietf-6man-deprecate-atomfrag-generation-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 12, 2016) is 2070 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 6145 (Obsoleted by RFC 7915) == Outdated reference: draft-ietf-6man-rfc2460bis has been published as RFC 8200 == Outdated reference: draft-ietf-6man-rfc1981bis has been published as RFC 8201 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPv6 maintenance Working Group (6man) F. Gont 3 Internet-Draft SI6 Networks / UTN-FRH 4 Intended status: Informational W. Liu 5 Expires: March 16, 2017 Huawei Technologies 6 T. Anderson 7 Redpill Linpro 8 September 12, 2016 10 Generation of IPv6 Atomic Fragments Considered Harmful 11 draft-ietf-6man-deprecate-atomfrag-generation-08 13 Abstract 15 This document discusses the security implications of the generation 16 of IPv6 atomic fragments and a number of interoperability issues 17 associated with IPv6 atomic fragments, and concludes that the 18 aforementioned functionality is undesirable, thus documenting the 19 motivation for removing this functionality in the revision of the 20 core IPv6 protocol specification. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on March 16, 2017. 39 Copyright Notice 41 Copyright (c) 2016 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 57 2. Security Implications of the Generation of IPv6 Atomic 58 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Additional Considerations . . . . . . . . . . . . . . . . . . 5 60 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7 61 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 62 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 63 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 64 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 65 8.1. Normative References . . . . . . . . . . . . . . . . . . 8 66 8.2. Informative References . . . . . . . . . . . . . . . . . 9 67 Appendix A. Small Survey of OSes that Fail to Produce IPv6 68 Atomic Fragments . . . . . . . . . . . . . . . . . . 10 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 71 1. Introduction 73 [RFC2460] specifies the IPv6 fragmentation mechanism, which allows 74 IPv6 packets to be fragmented into smaller pieces such that they can 75 fit in the Path-MTU to the intended destination(s). 77 A legacy IPv4/IPv6 translator implementing the Stateless IP/ICMP 78 Translation algorithm [RFC6145] may legitimately generate ICMPv6 79 "Packet Too Big" messages [RFC4443] advertising a "Next-Hop MTU" 80 smaller than 1280 (the minimum IPv6 MTU). Section 5 of [RFC2460] 81 states that, upon receiving such an ICMPv6 error message, hosts are 82 not required to reduce the assumed Path-MTU, but must simply include 83 a Fragment Header in all subsequent packets sent to that destination. 84 The resulting packets will thus *not* be actually fragmented into 85 several pieces, but rather be "atomic fragments" [RFC6946] (i.e., 86 just include a Fragment Header with both the "Fragment Offset" and 87 the "M" flag set to 0). [RFC6946] requires that these atomic 88 fragments be essentially processed by the destination host as non- 89 fragmented traffic (since there are not really any fragments to be 90 reassembled). The goal of these atomic fragments is simply to convey 91 an appropriate Identification value to be employed by IPv6/IPv4 92 translators for the resulting IPv4 fragments. 94 While atomic fragments might seem rather benign, there are scenarios 95 in which the generation of IPv6 atomic fragments can be leveraged for 96 performing a number of attacks against the corresponding IPv6 flows. 98 Since there are concrete security implications arising from the 99 generation of IPv6 atomic fragments, and there is no real gain in 100 generating IPv6 atomic fragments (as opposed to e.g. having IPv6/IPv4 101 translators generate a Fragment Identification value themselves), we 102 conclude that this functionality is undesirable. 104 Section 2 briefly discusses the security implications of the 105 generation of IPv6 atomic fragments, and describes a specific Denial 106 of Service (DoS) attack vector that leverages the widespread 107 filtering of IPv6 fragments in the public Internet. Section 3 108 provides additional considerations regarding the usefulness of 109 generating IPv6 atomic fragments. 111 2. Security Implications of the Generation of IPv6 Atomic Fragments 113 The security implications of IP fragmentation have been discussed at 114 length in [RFC6274] and [RFC7739]. An attacker can leverage the 115 generation of IPv6 atomic fragments to trigger the use of 116 fragmentation in an arbitrary IPv6 flow (in scenarios in which actual 117 fragmentation of packets is not needed), and subsequently perform any 118 fragmentation-based attack against legacy IPv6 nodes that do not 119 implement [RFC6946]. That is, employing fragmentation where not 120 actually needed allows for fragmentation-based attack vectors to be 121 employed, unnecessarily. 123 We note that, Unfortunately, even nodes that already implement 124 [RFC6946] can be subject to DoS attacks as a result of the generation 125 of IPv6 atomic fragments. Let us assume that Host A is communicating 126 with Server B, and that, as a result of the widespread dropping of 127 IPv6 packets that contain extension headers (including fragmentation) 128 [RFC7872], some intermediate node filters fragments between Server B 129 and Host A. If an attacker sends a forged ICMPv6 "Packet Too Big" 130 (PTB) error message to server B, reporting an MTU smaller than 1280, 131 this will trigger the generation of IPv6 atomic fragments from that 132 moment on (as required by [RFC2460]). When server B starts sending 133 IPv6 atomic fragments (in response to the received ICMPv6 PTB), these 134 packets will be dropped, since we previously noted that IPv6 packets 135 with extension headers were being dropped between Server B and Host 136 A. Thus, this situation will result in a Denial of Service (DoS) 137 scenario. 139 Another possible scenario is that in which two BGP peers are 140 employing IPv6 transport, and they implement Access Control Lists 141 (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If 142 the aforementioned BGP peers drop IPv6 fragments but still honor 143 received ICMPv6 Packet Too Big error messages, an attacker could 144 easily attack the peering session by simply sending an ICMPv6 PTB 145 message with a reported MTU smaller than 1280 bytes. Once the attack 146 packet has been sent, the aforementioned routers will themselves be 147 the ones dropping their own traffic. 149 The aforementioned attack vector is exacerbated by the following 150 factors: 152 o The attacker does not need to forge the IPv6 Source Address of his 153 attack packets. Hence, deployment of simple BCP38 filters will 154 not help as a counter-measure. 156 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 157 payload needs to be forged. While one could envision filtering 158 devices enforcing BCP38-style filters on the ICMPv6 payload, the 159 use of extension headers (by the attacker) could make this 160 difficult, if at all possible. 162 o Many implementations fail to perform validation checks on the 163 received ICMPv6 error messages, as recommended in Section 5.2 of 164 [RFC4443] and documented in [RFC5927]. It should be noted that in 165 some cases, such as when an ICMPv6 error message has (supposedly) 166 been elicited by a connection-less transport protocol (or some 167 other connection-less protocol being encapsulated in IPv6), it may 168 be virtually impossible to perform validation checks on the 169 received ICMPv6 error message. And, because of IPv6 extension 170 headers, the ICMPv6 payload might not even contain any useful 171 information on which to perform validation checks. 173 o Upon receipt of one of the aforementioned ICMPv6 "Packet Too Big" 174 error messages, the Destination Cache [RFC4861] is usually updated 175 to reflect that any subsequent packets to such destination should 176 include a Fragment Header. This means that a single ICMPv6 177 "Packet Too Big" error message might affect multiple communication 178 instances (e.g., TCP connections) with such destination. 180 o As noted in Section 3, SIIT (Stateless IP/ICMP Translation 181 Algorithm) [RFC6145], including derivative protocols such as 182 Stateful NAT64 [RFC6146], was the only technology making use of 183 atomic fragments. Unfortunately, an IPv6 node cannot easily limit 184 its exposure to the aforementioned attack vector by only 185 generating IPv6 atomic fragments towards IPv4 destinations behind 186 a stateless translator. This is due to the fact that Section 3.3 187 of [RFC6052] encourages operators to use a Network-Specific Prefix 188 (NSP) that maps the IPv4 address space into IPv6. When an NSP is 189 being used, IPv6 addresses representing IPv4 nodes (reached 190 through a stateless translator) are indistinguishable from native 191 IPv6 addresses. 193 3. Additional Considerations 195 Besides the security assessment provided in Section 2, it is 196 interesting to evaluate the pros and cons of having an IPv6-to-IPv4 197 translating router rely on the generation of IPv6 atomic fragments. 199 Relying on the generation of IPv6 atomic fragments implies a reliance 200 on: 202 1. ICMPv6 packets arriving from the translator to the IPv6 node 204 2. The ability of the nodes receiving ICMPv6 PTB messages reporting 205 an MTU smaller than 1280 bytes to actually produce atomic 206 fragments 208 3. Support for IPv6 fragmentation on the IPv6 side of the translator 210 4. The ability of the translator implementation to access the 211 information conveyed by the IPv6 Fragment Header 213 5. The value extracted from the low-order 16-bits of the IPv6 214 fragment Identification resulting in an appropriate IPv4 215 Identification value 217 Unfortunately, 219 1. There exists a fair share of evidence of ICMPv6 Packet Too Big 220 messages being dropped on the public Internet (for instance, that 221 is one of the reasons for which PLPMTUD [RFC4821] was produced). 222 Therefore, relying on such messages being successfully delivered 223 will affect the robustness of the protocol that relies on them. 225 2. A number of IPv6 implementations have been known to fail to 226 generate IPv6 atomic fragments in response to ICMPv6 PTB messages 227 reporting an MTU smaller than 1280 bytes (see Appendix A for a 228 small survey). Additionally, the results included in Section 6 229 of [RFC6145] note that 57% of the tested web servers failed to 230 produce IPv6 atomic fragments in response to ICMPv6 PTB messages 231 reporting an MTU smaller than 1280 bytes. Thus, any protocol 232 relying on IPv6 atomic fragment generation for proper functioning 233 will have interoperability problems with the aforementioned IPv6 234 stacks. 236 3. IPv6 atomic fragment generation represents a case in which 237 fragmented traffic is produced where otherwise it would not be 238 needed. Since there is widespread filtering of IPv6 fragments in 239 the public Internet [RFC7872], this would mean that the 240 (unnecessary) use of IPv6 fragmentation might result, 241 unnecessarily, in a Denial of Service situation even in 242 legitimate cases. 244 4. The packet-handling API at the node where the translator is 245 running may obscure fragmentation-related information. In such 246 scenarios, the information conveyed by the Fragment Header may be 247 unavailable to the translator. [JOOL] discusses a sample 248 framework (Linux Netfilter) that hinders access to the 249 information conveyed in IPv6 atomic fragments. 251 5. While [RFC2460] requires that the IPv6 fragment Identification of 252 a fragmented packet be different that of any other fragmented 253 packet sent recently with the same Source Address and Destination 254 Address, there is no requirement on the low-order 16-bits of such 255 value. Thus, there is no guarantee that, by employing the low- 256 order 16-bits of the IPv6 fragment Identification of a packet 257 sent by a source host, IPv4 fragment identification collisions 258 will be avoided or reduced. Besides, collisions might occur 259 where two distinct IPv6 Destination Addresses are translated into 260 the same IPv4 address, such that Identification values that might 261 have been generated to be unique in the IPv6 context end up 262 colliding when used in the translated IPv4 context. 264 We note that SIIT essentially employs the Fragment Header of IPv6 265 atomic fragments to signal the translator how to set the DF bit of 266 IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a 267 Fragment Header, and is otherwise set to 1 when the IPv6 packet does 268 not contain an IPv6 Fragment Header). Additionally, the translator 269 will employ the low-order 16-bits of the IPv6 Fragment Identification 270 for setting the IPv4 Fragment Identification. At least in theory, 271 this is expected to reduce the IPv4 Identification collision rate in 272 the following specific scenario: 274 1. An IPv6 node communicates with an IPv4 node (through SIIT). 276 2. The IPv4 node is located behind an IPv4 link with an MTU smaller 277 than 1260 bytes. An IPv4 Path MTU of 1260 corresponds to an IPv6 278 Path MTU of 1280, due to an option-less IPv4 header being 20 279 bytes shorter than the IPv6 header. 281 3. ECMP routing [RFC2992] with more than one translator is employed 282 for e.g., redundancy purposes. 284 In such a scenario, if each translator were to select the IPv4 285 Identification on its own (rather than selecting the IPv4 286 Identification from the low-order 16-bits of the Fragment 287 Identification of IPv6 atomic fragments), this could possibly lead to 288 IPv4 Identification collisions. However, as noted above, the value 289 extracted from the low-order 16-bits of the IPv6 fragment 290 Identification might not result in an appropriate IPv4 291 identification: for example, a number of implementations set the IPv6 292 Fragment Identification according to the output of a Pseudo-Random 293 Number Generator (PRNG) (see Appendix B of [RFC7739]); hence,if the 294 translator only employs the low-order 16-bits of such value, it is 295 very unlikely that relying on the Fragment Identification of the IPv6 296 atomic fragment will result in a reduced IPv4 Identification 297 collision rate (when compared to the case where the translator 298 selects each IPv4 Identification on its own). Besides, because of 299 the limited sized of the IPv4 identification field, it is 300 nevertheless virtually impossible to guarantee uniqueness of the IPv4 301 identification values without artificially limiting the data rate of 302 fragmented traffic [RFC6864] [RFC4963]. 304 [RFC6145] was the only "consumer" of IPv6 atomic fragments, and it 305 correctly and diligently noted (in Section 6) the possible 306 interoperability problems of relying on IPv6 atomic fragments, 307 proposing a workaround that led to more robust behavior and 308 simplified code. [RFC6145] has been obsoleted by [RFC7915], such 309 that SIIT does not rely on IPv6 atomic fragments. 311 4. Conclusions 313 Taking all of the above considerations into account, we recommend 314 that IPv6 atomic fragments be deprecated. 316 In particular: 318 o IPv4/IPv6 translators should be updated to not generate ICMPv6 319 Packet Too Big errors containing a Path MTU value smaller than the 320 minimum IPv6 MTU of 1280 bytes. This will ensure that current 321 IPv6 nodes will never have a legitimate need to start generating 322 IPv6 atomic fragments. 324 o The recommendation in the previous bullet ensures there no longer 325 are any valid reasons for ICMPv6 Packet Too Big errors containing 326 a Path MTU value smaller than the minimum IPv6 MTU to exist. IPv6 327 nodes should therefore be updated to ignore them as invalid. 329 We note that these recommendations have been incorporated in 330 [I-D.ietf-6man-rfc1981bis], [I-D.ietf-6man-rfc2460bis] and [RFC7915]. 332 5. IANA Considerations 334 There are no IANA registries within this document. 336 6. Security Considerations 338 This document briefly discusses the security implications of the 339 generation of IPv6 atomic fragments, and describes one specific 340 Denial of Service (DoS) attack vector that leverages the widespread 341 filtering of IPv6 fragments in the public Internet. It concludes 342 that the generation of IPv6 atomic fragments is an undesirable 343 feature, and documents the motivation for removing this functionality 344 from [I-D.ietf-6man-rfc2460bis]. 346 7. Acknowledgements 348 The authors would like to thank (in alphabetical order) Congxiao Bao, 349 Carlos Jesus Bernardos Cano, Bob Briscoe, Brian Carpenter, Tatuya 350 Jinmei, Bob Hinden, Alberto Leiva, Ted Lemon, Xing Li, Jeroen Massar, 351 Erik Nordmark, Joe Touch, Qiong Sun, Ole Troan, Tina Tsou, and Bernie 352 Volz, for providing valuable comments on earlier versions of this 353 document. 355 Fernando Gont would like to thank Jan Zorz / Go6 Lab 356 , and Jared Mauch / NTT America, for providing 357 access to systems and networks that were employed to produce some of 358 the tests that resulted in the publication of this document. 359 Additionally, he would like to thank SixXS 360 for providing IPv6 connectivity. 362 8. References 364 8.1. Normative References 366 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 367 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 368 December 1998, . 370 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 371 Control Message Protocol (ICMPv6) for the Internet 372 Protocol Version 6 (IPv6) Specification", RFC 4443, 373 DOI 10.17487/RFC4443, March 2006, 374 . 376 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 377 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 378 . 380 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 381 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 382 DOI 10.17487/RFC4861, September 2007, 383 . 385 [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation 386 Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011, 387 . 389 [RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont, 390 "IP/ICMP Translation Algorithm", RFC 7915, 391 DOI 10.17487/RFC7915, June 2016, 392 . 394 [RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field", 395 RFC 6864, DOI 10.17487/RFC6864, February 2013, 396 . 398 8.2. Informative References 400 [RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path 401 Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, 402 . 404 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, 405 DOI 10.17487/RFC5927, July 2010, 406 . 408 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 409 Errors at High Data Rates", RFC 4963, 410 DOI 10.17487/RFC4963, July 2007, 411 . 413 [RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. 414 Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, 415 DOI 10.17487/RFC6052, October 2010, 416 . 418 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 419 NAT64: Network Address and Protocol Translation from IPv6 420 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 421 April 2011, . 423 [RFC6274] Gont, F., "Security Assessment of the Internet Protocol 424 Version 4", RFC 6274, DOI 10.17487/RFC6274, July 2011, 425 . 427 [RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", 428 RFC 6946, DOI 10.17487/RFC6946, May 2013, 429 . 431 [RFC7739] Gont, F., "Security Implications of Predictable Fragment 432 Identification Values", RFC 7739, DOI 10.17487/RFC7739, 433 February 2016, . 435 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, 436 "Observations on the Dropping of Packets with IPv6 437 Extension Headers in the Real World", RFC 7872, 438 DOI 10.17487/RFC7872, June 2016, 439 . 441 [I-D.ietf-6man-rfc2460bis] 442 Deering, D. and R. Hinden, "Internet Protocol, Version 6 443 (IPv6) Specification", draft-ietf-6man-rfc2460bis-05 (work 444 in progress), June 2016. 446 [I-D.ietf-6man-rfc1981bis] 447 <>, J., <>, S., <>, J., and R. Hinden, "Path MTU Discovery 448 for IP version 6", draft-ietf-6man-rfc1981bis-02 (work in 449 progress), April 2016. 451 [Morbitzer] 452 Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis. 453 Thesis number: 670. Department of Computing Science, 454 Radboud University Nijmegen. August 2013, 455 . 458 [JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6", 459 April 2015, . 462 Appendix A. Small Survey of OSes that Fail to Produce IPv6 Atomic 463 Fragments 465 [This section will probably be removed from this document before it 466 is published as an RFC]. 468 This section includes a non-exhaustive list of operating systems that 469 *fail* to produce IPv6 atomic fragments. It is based on the results 470 published in [RFC6946] and [Morbitzer]. It is simply meant as a 471 datapoint regarding the extent to which IPv6 implementations can be 472 relied upon to generate IPv6 atomic fragments. 474 The following Operating Systems fail to generate IPv6 atomic 475 fragments in response to ICMPv6 PTB messages that report an MTU 476 smaller than 1280 bytes: 478 o FreeBSD 8.0 479 o Linux kernel 2.6.32 481 o Linux kernel 3.2 483 o Mac OS X 10.6.7 485 o NetBSD 5.1 487 Authors' Addresses 489 Fernando Gont 490 SI6 Networks / UTN-FRH 491 Evaristo Carriego 2644 492 Haedo, Provincia de Buenos Aires 1706 493 Argentina 495 Phone: +54 11 4650 8472 496 Email: fgont@si6networks.com 497 URI: http://www.si6networks.com 499 Will(Shucheng) Liu 500 Huawei Technologies 501 Bantian, Longgang District 502 Shenzhen 518129 503 P.R. China 505 Email: liushucheng@huawei.com 507 Tore Anderson 508 Redpill Linpro 509 Vitaminveien 1A 510 Oslo 0485 511 Norway 513 Phone: +47 959 31 212 514 Email: tore@redpill-linpro.com 515 URI: http://www.redpill-linpro.com