Hi, there are certainly many security issues in IPv6 related with fragmentation, but still not convinced if its use should be deprecated completely. We should not remove any feature that may cause security issues. We may need it some day. On the contrary, I believe that we should try to fix it.
I believe that some of the draft RFCs proposed by Fernando Gont are in the good direction (regarding the RA-Guard case, the generation of the fragment id values, etc), as well as the newly accepted RFC regarding the handling of atomic fragments. Apart from the above, what remains to be fixed, in my humble opinion, are the following: a. Tiny fragments (smaller than 1280 bytes) should not be accepted (unless they are atomic fragments or the last fragment of a datagram). b. RFC 5722 should be updated so as only the overlapping fragments to be dropped, not all the ones already received, or the ones that follow (as it is the recommendation now). This is already implemented by FreeBSD and seems to me the most proper way for handling overlapping fragments. We should also never forget that the rest of IPvt6Extension headers can result in datagrams much bigger than 1280 bytes, 1500 bytes, or even more. So, if you want to deprecate fragmentation in IPv6, you should also deprecate or at least change the extension headers usage in IPv6. Which actually means, redesign IPv6. Just my 0.02$ Antonios 2013/6/27 Brian E Carpenter <brian.e.carpen...@gmail.com> > Cutting to the chase, and assuming that the next version > will have more analysis and observational evidence, I'm thinking > something like the following: > > 3. Recommendation > > This memo deprecates IPv6 fragmentation and the IPv6 fragment header. > Application and transport layer protocols SHOULD support effective > PMTU discovery [RFC4821], since ICMP-based PMTU discovery [RFC1981] > is unreliable. Any application or transport layer protocol that > cannot support effective PMTU discovery MUST NOT in any circumstances > send IPv6 packets that exceed the IPv6 minimum MTU of 1280 bytes. > > IPv6 stacks and forwarding nodes SHOULD continue to support inbound > fragmented IPv6 packets as specified in [RFC2460]. However, this > requirement exceeds the capability of some types of forwarding node > such as firewalls and load balancers. Therefore implementers and > operators need to be aware that on many paths through the Internet, > IPv6 fragmentation will fail. Legacy applications and transport layer > protocols that do not conform to the previous paragraph can expect > connectivity failures as a result. > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
-------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------