On Mon, 23 Sep 2013, Fernando Gont wrote:
> On 09/23/2013 12:57 AM, C. M. Heard wrote:
> >
> > There are two issues that Warren's comments brought to the fore:
> >
> > 1.) One of the reasons why operators block fragments is that if
> > fragments are allowed into one's network, it is relatively easy
> > for an attacker to make a DOS attack on end systems by sending
> > an incomplete series of fragments. This ties up resources until
> > the end system's reassembly timer expires.
>
> This is, I'd say, inaccurate.
>
> Unless you have a very sloppy IPv6 implementation (that does not enforce
> limits on the maximum number of queued fragments), an attacker will only
> be able to DoS communication instances (e.g. TCP connections) that
> employ fragmentation. Such fragmentation attacks won't have any effect
> on non-fragmented traffic.

In that I hear an echo of some of the pushback in the V6OPS WGLC of
draft-taylor-v6ops-fragdrop (see, e.g., comments from Havard Eidnes at
http://www.ietf.org/mail-archive/web/v6ops/current/msg17409.html)

> > It would also be helpful to get some indication on whether a
> > modified UDP or a new UDP-like protocol that supports transport
> > layer payload segmentation solves enough problems to be worth the
> > effort to specify, implement, and deploy. At the moment, the only
> > compelling use case seems to be DNS (and more particularly DNSSEC).
> > There is already a work-around in that case, namely TCP [ ... ]
>
> If you care about fragmentation-based attacks, you really don't want to
> use TCP. There are a bunch of attacks that can be (by far) more
> devastating than the fragmentation-based ones (see
> <http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>).

That is an important observation, for two reasons:

- it suggests that getting fragments to work or making a UDP-like
  protocol that has equivalent functionality is important for DNSSEC

- it suggests that looking askance at IPv6 fragmentation is not logical
  if one is not at least as concerned about TCP, which does NOT seem to
  be widely blocked

Thanks //cmh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
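The disagreement above is about what an incomplete-fragment flood actually costs a receiver: Heard says it ties up resources until the reassembly timer fires, Gont says that with a bound on queued fragments only fragmented flows suffer. The following toy reassembler, added here as an illustration and not code from either correspondent or from any IETF draft, models both mitigations (a reassembly timer, which RFC 2460 sets to 60 seconds, and a cap on the number of incomplete datagrams) so the two outcomes can be compared on constructed traffic. Packet fields, the `Reassembler` class, the `fragment` helper and the `simulate` driver are all assumptions of this example, simplified stand-ins for the IPv6 Fragment header rather than a real stack's data structures.

```python
# Added example (not from the thread): toy IPv6-style fragment reassembler that
# models a reassembly timer plus a cap on queued incomplete datagrams, then runs
# a constructed incomplete-fragment flood against it with and without the cap.
from collections import OrderedDict


class Reassembler:
    """Minimal reassembly state keyed by (source, identification); all fields are
    simplified stand-ins for the IPv6 Fragment header (assumption of this example)."""

    def __init__(self, max_queued=None, timeout=60.0):
        self.max_queued = max_queued   # None = unbounded (the "sloppy" implementation)
        self.timeout = timeout         # reassembly timer in seconds; RFC 2460 uses 60 s
        self.queues = OrderedDict()    # (src, ident) -> {"frags": {offset: (more, bytes)}, "first_seen": t}
        self.dropped_for_limit = 0
        self.expired = 0

    def expire(self, now):
        """Drop incomplete datagrams whose timer ran out. Queues are kept in
        insertion order and 'now' is assumed monotone, so the oldest is in front."""
        while self.queues:
            key, q = next(iter(self.queues.items()))
            if now - q["first_seen"] <= self.timeout:
                break
            del self.queues[key]
            self.expired += 1

    def receive(self, pkt, now):
        """Return the complete payload when a datagram finishes reassembly, else None."""
        self.expire(now)
        if not pkt.get("fragmented"):
            return pkt["payload"]      # unfragmented traffic never touches the queues
        key = (pkt["src"], pkt["ident"])
        q = self.queues.get(key)
        if q is None:
            if self.max_queued is not None and len(self.queues) >= self.max_queued:
                self.dropped_for_limit += 1   # refuse new state rather than grow unboundedly
                return None
            q = self.queues[key] = {"frags": {}, "first_seen": now}
        q["frags"][pkt["offset"]] = (pkt["more"], pkt["payload"])
        return self._try_complete(key, q)

    def _try_complete(self, key, q):
        """Complete only when offsets are contiguous from 0 and the final fragment has arrived."""
        expected, data = 0, []
        for off in sorted(q["frags"]):
            more, payload = q["frags"][off]
            if off != expected:
                return None            # hole in the datagram: keep waiting
            data.append(payload)
            expected += len(payload)
            if not more:
                del self.queues[key]   # done: release the state
                return b"".join(data)
        return None                    # last fragment not yet seen


def fragment(src, ident, payload, mtu):
    """Split a payload into fragments of 'mtu' bytes (constructed helper)."""
    pieces = [payload[i:i + mtu] for i in range(0, len(payload), mtu)]
    return [{"fragmented": True, "src": src, "ident": ident, "offset": i * mtu,
             "more": i < len(pieces) - 1, "payload": p} for i, p in enumerate(pieces)]


def simulate(max_queued, flood_size=10_000, timeout=60.0):
    """Flood of first-fragment-only datagrams from one source, then legitimate
    unfragmented and fragmented traffic, then the timer expiry. Returns what an
    observer would measure. All traffic is constructed for this example."""
    r = Reassembler(max_queued=max_queued, timeout=timeout)
    for i in range(flood_size):                       # fresh ident each time: never completes
        r.receive(fragment("flood-src", i, b"A" * 2000, 1000)[0], now=0.0)
    peak_queued = len(r.queues)
    unfrag = r.receive({"fragmented": False, "payload": b"small-answer"}, now=1.0)
    big = b"large-dnssec-answer" * 100
    frag_result = None
    for f in fragment("resolver", 7, big, 1000):      # two fragments, arriving in order
        frag_result = r.receive(f, now=1.0)
    r.expire(now=timeout + 1.0)                       # timer fires: flood state reclaimed
    return {"peak_queued": peak_queued,
            "unfragmented_ok": unfrag == b"small-answer",
            "fragmented_ok": frag_result == big,
            "queued_after_timeout": len(r.queues),
            "dropped_for_limit": r.dropped_for_limit}


if __name__ == "__main__":
    print("unbounded:", simulate(None))
    print("capped at 64:", simulate(64))
```

With no cap, the flood parks ten thousand half-built datagrams until the 60-second timer reclaims them, which is the resource exhaustion Heard describes; with the cap, state stays bounded and unfragmented traffic is untouched, but the legitimate fragmented answer is also refused while the queue is full, which is exactly the "only fragmented instances are affected" outcome Gont describes. Production stacks bound reassembly by memory rather than by a simple count, and some also rate-limit per source, but the trade-off the model exposes is the same.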
