[Subject changed so that this doesn't "mix" with the poll]

Hi, Arturo,

On 01/26/2012 09:59 AM, Arturo Servin wrote:
> When you say "Namely, they try to perform IPv6 reassembly with the
> "atomic fragment" and any other fragments already queued with the
> same set {IPv6 Source Address, IPv6 Destination Address, Fragment
> Identification}." If there is just one packet what happens? Does the
> host just hang in there waiting for the next fragment (that possibly
> will never arrive) until it times out?

I didn't test *this* one (will do this weekend, and let you know). But
they *do* mix the atomic fragment with fragments present in the fragment
queue. That is, the attacker (knowing that you're relying on atomic
fragments) can send lots of forged fragments to the victim system, such
that when your legitimate fragments arrive at the victim they get mixed
up with the malicious fragments, and hence they get discarded.


> Also, you quoted RFC2640 "In response to an IPv6 packet that is sent
> to an IPv4 destination (i.e., a packet that undergoes translation
> from IPv6 to IPv4) …" I wonder if there is any negative implication
> for IPv4/IPv6 translators if atomic fragments are forbidden as
> proposed.

Dan Wing has noted that forbidding atomic fragments breaks RFC 6144. It
would also break the DNS if atomic fragments are employed for it.

That's why draft-gont-6man-ipv6-atomic-fragments does *not* forbid
atomic fragments, but rather improves their processing at the
receiving node.

Essentially, what this proposal says is: "If you receive an atomic fragment,
don't 'merge it' with fragmented traffic, but just remove the
Fragmentation Header and process the packet as if it was not fragmented".

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
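A minimal model of the two receiver behaviours discussed in this thread, added here as an illustration (it is not code from the thread, from the draft, or from any stack): a reassembly queue already holds a stray fragment for a given {source, destination, identification} key when an atomic fragment with the same key arrives. The legacy receiver merges the atomic fragment into that queue and, applying the discard-on-overlap rule of RFC 5722 (my modelling assumption for "they get discarded"), delivers nothing; the receiver that processes atomic fragments independently delivers the payload. Addresses, identification value and payloads are constructed, and offsets are plain byte offsets rather than 8-octet units.

```python
from dataclasses import dataclass
@dataclass
class Fragment:
    src: str
    dst: str
    ident: int
    offset: int   # byte offset of this piece within the original datagram (model only)
    more: bool    # M flag: more fragments follow
    payload: bytes

    def key(self):  # the reassembly queue is selected by this tuple
        return (self.src, self.dst, self.ident)
    def is_atomic(self):  # Fragment Header present with offset 0 and M=0
        return self.offset == 0 and not self.more
class Reassembler:
    def __init__(self, atomic_independent):
        self.atomic_independent = atomic_independent  # True: the draft's rule
        self.queues = {}  # key -> fragments sorted by offset

    def receive(self, frag):
        """Return the reassembled payload, or None if nothing is deliverable yet."""
        if self.atomic_independent and frag.is_atomic():
            # Strip the Fragment Header and process as unfragmented;
            # the queue for this key is never consulted.
            return frag.payload
        q = self.queues.setdefault(frag.key(), [])
        for other in q:
            if (frag.offset < other.offset + len(other.payload)
                    and other.offset < frag.offset + len(frag.payload)):
                # Overlap with a queued fragment: discard the whole datagram (RFC 5722)
                del self.queues[frag.key()]
                return None
        q.append(frag)
        q.sort(key=lambda f: f.offset)
        if q[0].offset != 0 or q[-1].more:
            return None  # first or last piece still missing
        end = 0
        for f in q:  # deliver only when the pieces are contiguous
            if f.offset != end:
                return None
            end += len(f.payload)
        del self.queues[frag.key()]
        return b"".join(f.payload for f in q)

def deliver_atomic_after_stray(atomic_independent):
    # Constructed scenario: a stray fragment is queued, then an atomic one arrives
    r = Reassembler(atomic_independent)
    key = ("2001:db8::1", "2001:db8::2", 0x1234)  # constructed sample key
    r.receive(Fragment(*key, offset=0, more=True, payload=b"X" * 16))
    return r.receive(Fragment(*key, offset=0, more=False, payload=b"legit answer"))
```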
