Thanks. It is clear now.

.as

On 26 Jan 2012, at 12:00, Fernando Gont wrote:

> [Subject changed so that this doesn't "mix" with the poll]
> 
> Hi, Arturo,
> 
> On 01/26/2012 09:59 AM, Arturo Servin wrote:
>> When you say "Namely, they try to perform IPv6 reassembly with the
>> "atomic fragment" and any other fragments already queued with the
>> same set {IPv6 Source Address, IPv6 Destination Address, Fragment
>> Identification}." If there is just one packet what happens? Does the
>> host just hang in there waiting for the next fragment (that possibly
>> will never arrive) until it times out?
> 
> I didn't test *this* one (will do this weekend, and let you know). But
> they *do* mix the atomic fragment with fragments present in the fragment
> queue. That is, the attacker (knowing that you're relying on atomic
> fragments) can send lots of forged fragments to the victim system, such
> that when your legitimate fragments arrive at the victim they get mixed
> up with the malicious fragments, and hence they get discarded.
> 
> 
>> Also, you quoted RFC2640 "In response to an IPv6 packet that is sent
>> to an IPv4 destination (i.e., a packet that undergoes translation
>> from IPv6 to IPv4) …" I wonder if there is any negative implication
>> for IPv4/IPv6 translators if atomic fragments are forbidden as
>> proposed.
> 
> Dan Wing has noted that forbidding atomic fragments breaks RFC 6144. It
> would also break the DNS if atomic fragments are employed for it.
> 
> That's why draft-gont-6man-ipv6-atomic-fragments does *not* forbid
> atomic fragments, but rather improves their processing at the
> receiving node.
> 
> Essentially, what this proposal says is "If you receive an atomic fragment,
> don't 'merge it' with fragmented traffic, but just remove the
> Fragmentation Header and process the packet as if it was not fragmented".
> 
> Thanks!
> 
> Best regards,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
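
The receive-side rule quoted above ("don't 'merge it' with fragmented traffic, but just remove the Fragmentation Header and process the packet as if it was not fragmented"), as an added sketch that is not code from the draft or from any participant in this thread. The Receiver class, make_frag helper, addresses and identification values are assumptions constructed for illustration; reassembly timeouts and overlap handling are not modeled.

```python
import struct

def make_frag(next_header, offset, more, ident, payload):
    # 8-byte Fragment header: Next Header, Reserved, Offset(13)|Res(2)|M(1), Identification
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident) + payload

def parse_fragment_header(data):
    if len(data) < 8:
        raise ValueError("truncated Fragment header")
    next_header, _reserved, off_flags, ident = struct.unpack("!BBHI", data[:8])
    return next_header, off_flags >> 3, off_flags & 0x1, ident

class Receiver:
    def __init__(self):
        self.queues = {}     # (src, dst, ident) -> [(offset, more, next_header, payload)]
        self.delivered = []  # (src, dst, next_header, payload) handed to the upper layer

    def receive(self, src, dst, data):
        nh, offset, more, ident = parse_fragment_header(data)
        payload = data[8:]
        if offset == 0 and more == 0:
            # Atomic fragment: strip the header and deliver directly. The fragment
            # queue is neither consulted nor modified, whatever it already holds.
            self.delivered.append((src, dst, nh, payload))
            return "delivered"
        key = (src, dst, ident)
        self.queues.setdefault(key, []).append((offset, more, nh, payload))
        return self._try_reassemble(key)

    def _try_reassemble(self, key):
        frags = sorted(self.queues[key])
        expected, data = 0, b""
        for offset, more, nh, payload in frags:
            if offset * 8 != expected:   # offsets are in 8-octet units
                return "queued"          # gap: keep waiting for the missing piece
            data += payload
            expected += len(payload)
            if not more:                 # last fragment reached with no gaps
                del self.queues[key]
                self.delivered.append((key[0], key[1], frags[0][2], data))
                return "delivered"
        return "queued"

def demo():
    # Constructed traffic: a stray fragment is queued first, then an atomic
    # fragment with the same {src, dst, Identification} arrives.
    r = Receiver()
    src, dst = "2001:db8::1", "2001:db8::2"
    first = r.receive(src, dst, make_frag(17, 1, 1, 0x1234, b"X" * 8))
    second = r.receive(src, dst, make_frag(17, 0, 0, 0x1234, b"dns-reply"))
    return first, second, r
```
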
