* Improved handling of IPv6 atomic fragments (FO=0, MF=0)
@ 2012-01-30 10:24 Fernando Gont
  2012-01-30 10:47 ` Eric Dumazet
  0 siblings, 1 reply; 2+ messages in thread
From: Fernando Gont @ 2012-01-30 10:24 UTC (permalink / raw)
  To: security, netdev

Folks,

FYI. We have published an IETF I-D that proposes an improved handling of
IPv6 atomic fragments (IPv6 fragments that have an offset of 0, and MF=0).

The I-D is available here:
<http://tools.ietf.org/id/draft-gont-6man-ipv6-atomic-fragments-00.txt>

The aforementioned behaviour eliminates fragmentation-based attacks
against traffic that employs atomic fragments, and has already been
implemented by OpenBSD.

Thanks,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1


* Re: Improved handling of IPv6 atomic fragments (FO=0, MF=0)
  2012-01-30 10:24 Improved handling of IPv6 atomic fragments (FO=0, MF=0) Fernando Gont
@ 2012-01-30 10:47 ` Eric Dumazet
  0 siblings, 0 replies; 2+ messages in thread
From: Eric Dumazet @ 2012-01-30 10:47 UTC (permalink / raw)
  To: Fernando Gont; +Cc: security, netdev

On Monday, 30 January 2012 at 07:24 -0300, Fernando Gont wrote:
> Folks,
> 
> FYI. We have published an IETF I-D that proposes an improved handling of
> IPv6 atomic fragments (IPv6 fragments that have an offset of 0, and MF=0).
> 
> The I-D is available here:
> <http://tools.ietf.org/id/draft-gont-6man-ipv6-atomic-fragments-00.txt>
> 
> The aforementioned behaviour eliminates fragmentation-based attacks
> against traffic that employs atomic fragments, and has already been
> implemented by OpenBSD.
> 
> Thanks,

Unless I missed something, linux already does that.

ipv6_frag_rcv()

        if (!(fhdr->frag_off & htons(0xFFF9))) {
                /* It is not a fragmented frame */
                skb->transport_header += sizeof(struct frag_hdr);
                IP6_INC_STATS_BH(net,
                                 ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMOKS);

                IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
                return 1;
        }
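
The mask in the check quoted above, worked through as an added example (not part of the thread and not kernel code): 0xFFF9 covers the 13-bit fragment offset and the M flag but not the two reserved bits, so a Fragment header counts as atomic whenever FO=0 and MF=0. The function names, the enum and the sample values are hypothetical and constructed for illustration; the example goes beyond the atomic case and also classifies first, middle and last fragments.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fragment header layout per RFC 2460 section 4.5:
 * next header (1), reserved (1), frag_off (2), identification (4).
 * frag_off, network order: 13-bit offset | 2 reserved bits | M flag. */
#define FRAG_HDR_LEN   8
#define FRAG_OFF_BITS  0xFFF8u  /* fragment offset, in 8-octet units */
#define FRAG_MF_BIT    0x0001u  /* more fragments */
/* 0xFFF9 == FRAG_OFF_BITS | FRAG_MF_BIT: the mask in the quoted check */

enum frag_kind { FRAG_TRUNCATED, FRAG_ATOMIC, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST };

/* Classify a raw Fragment header (hypothetical helper, not a kernel function). */
enum frag_kind classify_fragment(const uint8_t *hdr, size_t len)
{
    uint16_t raw;
    if (len < FRAG_HDR_LEN)
        return FRAG_TRUNCATED;
    memcpy(&raw, hdr + 2, sizeof(raw));      /* avoid unaligned access */
    if (!(raw & htons(0xFFF9)))              /* FO=0 and MF=0: atomic */
        return FRAG_ATOMIC;

    uint16_t v = ntohs(raw);
    if ((v & FRAG_OFF_BITS) == 0)
        return FRAG_FIRST;                   /* FO=0, so MF must be 1 here */
    return (v & FRAG_MF_BIT) ? FRAG_MIDDLE : FRAG_LAST;
}

/* Build a constructed 8-byte header around a host-order frag_off value. */
enum frag_kind classify_frag_off(uint16_t frag_off)
{
    uint8_t hdr[FRAG_HDR_LEN] = { 6 /* next header: TCP */, 0 };
    uint16_t raw = htons(frag_off);
    memcpy(hdr + 2, &raw, sizeof(raw));
    return classify_fragment(hdr, sizeof(hdr));
}

int main(void)
{
    /* Constructed samples: atomic, atomic with reserved bits set, first, middle, last */
    const uint16_t samples[] = { 0x0000, 0x0006, 0x0001, 0x00B9, 0x0170 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("frag_off=0x%04x -> kind %d\n", (unsigned)samples[i], classify_frag_off(samples[i]));
    return 0;
}
```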
