> -----Original Message-----
> From: Brian E Carpenter [mailto:[email protected]]
> Sent: Tuesday, January 03, 2012 12:24 PM
> To: Dan Wing
> Cc: 'Fernando Gont'; 'Fernando Gont'; [email protected]
> Subject: Re: Fragmentation-related security issues
>
> On 2012-01-04 08:02, Dan Wing wrote:
> > ...
> >>> and the current IPv6 specification also allows PTB < 1280,
> >>> http://tools.ietf.org/html/rfc2460#section-5 says:
> >>>
> >>> In response to an IPv6 packet that is sent to an IPv4 destination
> >>> (i.e., a packet that undergoes translation from IPv6 to IPv4), the
> >>> originating IPv6 node may receive an ICMP Packet Too Big message
> >>> reporting a Next-Hop MTU less than 1280. In that case, the IPv6 node
> >>> is not required to reduce the size of subsequent packets to less than
> >>> 1280, but must include a Fragment header in those packets so that the
> >>> IPv6-to-IPv4 translating router can obtain a suitable Identification
> >>> value to use in resulting IPv4 fragments. Note that this means the
> >>> payload may have to be reduced to 1232 octets (1280 minus 40 for the
> >>> IPv6 header and 8 for the Fragment header), and smaller still if
> >>> additional extension headers are used.
> >> Exactly. And my question was about whether the "atomic fragments" that
> >> were found in the wild were the result of translators, or of IPv6
> >> networks that "violate" the standard and do not support an MTU of >=
> >> 1280.
> >
> > Dunno.
> >
> > I am only trying to point out that IPv6 hosts need to handle receiving
> > ICMP packet-too-big of less than 1280, because we are going to see
> > more stateless IPv6/IPv4 translators. If IPv6 hosts don't handle
> > ICMP packet-too-big of less than 1280, those IPv4/IPv6 translators
> > won't work with sub-1280 MTU IPv4 paths.
> >
> > And Ran has pointed out other deployments where sub-1280 MTUs are
> > being used on IPv6. (An aside comment: I wonder if those networks
> > can use LFI (link fragmentation and interleaving), which allows
> > preserving the layer 3 MTU and should also provide the smaller
> > packets needed by the layer 1 or 2 network).
> >
> > So, I don't think we can just wish away packet-too-big < 1280.
>
> Sadly, that seems to be true unless we make a much more radical change,
> because of translators.

Or, we declare a new restriction that translators are not expected to
work if the IPv4 network has an MTU less than 1260 (1260=1280-20, because
IPv6 header is 20B bigger than IPv4 header).

I don't know if there is consensus for such a restriction. To date, both
RFC2765 and RFC6145 avoided such a restriction. However, if there are
widespread IPv6 host implementations or firewalls that erroneously filter
or ignore ICMP PTB < 1280, it may force IPv6/IPv4 translator deployments
to accept that restriction, and modify their IPv4 networks to have
MTU>=1260. Such IPv4 network modifications would add further pain to
IPv6 coexistence.

MTU research by Ben Stasiewicz and Matthew Luckie (WAND), published and
presented at RIPE and other conferences, shows a 2-3% failure rate to
various popular web sites. They did additional testing during World IPv6
Day, but I haven't dug into those results yet.

-d

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
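
The host-side rule quoted from RFC 2460 section 5 above, together with the 1260 = 1280 - 20 arithmetic from the reply, as an added Python example that is not part of the original thread or of any real stack's code. The names `parse_ptb`, `apply_ptb`, `translated_ptb_mtu` and the sample message are constructed for illustration; the sketch does not verify the ICMPv6 checksum or the invoking packet, and it models the translator as simply adding 20 to the IPv4 MTU.

```python
import struct

IPV6_MIN_MTU = 1280          # minimum IPv6 link MTU (RFC 2460)
IPV6_HDR, FRAG_HDR = 40, 8   # header sizes used in the quoted text
ICMPV6_PTB = 2               # ICMPv6 type 2: Packet Too Big

# Constructed sample: PTB reporting Next-Hop MTU 1000, followed by a
# zero-filled stand-in for the invoking packet (checksum left as 0).
SAMPLE_PTB = struct.pack("!BBHI", ICMPV6_PTB, 0, 0, 1000) + b"\x60" + bytes(39)


def parse_ptb(icmp: bytes) -> int:
    """Return the Next-Hop MTU field of an ICMPv6 Packet Too Big message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMPv6 message")
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PTB:
        raise ValueError("not a Packet Too Big message")
    return mtu


def apply_ptb(pmtu: int, reported: int, frag_hdr: bool = False):
    """Update hypothetical per-destination state: (pmtu, frag_hdr, max_payload)."""
    if reported < IPV6_MIN_MTU:
        # Sub-1280 PTB: do not go below 1280, but add a Fragment header
        # to every packet so a translator gets an Identification value.
        pmtu, frag_hdr = IPV6_MIN_MTU, True
    else:
        pmtu = min(pmtu, reported)   # a PTB never raises the path MTU
    overhead = IPV6_HDR + (FRAG_HDR if frag_hdr else 0)
    return pmtu, frag_hdr, pmtu - overhead


def translated_ptb_mtu(ipv4_mtu: int) -> int:
    """Simplified translator model: the IPv6 header is 20 bytes larger."""
    return ipv4_mtu + 20


if __name__ == "__main__":
    print(apply_ptb(1500, parse_ptb(SAMPLE_PTB)))        # sub-1280 PTB
    print(apply_ptb(1500, translated_ptb_mtu(1260)))     # IPv4 MTU at the threshold
    print(apply_ptb(1500, translated_ptb_mtu(1259)))     # just below it
```

A host or firewall that drops the sub-1280 message never reaches the first branch, which is the failure mode the reply is concerned about.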
