Thanks. It is clear now.

.as

On 26 Jan 2012, at 12:00, Fernando Gont wrote:

> [Subject changed so that this doesn't "mix" with the poll]
>
> Hi, Arturo,
>
> On 01/26/2012 09:59 AM, Arturo Servin wrote:
>> When you say "Namely, they try to perform IPv6 reassembly with the
>> "atomic fragment" and any other fragments already queued with the
>> same set {IPv6 Source Address, IPv6 Destination Address, Fragment
>> Identification}." If there is just one packet what happens? Does the
>> host just hang in there waiting for the next fragment (that possibly
>> will never arrive) until it times out?
>
> I didn't test *this* one (will do this weekend, and let you know). But
> they *do* mix the atomic fragment with fragments present in the fragment
> queue. That is, the attacker (knowing that you're relying on atomic
> fragments) can send lots of forged fragments to the victim system, such
> that when your legitimate fragments arrive at the victim they get mixed
> up with the malicious fragments, and hence they get discarded.
>
>
>> Also, you quoted RFC2640 "In response to an IPv6 packet that is sent
>> to an IPv4 destination (i.e., a packet that undergoes translation
>> from IPv6 to IPv4) …" I wonder if there is any negative implication
>> for IPv4/IPv6 translators if atomic fragments are forbidden as
>> proposed.
>
> Dan Wing has noted that forbidding atomic fragments breaks RFC 6144. It
> would also break the DNS if atomic fragments are employed for it.
>
> That's why draft-gont-6man-ipv6-atomic-fragments does *not* forbid
> atomic fragments, but rather improves their processing at the
> receiving node.
>
> Essentially, what this proposal says is "If you receive an atomic fragment,
> don't 'merge it' with fragmented traffic, but just remove the
> Fragmentation Header and process the packet as if it was not fragmented".
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
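
An added example, not part of the original thread: a minimal Python model of the receiver behaviour discussed above, comparing a receiver that sends atomic fragments through the reassembly queue with one that strips the Fragment Header and processes them in isolation. The addresses, Identification value and payloads are constructed, and the overlap-discard rule used for the first receiver (RFC 5722) is an assumption about how the mixing ends in a discard.

```python
import struct

def parse_frag_header(hdr: bytes):
    """Parse the 8-byte IPv6 Fragment Header: offset is returned in bytes."""
    next_hdr, _reserved, off_flags, ident = struct.unpack("!BBHI", hdr)
    return next_hdr, (off_flags >> 3) * 8, off_flags & 1, ident

def receive(queues, src, dst, hdr, payload, isolate_atomic):
    """Return ("deliver", data), ("queued", None) or ("discard", None).

    queues maps (src, dst, ident) -> list of (offset, more, payload).
    isolate_atomic=True is the handling proposed in the thread;
    False models a receiver that runs atomic fragments through reassembly.
    """
    _nh, offset, more, ident = parse_frag_header(hdr)
    key = (src, dst, ident)
    if isolate_atomic and offset == 0 and more == 0:
        # Atomic fragment: strip the header, never consult the fragment queue.
        return "deliver", payload
    frags = queues.setdefault(key, [])
    end = offset + len(payload)
    if any(offset < o + len(p) and o < end for o, _m, p in frags):
        # Overlap with queued data: drop the whole datagram (RFC 5722 rule).
        del queues[key]
        return "discard", None
    frags.append((offset, more, payload))
    frags.sort()
    pos = 0
    for o, _m, p in frags:          # complete only if contiguous from offset 0
        if o != pos:
            return "queued", None
        pos += len(p)
    if frags[-1][1] == 0:           # last fragment has M=0
        del queues[key]
        return "deliver", b"".join(p for _o, _m, p in frags)
    return "queued", None

def demo(isolate_atomic):
    """Constructed scenario: a first fragment is already queued under the same
    {src, dst, ident} when a legitimate atomic fragment arrives."""
    src, dst, ident = "2001:db8::1", "2001:db8::2", 0x1234   # constructed values
    queues = {}
    queued = struct.pack("!BBHI", 17, 0, (0 << 3) | 1, ident)  # offset 0, M=1
    atomic = struct.pack("!BBHI", 17, 0, 0, ident)             # offset 0, M=0
    receive(queues, src, dst, queued, b"X" * 8, isolate_atomic)
    return receive(queues, src, dst, atomic, b"legit-udp-data", isolate_atomic)

if __name__ == "__main__":
    print("through reassembly:", demo(False))
    print("isolated:          ", demo(True))
```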