rfc8021.txt   rfc8021-fgont_late-entry.txt 
Internet Engineering Task Force (IETF) F. Gont Internet Engineering Task Force (IETF) F. Gont
Request for Comments: 8021 SI6 Networks / UTN-FRH Request for Comments: 7943 SI6 Networks / UTN-FRH
Category: Informational W. Liu Category: Informational W. Liu
ISSN: 2070-1721 Huawei Technologies ISSN: 2070-1721 Huawei Technologies
T. Anderson T. Anderson
Redpill Linpro Redpill Linpro
November 2016 November 2016
Generation of IPv6 Atomic Fragments Considered Harmful Generation of IPv6 Atomic Fragments Considered Harmful
Abstract Abstract
skipping to change at page 1, line 36 skipping to change at page 1, line 36
This document is a product of the Internet Engineering Task Force This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has (IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841. Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata, Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8021. http://www.rfc-editor.org/info/rfc7943.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction ....................................................2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Security Implications of the Generation of IPv6 Atomic 2. Security Implications of the Generation of IPv6 Atomic
Fragments .......................................................3 Fragments . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Additional Considerations .......................................5 3. Additional Considerations . . . . . . . . . . . . . . . . . . 5
4. Conclusions .....................................................7 4. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations .........................................8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. References ......................................................8 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References ........................................8 6.1. Normative References . . . . . . . . . . . . . . . . . . 8
6.2. Informative References ......................................9 6.2. Informative References . . . . . . . . . . . . . . . . . 9
Acknowledgements ..................................................11 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses ................................................11 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
[RFC2460] specifies the IPv6 fragmentation mechanism, which allows [RFC2460] specifies the IPv6 fragmentation mechanism, which allows
IPv6 packets to be fragmented into smaller pieces such that they can IPv6 packets to be fragmented into smaller pieces such that they can
fit in the Path MTU to the intended destination(s). fit in the Path MTU to the intended destination(s).
A legacy IPv4/IPv6 translator implementing the Stateless IP/ICMP A legacy IPv4/IPv6 translator implementing the Stateless IP/ICMP
Translation Algorithm [RFC6145] may legitimately generate ICMPv6 Translation Algorithm [RFC6145] may legitimately generate ICMPv6
"Packet Too Big" (PTB) error messages [RFC4443] advertising a "Packet Too Big" (PTB) error messages [RFC4443] advertising an MTU
"Next-Hop MTU" smaller than 1280 (the minimum IPv6 MTU). Section 5 smaller than 1280 (the minimum IPv6 MTU). Section 5 of [RFC2460]
of [RFC2460] states that, upon receiving such an ICMPv6 error states that, upon receiving such an ICMPv6 error message, hosts are
message, hosts are not required to reduce the assumed Path MTU but not required to reduce the assumed Path MTU but must simply include a
must simply include a Fragment Header in all subsequent packets sent Fragment Header in all subsequent packets sent to that destination.
to that destination. The resulting packets will thus *not* be The resulting packets will thus *not* be actually fragmented into
actually fragmented into several pieces; rather, they will be several pieces; rather, they will be "atomic" fragments [RFC6946]
"atomic" fragments [RFC6946] (i.e., they will just include a Fragment (i.e., they will just include a Fragment Header with both the
Header with both the "Fragment Offset" and the "M" flag set to 0). "Fragment Offset" and the "M" flag set to 0). [RFC6946] requires
[RFC6946] requires that these atomic fragments be essentially that these atomic fragments be essentially processed by the
processed by the destination host as non-fragmented traffic (since destination host(s) as non-fragmented traffic (since there are not
there are not really any fragments to be reassembled). The goal of really any fragments to be reassembled). The goal of these atomic
these atomic fragments is simply to convey an appropriate fragments is simply to convey an appropriate Identification value to
Identification value to be employed by IPv6/IPv4 translators for the be employed by IPv6/IPv4 translators for the resulting IPv4
resulting IPv4 fragments. fragments.
While atomic fragments might seem rather benign, there are scenarios While atomic fragments might seem rather benign, there are scenarios
in which the generation of IPv6 atomic fragments can be leveraged for in which the generation of IPv6 atomic fragments can be leveraged for
performing a number of attacks against the corresponding IPv6 flows. performing a number of attacks against the corresponding IPv6 flows.
Since there are concrete security implications arising from the Since there are concrete security implications arising from the
generation of IPv6 atomic fragments and there is no real gain in generation of IPv6 atomic fragments and there is no real gain in
generating IPv6 atomic fragments (as opposed to, for example, having generating IPv6 atomic fragments (as opposed to, for example, having
IPv6/IPv4 translators generate a Fragment Identification value IPv6/IPv4 translators generate an IPv4 Identification value
themselves), we conclude that this functionality is undesirable. themselves), we conclude that this functionality is undesirable.
Section 2 briefly discusses the security implications of the Section 2 briefly discusses the security implications of the
generation of IPv6 atomic fragments and describes a specific Denial- generation of IPv6 atomic fragments and describes a specific Denial-
of-Service (DoS) attack vector that leverages the widespread of-Service (DoS) attack vector that leverages the widespread dropping
filtering of IPv6 fragments in the public Internet. Section 3 of IPv6 fragments in the public Internet. Section 3 provides
provides additional considerations regarding the usefulness of additional considerations regarding the usefulness of generating IPv6
generating IPv6 atomic fragments. atomic fragments.
2. Security Implications of the Generation of IPv6 Atomic Fragments 2. Security Implications of the Generation of IPv6 Atomic Fragments
The security implications of IP fragmentation have been discussed at The security implications of IP fragmentation have been discussed at
length in [RFC6274] and [RFC7739]. An attacker can leverage the length in [RFC6274] and [RFC7739]. An attacker can leverage the
generation of IPv6 atomic fragments to trigger the use of generation of IPv6 atomic fragments to trigger the use of
fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation in an arbitrary IPv6 flow (in scenarios in which actual
fragmentation of packets is not needed) and can subsequently perform fragmentation of packets is not needed) and can subsequently perform
any type of fragmentation-based attack against legacy IPv6 nodes that any type of fragmentation-based attack against legacy IPv6 nodes that
do not implement [RFC6946]. That is, employing fragmentation where do not implement [RFC6946]. That is, employing fragmentation where
not actually needed allows for fragmentation-based attack vectors to not actually needed allows for fragmentation-based attack vectors to
be employed, unnecessarily. be employed, unnecessarily.
We note that, unfortunately, even nodes that already implement We note that, unfortunately, even nodes that already implement
[RFC6946] can be subject to DoS attacks as a result of the generation [RFC6946] can be subject to DoS attacks as a result of the generation
of IPv6 atomic fragments. Let us assume that Host A is communicating of IPv6 atomic fragments. Let us assume that Client A is
with Server B and that, as a result of the widespread dropping of communicating with Server B and that, as a result of the widespread
IPv6 packets that contain extension headers (including fragmentation) dropping of IPv6 packets that contain extension headers (including
[RFC7872], some intermediate node filters fragments between Server B fragmentation) [RFC7872], some intermediate node filters fragments
and Host A. If an attacker sends a forged ICMPv6 PTB error message between Server B and Client A. If an attacker sends a forged ICMPv6
to Server B, reporting an MTU smaller than 1280, this will trigger PTB error message to Server B, reporting an MTU smaller than 1280,
the generation of IPv6 atomic fragments from that moment on (as this will trigger the generation of IPv6 atomic fragments from that
required by [RFC2460]). When Server B starts sending IPv6 atomic moment on (as required by [RFC2460]). When Server B starts sending
fragments (in response to the received ICMPv6 PTB error message), IPv6 atomic fragments (in response to the received ICMPv6 PTB error
these packets will be dropped, since we previously noted that IPv6 message), these packets will be dropped, since we previously noted
packets with extension headers were being dropped between Server B that IPv6 packets with extension headers were being dropped between
and Host A. Thus, this situation will result in a DoS scenario. Server B and Client A. Thus, this situation will result in a DoS
scenario.
Another possible scenario is that in which two BGP peers are Another possible scenario is that in which two BGP peers are
employing IPv6 transport and they implement Access Control Lists employing IPv6 transport and they implement Access Control Lists
(ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If
the aforementioned BGP peers drop IPv6 fragments but still honor the aforementioned BGP peers drop IPv6 fragments but still honor
received ICMPv6 PTB error messages, an attacker could easily attack received ICMPv6 PTB error messages, an attacker could easily attack
the peering session by simply sending an ICMPv6 PTB message with a the corresponding peering session by simply sending an ICMPv6 PTB
reported MTU smaller than 1280 bytes. Once the attack packet has message with a reported MTU smaller than 1280 bytes. Once the attack
been sent, the aforementioned routers will themselves be the ones packet has been sent, the aforementioned routers will themselves be
dropping their own traffic. the ones dropping their own traffic.
The aforementioned attack vector is exacerbated by the following The aforementioned attack vector is exacerbated by the following
factors: factors:
o The attacker does not need to forge the IPv6 Source Address of his o The attacker does not need to forge the IPv6 Source Address of his
attack packets. Hence, deployment of simple filters in the style attack packets. Hence, deployment of simple BCP38 filters does
of BCP 38 not help as a countermeasure. not help as a countermeasure.
o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6
payload need to be forged. While one could envision filtering payload need to be forged. While one could envision filtering
devices enforcing filters per BCP 38 on the ICMPv6 payload, the devices enforcing BCP38-style filters on the ICMPv6 payload, the
use of extension headers (by the attacker) could make this use of extension headers (by the attacker) could make this
difficult, if at all possible. difficult, if at all possible.
o Many implementations fail to perform validation checks on the o Many implementations fail to perform validation checks on the
received ICMPv6 error messages as recommended in Section 5.2 of received ICMPv6 error messages as recommended in Section 5.2 of
[RFC4443] and documented in [RFC5927]. It should be noted that in [RFC4443] and documented in [RFC5927]. It should be noted that in
some cases, such as when an ICMPv6 error message has (supposedly) some cases, such as when an ICMPv6 error message has (supposedly)
been elicited by a connectionless transport protocol (or some been elicited by a connectionless transport protocol (or some
other connectionless protocol being encapsulated in IPv6), it may other connectionless protocol being encapsulated in IPv6), it may
be virtually impossible to perform validation checks on the be virtually impossible to perform validation checks on the
skipping to change at page 5, line 5 skipping to change at page 4, line 44
TCP connections) with such a destination. TCP connections) with such a destination.
o As noted in Section 3, SIIT (the Stateless IP/ICMP Translation o As noted in Section 3, SIIT (the Stateless IP/ICMP Translation
Algorithm) [RFC6145], including derivative protocols such as Algorithm) [RFC6145], including derivative protocols such as
Stateful NAT64 (Network Address and Protocol Translation from IPv6 Stateful NAT64 (Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers) [RFC6146], was the only technology making Clients to IPv4 Servers) [RFC6146], was the only technology making
use of atomic fragments. Unfortunately, an IPv6 node cannot use of atomic fragments. Unfortunately, an IPv6 node cannot
easily limit its exposure to the aforementioned attack vector by easily limit its exposure to the aforementioned attack vector by
only generating IPv6 atomic fragments towards IPv4 destinations only generating IPv6 atomic fragments towards IPv4 destinations
behind a stateless translator. This is due to the fact that behind a stateless translator. This is due to the fact that
Section 3.3 of [RFC6052] encourages operators to use a Section 3.3 of [RFC6052] encourages operators to use a Network-
Network-Specific Prefix (NSP) that maps the IPv4 address space Specific Prefix (NSP) that maps the IPv4 address space into IPv6.
into IPv6. When an NSP is being used, IPv6 addresses representing When an NSP is being used, IPv6 addresses representing IPv4 nodes
IPv4 nodes (reached through a stateless translator) are (reached through a stateless translator) are indistinguishable
indistinguishable from native IPv6 addresses. from native IPv6 addresses.
3. Additional Considerations 3. Additional Considerations
Besides the security assessment provided in Section 2, it is Besides the security assessment provided in Section 2, it is
interesting to evaluate the pros and cons of having an IPv6-to-IPv4 interesting to evaluate the pros and cons of having an IPv6-to-IPv4
translating router rely on the generation of IPv6 atomic fragments. translating router rely on the generation of IPv6 atomic fragments.
Relying on the generation of IPv6 atomic fragments implies a Relying on the generation of IPv6 atomic fragments implies a reliance
reliance on: on:
1. ICMPv6 packets arriving from the translator to the IPv6 node 1. ICMPv6 packets arriving from the translator to the destination
IPv6 node
2. The ability of the nodes receiving ICMPv6 PTB messages reporting 2. The ability of the nodes receiving ICMPv6 PTB messages reporting
an MTU smaller than 1280 bytes to actually produce atomic an MTU smaller than 1280 bytes to actually produce atomic
fragments fragments
3. Support for IPv6 fragmentation on the IPv6 side of the translator 3. Support for IPv6 fragmentation on the IPv6 side of the translator
4. The ability of the translator implementation to access the 4. The ability of the translator implementation to access the
information conveyed by the IPv6 Fragment Header information conveyed by the IPv6 Fragment Header
5. The value extracted from the low-order 16 bits of the IPv6 5. The value extracted from the low-order 16 bits of the IPv6
fragment Identification resulting in an appropriate IPv4 fragment Identification resulting in an appropriate IPv4
Identification value Identification value
Unfortunately, Unfortunately,
1. There exists a fair share of evidence of ICMPv6 PTB messages being 1. There exists a fair share of evidence of ICMPv6 PTB error
dropped on the public Internet (for instance, that is one of the messages being dropped on the public Internet (for instance, that
reasons for which Packetization Layer Path MTU Discovery (PLPMTUD) is one of the reasons for which Packetization Layer Path MTU
[RFC4821] was produced). Therefore, relying on such messages Discovery (PLPMTUD) [RFC4821] was produced). Therefore, relying
being successfully delivered will affect the robustness of the on such messages being successfully delivered will affect the
protocol that relies on them. robustness of the protocol that relies on them.
2. A number of IPv6 implementations have been known to fail to 2. A number of IPv6 implementations have been known to fail to
generate IPv6 atomic fragments in response to ICMPv6 PTB messages generate IPv6 atomic fragments in response to ICMPv6 PTB messages
reporting an MTU smaller than 1280 bytes. Additionally, the reporting an MTU smaller than 1280 bytes. Additionally, the
results included in Section 6 of [RFC6145] note that 57% of the results included in Section 6 of [RFC6145] note that 57% of the
tested web servers failed to produce IPv6 atomic fragments in tested web servers failed to produce IPv6 atomic fragments in
response to ICMPv6 PTB messages reporting an MTU smaller than response to ICMPv6 PTB messages reporting an MTU smaller than
1280 bytes. Thus, any protocol relying on IPv6 atomic fragment 1280 bytes. Thus, any protocol relying on IPv6 atomic fragment
generation for proper functioning will have interoperability generation for proper functioning will have interoperability
problems with the aforementioned IPv6 stacks. problems with the aforementioned IPv6 stacks.
3. IPv6 atomic fragment generation represents a case in which 3. IPv6 atomic fragment generation represents a case in which
fragmented traffic is produced where otherwise it would not be fragmented traffic is produced where otherwise it would not be
needed. Since there is widespread filtering of IPv6 fragments in needed. Since there is widespread dropping of IPv6 fragments in
the public Internet [RFC7872], this would mean that the the public Internet [RFC7872], this would mean that the
(unnecessary) use of IPv6 fragmentation might result, (unnecessary) use of IPv6 fragmentation might result,
unnecessarily, in a DoS situation even in legitimate cases. unnecessarily, in a DoS situation even in legitimate cases.
4. The packet-handling API at the node where the translator is 4. The packet-handling API at the node where the translator is
running may obscure fragmentation-related information. In such running may obscure fragmentation-related information. In such
scenarios, the information conveyed by the Fragment Header may be scenarios, the information conveyed by the Fragment Header may be
unavailable to the translator. [JOOL] discusses a sample unavailable to the translator. [JOOL] discusses a sample
framework (Linux Netfilter) that hinders access to the information framework (Linux Netfilter) that hinders access to the
conveyed in IPv6 atomic fragments. information conveyed in IPv6 fragments.
5. While [RFC2460] requires that the IPv6 fragment Identification of 5. While [RFC2460] requires that the IPv6 fragment Identification of
a fragmented packet be different than that of any other fragmented a fragmented packet be different than that of any other
packet sent recently with the same Source Address and Destination fragmented packet sent recently with the same Source Address and
Address, there is no requirement on the low-order 16 bits of such Destination Address, there is no requirement on the low-order 16
a value. Thus, there is no guarantee that IPv4 fragment bits of such a value. Thus, there is no guarantee that IPv4
identification collisions will be avoided or reduced by employing Identification collisions will be avoided or reduced by employing
the low-order 16 bits of the IPv6 fragment Identification of a the low-order 16 bits of the IPv6 fragment Identification of a
packet sent by a source host. Besides, collisions might occur packet sent by a source host. Besides, collisions might occur
where two distinct IPv6 Destination Addresses are translated into where two distinct IPv6 Destination Addresses are translated into
the same IPv4 address, such that Identification values that might the same IPv4 address, such that Identification values that might
have been generated to be unique in the context of IPv6 end up have been generated to be unique in the context of IPv6 end up
colliding when used in the context of translated IPv4. colliding when used in the context of translated IPv4.
We note that SIIT essentially employs the Fragment Header of IPv6 We note that SIIT essentially employs the Fragment Header of IPv6
atomic fragments to signal the translator how to set the atomic fragments to signal the translator how to set the Don't
Don't Fragment (DF) bit of IPv4 datagrams (the DF bit is cleared when Fragment (DF) bit of IPv4 datagrams (the DF bit is cleared when the
the IPv6 packet contains a Fragment Header and is otherwise set to 1 IPv6 packet contains a Fragment Header and is otherwise set to 1 when
when the IPv6 packet does not contain an IPv6 Fragment Header). the IPv6 packet does not contain an IPv6 Fragment Header).
Additionally, the translator will employ the low-order 16 bits of the Additionally, the translator will employ the low-order 16 bits of the
IPv6 Fragment Identification for setting the IPv4 Fragment IPv6 fragment Identification for setting the IPv4 Identification. At
Identification. At least in theory, this is expected to reduce the least in theory, this is expected to reduce the IPv4 Identification
IPv4 Identification collision rate in the following specific collision rate in the following specific scenario:
scenario:
1. An IPv6 node communicates with an IPv4 node (through SIIT). 1. An IPv6 node communicates with an IPv4 node (through SIIT).
2. The IPv4 node is located behind an IPv4 link with an MTU smaller 2. The IPv4 node is located behind an IPv4 link with an MTU smaller
than 1260 bytes. An IPv4 Path MTU of 1260 corresponds to an IPv6 than 1260 bytes. An IPv4 Path MTU of 1260 corresponds to an IPv6
Path MTU of 1280, due to an optionless IPv4 header being 20 bytes Path MTU of 1280, due to an optionless IPv4 header being 20 bytes
shorter than the IPv6 header. shorter than the IPv6 header.
3. ECMP routing [RFC2992] with more than one translator is employed 3. ECMP routing [RFC2992] with more than one translator is employed,
(for example) for redundancy purposes. for example, for redundancy purposes.
In such a scenario, if each translator were to select the IPv4 In such a scenario, if each translator were to select the IPv4
Identification on its own (rather than selecting the IPv4 Identification on its own (rather than selecting the IPv4
Identification from the low-order 16 bits of the Fragment Identification from the low-order 16 bits of the fragment
Identification of IPv6 atomic fragments), this could possibly lead to Identification of IPv6 atomic fragments), this could possibly lead to
IPv4 Identification collisions. However, as noted above, the value IPv4 Identification collisions. However, as noted above, the value
extracted from the low-order 16 bits of the IPv6 fragment extracted from the low-order 16 bits of the IPv6 fragment
Identification might not result in an appropriate IPv4 Identification might not result in an appropriate IPv4
Identification: for example, a number of implementations set the IPv6 Identification: for example, a number of implementations set the IPv6
Fragment Identification according to the output of a Pseudorandom fragment Identification according to the output of a Pseudorandom
Number Generator (PRNG) (see Appendix B of [RFC7739]); hence, if the Number Generator (PRNG) (see Appendix B of [RFC7739]); hence, if the
translator only employs the low-order 16 bits of such a value, it is translator only employs the low-order 16 bits of such a value, it is
very unlikely that relying on the Fragment Identification of the IPv6 very unlikely that relying on the fragment Identification of the IPv6
atomic fragment will result in a reduced IPv4 Identification atomic fragment will result in a reduced IPv4 Identification
collision rate (when compared to the case where the translator collision rate (when compared to the case where the translator
selects each IPv4 Identification on its own). Besides, because of selects each IPv4 Identification on its own). Besides, because of
the limited size of the IPv4 Identification field, it is nevertheless the limited size of the IPv4 Identification field, it is nevertheless
virtually impossible to guarantee uniqueness of the virtually impossible to guarantee uniqueness of the IPv4
IPv4 Identification values without artificially limiting the data Identification values without artificially limiting the data rate of
rate of fragmented traffic [RFC6864] [RFC4963]. fragmented traffic [RFC6864] [RFC4963].
[RFC6145] was the only "consumer" of IPv6 atomic fragments, and it [RFC6145] was the only "consumer" of IPv6 atomic fragments, and it
correctly and diligently noted (in its Section 6) the possible correctly and diligently noted (in its Section 6) the possible
interoperability problems of relying on IPv6 atomic fragments, interoperability problems of relying on IPv6 atomic fragments,
proposing a workaround that led to more robust behavior and proposing a workaround that led to more robust behavior and
simplified code. [RFC6145] has been obsoleted by [RFC7915], such simplified code. [RFC6145] has been obsoleted by [RFC7915], such
that SIIT does not rely on IPv6 atomic fragments. that SIIT does not rely on IPv6 atomic fragments.
4. Conclusions 4. Conclusions
Taking all of the above considerations into account, we recommend Taking all of the above considerations into account, we recommend
that IPv6 atomic fragments be deprecated. that IPv6 atomic fragments be deprecated.
In particular: In particular:
o IPv4/IPv6 translators should be updated to not generate ICMPv6 PTB o IPv4/IPv6 translators should be updated to not generate ICMPv6 PTB
errors containing a Path MTU value smaller than the minimum IPv6 error messages containing an MTU value smaller than the minimum
MTU of 1280 bytes. This will ensure that current IPv6 nodes will IPv6 MTU of 1280 bytes. This will ensure that current IPv6 nodes
never have a legitimate need to start generating IPv6 atomic will never have a legitimate need to start generating IPv6 atomic
fragments. fragments.
o The recommendation in the previous bullet ensures that there are o The recommendation in the previous bullet ensures that there are
no longer any valid reasons for ICMPv6 PTB errors containing a no longer any valid reasons for ICMPv6 PTB error messages
Path MTU value smaller than the minimum IPv6 MTU to exist. IPv6 reporting an MTU value smaller than the minimum IPv6 MTU (1280
nodes should therefore be updated to ignore them as invalid. bytes). IPv6 nodes should therefore be updated to ignore ICMPv6
PTB error messages reporting an MTU smaller than 1280 bytes as
invalid.
We note that these recommendations have been incorporated in We note that these recommendations have been incorporated in
[IPv6-PMTUD], [IPv6-Spec], and [RFC7915]. [IPv6-PMTUD], [IPv6-Spec], and [RFC7915].
5. Security Considerations 5. Security Considerations
This document briefly discusses the security implications of the This document briefly discusses the security implications of the
generation of IPv6 atomic fragments and describes one specific DoS generation of IPv6 atomic fragments and describes one specific DoS
attack vector that leverages the widespread filtering of IPv6 attack vector that leverages the widespread dropping of IPv6
fragments in the public Internet. It concludes that the generation fragments in the public Internet. It concludes that the generation
of IPv6 atomic fragments is an undesirable feature and documents the of IPv6 atomic fragments is an undesirable feature and documents the
motivation for removing this functionality from [IPv6-Spec]. motivation for removing this functionality from [IPv6-Spec].
6. References 6. References
6.1. Normative References 6.1. Normative References
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
skipping to change at page 9, line 50 skipping to change at page 9, line 50
February 2016, <http://www.rfc-editor.org/info/rfc7739>. February 2016, <http://www.rfc-editor.org/info/rfc7739>.
[RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu,
"Observations on the Dropping of Packets with IPv6 "Observations on the Dropping of Packets with IPv6
Extension Headers in the Real World", RFC 7872, Extension Headers in the Real World", RFC 7872,
DOI 10.17487/RFC7872, June 2016, DOI 10.17487/RFC7872, June 2016,
<http://www.rfc-editor.org/info/rfc7872>. <http://www.rfc-editor.org/info/rfc7872>.
[IPv6-Spec] [IPv6-Spec]
Deering, S. and R. Hinden, "Internet Protocol, Version 6 Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", Work in Progress, (IPv6) Specification", Work in Progress, draft-ietf-6man-
draft-ietf-6man-rfc2460bis-07, October 2016. rfc2460bis-07, October 2016.
[IPv6-PMTUD] [IPv6-PMTUD]
McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., McCann, J., Deering, S., Mogul, J., and R. Hinden, "Path
"Path MTU Discovery for IP version 6", Work in Progress, MTU Discovery for IP version 6", Work in Progress, draft-
draft-ietf-6man-rfc1981bis-03, October 2016. ietf-6man-rfc1981bis-03, October 2016.
[Morbitzer]
Morbitzer, M., "TCP Idle Scans in IPv6", Master's Thesis.
Thesis number: 670. Department of Computing Science,
Radboud University Nijmegen. August 2013,
<http://www.ru.nl/publish/pages/769526/
m_morbitzer_masterthesis.pdf>.
[JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6", [JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6",
April 2015, <https://github.com/NICMx/Jool/wiki/ April 2015, <https://github.com/NICMx/Jool/wiki/
nf_defrag_ipv4-and-nf_defrag_ipv6#implementation-gotchas>. nf_defrag_ipv4-and-nf_defrag_ipv6#implementation-gotchas>.
Acknowledgements Acknowledgements
The authors would like to thank (in alphabetical order) Congxiao Bao, The authors would like to thank (in alphabetical order) Congxiao Bao,
Bob Briscoe, Carlos Jesus Bernardos Cano, Brian Carpenter, Carlos Jesus Bernardos Cano, Bob Briscoe, Brian Carpenter, Tatuya
Bob Hinden, Tatuya Jinmei, Alberto Leiva, Ted Lemon, Xing Li, Jinmei, Bob Hinden, Alberto Leiva, Ted Lemon, Xing Li, Jeroen Massar,
Jeroen Massar, Erik Nordmark, Qiong Sun, Joe Touch, Ole Troan, Erik Nordmark, Joe Touch, Qiong Sun, Ole Troan, Tina Tsou, and Bernie
Tina Tsou, and Bernie Volz for providing valuable comments on earlier Volz, for providing valuable comments on earlier versions of this
draft versions of this document. document.
Fernando Gont would like to thank Jan Zorz / Go6 Lab Fernando Gont would like to thank Jan Zorz / Go6 Lab
<http://go6lab.si/> and Jared Mauch / NTT America for providing <http://go6lab.si/>, and Jared Mauch / NTT America, for providing
access to systems and networks that were employed to produce some of access to systems and networks that were employed to produce some of
the tests that resulted in the publication of this document. the tests that resulted in the publication of this document.
Additionally, he would like to thank SixXS <https://www.sixxs.net> Additionally, he would like to thank Ivan Arce and Diego Armando
for providing IPv6 connectivity. Maradona for their inspiration.
Authors' Addresses Authors' Addresses
Fernando Gont Fernando Gont
SI6 Networks / UTN-FRH SI6 Networks / UTN-FRH
Evaristo Carriego 2644 Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706 Haedo, Provincia de Buenos Aires 1706
Argentina Argentina
Phone: +54 11 4650 8472 Phone: +54 11 4650 8472
Email: fgont@si6networks.com Email: fgont@si6networks.com
URI: http://www.si6networks.com URI: http://www.si6networks.com
Will(Shucheng) Liu
Will (Shucheng) Liu
Huawei Technologies Huawei Technologies
Bantian, Longgang District Bantian, Longgang District
Shenzhen 518129 Shenzhen 518129
China P.R. China
Email: liushucheng@huawei.com Email: liushucheng@huawei.com
Tore Anderson Tore Anderson
Redpill Linpro Redpill Linpro
Vitaminveien 1A Vitaminveien 1A
Oslo 0485 Oslo 0485
Norway Norway
Phone: +47 959 31 212 Phone: +47 959 31 212
 End of changes. 43 change blocks. 
154 lines changed or deleted 162 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/