From: Fernando Gont <fgont@si6networks.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>,
	Hagen Paul Pfeifer <hagen@jauu.net>
Cc: netdev@vger.kernel.org
Subject: Re: [RFC PATCH net-next] ipv6: stop sending PTB packets for MTU < 1280
Date: Wed, 27 Aug 2014 17:33:10 -0300
Message-ID: <53FE4086.8040708@si6networks.com>
In-Reply-To: <1409006842.6274.69.camel@localhost>

On 08/25/2014 07:47 PM, Hannes Frederic Sowa wrote:
> Hi Hagen,
> 
> On Di, 2014-08-26 at 00:25 +0200, Hagen Paul Pfeifer wrote:
>> Reduce the attack vector and stop generating ICMPv6 Packet Too Big for
>> packets smaller than the minimal required IPv6 MTU.
>>
>> See
>> http://tools.ietf.org/html/draft-gont-6man-deprecate-atomfrag-generation-00
> 
> I wonder if we should wait until this gets RFC status?
> 
> I very much welcome this decision! I already raised this problem some
> time ago:
> http://lists.openwall.net/netdev/2013/12/31/17

FWIW, this issue you reported is related, but different from the one
I've described. The one I've described is based on sending ICMPv6
PTB<1280. RFC2460 states that when you receive an ICMPv6 PTB<1280 you
should add a Fragment Header to all packets sent to that destination
(i.e., produce the so called "IPv6 atomic fragments").

These "atomic fragments" have an offset=0, and MF=0 -- i.e., they are
not really fragmented.

Hence the trivial way to mitigate this attack is to drop incoming ICMPv6
PTB<1280 (or, at the very least, don't react to them by sending all
subsequent packets with a Fragment Header).

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
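The behaviour discussed in this message, written out as a small host-side decision routine. This is an added illustration, not code from the thread or from the Linux kernel: it parses the fixed header of an ICMPv6 Packet Too Big message (RFC 4443 layout) and applies either the RFC 2460 text (MTU below 1280 keeps the 1280-byte path MTU but marks the destination for "atomic fragments") or the mitigation Fernando describes (simply ignore a PTB advertising an MTU below 1280). The destination address, the 1500-byte default link MTU, the `pmtu_cache` dictionary and the sample message bytes are all constructed for the example; the ICMPv6 checksum is not verified because that needs the IPv6 pseudo-header, which is out of scope here.

```python
import struct

IPV6_MIN_MTU = 1280          # RFC 2460 minimum link MTU
ICMPV6_PACKET_TOO_BIG = 2    # ICMPv6 type (RFC 4443 section 3.2)
DEFAULT_LINK_MTU = 1500      # assumed outgoing link MTU (example value)


def parse_packet_too_big(icmp6: bytes) -> dict:
    """Parse the 8-byte ICMPv6 Packet Too Big header.

    Layout: type(1) code(1) checksum(2) MTU(4), followed by as much of the
    invoking packet as fits.  The checksum is carried through unverified.
    """
    if len(icmp6) < 8:
        raise ValueError("truncated ICMPv6 header")
    typ, code, csum, mtu = struct.unpack("!BBHI", icmp6[:8])
    if typ != ICMPV6_PACKET_TOO_BIG:
        raise ValueError(f"not a Packet Too Big message (type {typ})")
    return {"type": typ, "code": code, "checksum": csum,
            "mtu": mtu, "invoking": icmp6[8:]}


def handle_packet_too_big(icmp6: bytes, dest: str, pmtu_cache: dict,
                          legacy_rfc2460: bool = False):
    """Decide how a receiving host reacts to a PTB for `dest`.

    Returns (action, mtu):
      'ignore'       MTU < 1280 under the hardened policy: drop it, cache untouched
      'atomic-frag'  MTU < 1280 under the RFC 2460 text: path MTU stays 1280 but
                     every later packet to `dest` gets a Fragment Header
      'update'       plausible MTU lower than the cached one: cache lowered
      'no-change'    MTU not lower than what is cached: nothing to do
    """
    msg = parse_packet_too_big(icmp6)
    mtu = msg["mtu"]
    if mtu < IPV6_MIN_MTU:
        if legacy_rfc2460:
            pmtu_cache[dest] = IPV6_MIN_MTU
            return ("atomic-frag", IPV6_MIN_MTU)
        # Hardened behaviour: an off-path sender can forge this cheaply,
        # and honouring it only buys a useless Fragment Header.
        return ("ignore", mtu)
    current = pmtu_cache.get(dest, DEFAULT_LINK_MTU)
    if mtu < current:
        pmtu_cache[dest] = mtu
        return ("update", mtu)
    return ("no-change", current)


def build_ptb(mtu: int, invoking: bytes = b"") -> bytes:
    """Construct a PTB message for local testing (checksum left as zero)."""
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + invoking


# Constructed sample input: a destination address and a minimal IPv6 header
# stub standing in for the invoking packet.
SAMPLE_DEST = "2001:db8::1"
SAMPLE_INVOKING = b"\x60" + b"\x00" * 39


if __name__ == "__main__":
    cache = {}
    for mtu in (1000, 1400, 1450):
        print(mtu, handle_packet_too_big(build_ptb(mtu, SAMPLE_INVOKING),
                                         SAMPLE_DEST, cache))
    print("RFC 2460 text:",
          handle_packet_too_big(build_ptb(1000, SAMPLE_INVOKING), SAMPLE_DEST,
                                {}, legacy_rfc2460=True))
```

The two code paths for `mtu < 1280` are the whole difference between the two behaviours: the legacy branch records state that changes how every subsequent packet to that destination is built, while the hardened branch leaves the path MTU cache exactly as it was.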

Thread overview: 7+ messages
     [not found] <53F33C4F.2070807@si6networks.com>
2014-08-19 18:58 ` Deprecating the *generation* of IPv6 atomic fragments (Fwd: DoS attacks (ICMPv6-based) resulting from IPv6 EH drops) Fernando Gont
2014-08-25 22:25   ` [RFC PATCH net-next] ipv6: stop sending PTB packets for MTU < 1280 Hagen Paul Pfeifer
2014-08-25 22:47     ` Hannes Frederic Sowa
2014-08-26  8:06       ` Hagen Paul Pfeifer
2014-08-27 20:33       ` Fernando Gont [this message]
2014-08-27 20:57         ` Hagen Paul Pfeifer
2014-08-27 23:07         ` Hannes Frederic Sowa
