IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58



Similar documents
Internet Engineering Task Force (IETF) Juniper Networks January 2014

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

Network layer: Overview. Network layer functions IP Routing and forwarding

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Chapter 9. IP Secure

Security of IPv6 and DNSSEC for penetration testers

Firewalls and Intrusion Detection

IP addressing and forwarding Network layer

Moonv6 Test Suite. IPv6 Firewall Network Level Interoperability Test Suite. Technical Document. Revision 1.0

Discovering Path MTU black holes on the Internet using RIPE Atlas

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

Introduction to the Junos Operating System

Internet Architecture and Philosophy

8.2 The Internet Protocol

Safeguards Against Denial of Service Attacks for IP Phones

Network Intrusion Detection Systems. Beyond packet filtering

EITF25 Internet Techniques and Applications L5: Wide Area Networks (WAN) Stefan Höst

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Network Layer IPv4. Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS. School of Computing, UNF

Access Control: Firewalls (1)

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

Linux Network Security

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Internet Ideal: Simple Network Model

IPv6 Security Assessment and Benchmarking Abstract Test Suite

How will the Migration from IPv4 to IPv6 Impact Voice and Visual Communication?

his document discusses implementation of dynamic mobile network routing (DMNR) in the EN-4000.

DoS Protection for UDP-Based Protocols

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

Chapter 8 Security Pt 2

Lecture Computer Networks

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

Moonv6 Test Suite. IPv6 Firewall Functionality and Interoperablility Test Suite. Technical Document. Revision 0.6

Firewalls CSCI 454/554

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

IPv6 Hardening Guide for Windows Servers

Barracuda Intrusion Detection and Prevention System

Firewall Design Considerations for IPv6

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

6LoWPAN Technical Overview

Internet Protocol Version 6 (IPv6)

About Firewall Protection

Cisco Configuring Commonly Used IP ACLs

IPv6 Associated Protocols

Security Assessment of Neighbor Discovery for IPv6

Network Working Group Request for Comments: Ericsson P. Savola CSC/Funet September IPv6 Transition/Coexistence Security Considerations

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Abstract. Introduction. Section I. What is Denial of Service Attack?

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

Vulnerabili3es and A7acks

Request for Comments: 1788 Category: Experimental April 1995

Denial Of Service. Types of attacks

Brocade NetIron Denial of Service Prevention

Network Configuration Example

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Cisco IOS Flexible NetFlow Technology

Ethernet. Ethernet. Network Devices

Adjusting IP MTU, TCP MSS, and PMTUD on Windows and Sun Systems

The Myth of Twelve More Bytes. Security on the Post- Scarcity Internet

Layer Four Traceroute (and related tools) A modern, flexible path-discovery solution with advanced features for network (reverse) engineers

Solution of Exercise Sheet 5

Firewalls Netasq. Security Management by NETASQ

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Computer Networks/DV2 Lab

CS 43: Computer Networks IP. Kevin Webb Swarthmore College November 5, 2013

Networking Basics and Network Security

Unverified Fields - A Problem with Firewalls & Firewall Technology Today

Practical Security Assessment of IPv6 Networks and Devices. Fernando Gont

Managing Latency in IPS Networks

Strategies to Protect Against Distributed Denial of Service (DD

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

Cisco Integrated Services Routers Performance Overview

FIREWALL AND NAT Lecture 7a

Limitations on Monitored Lines

FIREWALLS & CBAC. philip.heimer@hh.se

Technical Support Information Belkin internal use only

The SpeedTouch and Firewalling

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Junos OS. Denial-of-Service Attacks Feature Guide for Security Devices. Release 12.1X47-D10. Modified:

Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS)

Security with IPv6 Explored. U.S. IPv6 Summit Renée e Esposito Booz Allen Hamilton Richard Graveman RFG Security

IP Filter/Firewall Setup

SECURITY IN AN IPv6 WORLD MYTH & REALITY. SANOG XXIII Thimphu, Bhutan 14 January 2014 Chris Grundemann

RARP: Reverse Address Resolution Protocol

Firewalls. Pehr Söderman KTH-CSC

z/os V1R11 Communications Server system management and monitoring

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

1. Firewall Configuration

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

CS5008: Internet Computing

DDoS Attack Traceback

Transcription:

IPV6 FRAGMENTATION The Case For Deprecation Ron Bonica NANOG58

BACKGROUND 2 Copyright 2013 Juniper Networks, Inc. www.juniper.net

STATUS QUO In order to send a packet larger than the PMTU, an IPv6 node may fragment a packet at the source and have it reassembled at the destination In IPv6, only hosts can fragment In IPv4, both hosts and routers can fragment IPv6 Fragmentation has always been discouraged Reassembly is computationally expensive and inefficient Security concerns 3 Copyright 2013 Juniper Networks, Inc. www.juniper.net

SECURITY CONCERNS DoS attacks Attacker sends fragmented packets to victim Attack flow is optimized to consume resources on victim platform Attacker spoofs PTB message to victim s legitimate communication partners Causes legitimate communication partners to fragment packets that don t need to be fragmented Evasion of stateless firewall filters Stateless firewall selects packets based upon fields drawn from both the IP and TCP headers Attacker fragments packets so that IP header is in first fragment and TCP header is in second fragment All fragments evade selection by firewall draft-ietf-6man-oversized-header-chain 4 Copyright 2013 Juniper Networks, Inc. www.juniper.net

EXPOSING BUGS IN RARELY EXERCISED BRANCHES OF REASSEMBLY CODE Implementations occasionally deal badly with the following Fragment overlap Fragment overwrite Fragment overrun Too many fragments being reassembled simultaneously Too many packets that cannot be reassembled due to missing fragments The best implementations deal with these effectively But sometimes they don t Rarely exercised code on the OS should concern everyone 5 Copyright 2013 Juniper Networks, Inc. www.juniper.net

A (BAD) ALTERNATIVE TO IPV6 FRAGMENTATION All upper layers send packets smaller that 1280 bytes all of the time Works in the vast majority of cases Exception: In response to an IPv6 packet that is sent to an IPv4 destination, the originating IPv6 node may receive an ICMP Packet Too Big message reporting a Next-Hop MTU less than 1280 Hammer is way too big 6 Copyright 2013 Juniper Networks, Inc. www.juniper.net

A BETTER ALTERNATIVE IPV6 FRAGMENTATION An upper layer executes PMTUD [RFC 1981] or PLMTUD [RFC 4821] procedures Moves problems of fragmentation and reassembly from the IP layer to an upper layer There is no free lunch! Many TCP implementations support PMTUD and/or PLMTUD According to RFC 5405, a UDP-based application SHOULD NOT send UDP datagrams that result in IP packets exceeding the PMTU. The application should do one of the following: Use the path MTU information provided by the IP layer Implement PMTUD/PLMTUD itself Send only packets known not to exceed the PMTUD 7 Copyright 2013 Juniper Networks, Inc. www.juniper.net

THE BENEFIT OF PMTU/PLMTUD DISCOVERY Moves the problems of fragmentation and reassembly from the IP layer to an upper layer Either the transport or application layer Called a packetization layer Localizes risk Allows for layer specific optimizations Example: A particular packetization layer knows that it will never send a packet longer than 1280 bytes 8 Copyright 2013 Juniper Networks, Inc. www.juniper.net

OPERATIONAL REALITY 9 Copyright 2013 Juniper Networks, Inc. www.juniper.net

FRAGMENTED IPV6 TRAFFIC IS RARE Most popular TCP implementation perform PMTUD or PLMTUD procedures So, applications that ride over TCP rarely cause fragments to be sent Many UDP-based applications abide by the recommendations of RFC 5405 A few important UDP-based applications do not abide by the recommendations of RFC 5405 Example: DNSSEC can send large UDP packets. TCP alternative available 10 Copyright 2013 Juniper Networks, Inc. www.juniper.net

THE BITTER TRUTH Many operators discard fragmented IPv6 packets An NLnet Labs Study* reveals that IPv4 fragments were discarded along ~ 12% of observed paths IPv6 fragments were discarded along ~ 40% of observed paths So, if you are sending IPv4 and/or IPv6 fragments, they may not make it to their destination! * http://www.nlnetlabs.nl/downloads/publications/pmtu-blackholes-msc-thesis.pdf 11 Copyright 2013 Juniper Networks, Inc. www.juniper.net

RECOMMENDATION 12 Copyright 2013 Juniper Networks, Inc. www.juniper.net

A STANDARDS TRACK RFC (UPDATES RFC 2460) Deprecates the IPv6 Fragment Header Please, don t write any new applications that fragment packets Existing applications will continue to work As well or poorly as the do today States that operators MAY discard packets containing the IPv6 Fragment Header As, in fact, they already do 13 Copyright 2013 Juniper Networks, Inc. www.juniper.net

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information