nanog mailing list archives
Re: IPv6 Security Frequently Asked Questions (FAQ)
From: Fernando Gont <fgont () si6networks com>
Date: Fri, 8 Mar 2019 04:30:54 -0300
Hello, Mark, Thanks for your feedback! Please see in-line.... On 8/3/19 04:10, Mark Andrews wrote:
"Generation of IPv6 fragments in response to ICMPv6 PTB messages has been deprecated in the revised IPv6 specification" IS INCORRECT generation of fragments is “discouraged". Discouraged and deprecated mean different thing.
There is a writeo here. The text should have said "generation of IPv6 atomic fragments", or, "Generation of IPv6 fragments in response to ICMPv6 PTB messages advertising an MTU smaller than 1280" The whole section refers to "atomic fragments" which might be generated even for protocols that are not supposed to employ fragmentation. I will clarify this in the next rev.
However, the use of such
fragmentation is discouraged in any application that is able to
adjust its packets to fit the measured path MTU (i.e., down to 1280
octets).
the whole of 4.4 is very badly worded and states things as fact which don’t
appear in RFC’s at all.
Please let me know if, considering the writeo I referred to above, you still feel the same.
The adding of a fragmentation header for PTB <1280 has gone. Fragmentation down to 1280 is still supposed to happen in response to a PTB. Packets still have to flow through paths that narrow down to 1280.
Agreed. This section is referred to this scenario: Say two nodes only mean to employ a TCP-based application (say two BGP peers). Say they filter fragments directed to them, since the TCP connections will avoid fragmentation. In such cases, what would seem as a "safe practice" may be not: if the involved systems employ a legacy IPv6 implementation, then an attacker can trigger the generation of IPv6 fragments (even for TCP conenctions) by spoofing an ICMPv6 PTB claiming an MTU < 1280. This is what this section is about: If you are going to drop fragments, make sure you also take care of ICMPv6 PTBs, since they may trigger fragmentation even for protocols that you'd assume would never emply fragmentation. Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont () si6networks com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Current thread:
- IPv6 Security Frequently Asked Questions (FAQ) Fernando Gont (Mar 07)
- Re: IPv6 Security Frequently Asked Questions (FAQ) Mark Andrews (Mar 07)
- Re: IPv6 Security Frequently Asked Questions (FAQ) Fernando Gont (Mar 07)
- Re: IPv6 Security Frequently Asked Questions (FAQ) Mark Andrews (Mar 07)
- Re: IPv6 Security Frequently Asked Questions (FAQ) Fernando Gont (Mar 07)
- Re: IPv6 Security Frequently Asked Questions (FAQ) Mark Andrews (Mar 07)