Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

[Fernando Gont <fgont () si6networks com>]

On 01/12/2017 11:07 PM, Mark Andrews wrote:
> In message <CAG6TeAt9eodf-OihH0vow25GFC-P__P+NO9yKMycBsUQhOpYuA () mail gmail com>
> , Fernando Gont writes:
> > El 12/1/2017 16:28, "Mark Andrews" <marka () isc org> escribi=C3=B3:
> >
> > > In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 () si6networks com>, Fernando Gont writes:
> > > > Hi, Saku,
> > > >
> > > > On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > > > > On 12 January 2017 at 13:19, Fernando Gont <fgont () si6networks com>
> > > wrote:
> > > > > Hey,
> > > > >
> > > > > > I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> > > > > > and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> > > > > > welcome).
> > > > >
> > > > > Generally may be understood differently by different people. If
> > > > > generally is defined as single most typical behaviour/configuration,
> > > > > then generally people don't protect their infrastructure in any way at
> > > > > all, but fully rely vendor doing something reasonable.
> > > > >
> > > > > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > > > > allow what you must then have ultimate rule to deny everything. If you
> > > > > have such CoPP, then this attack won't work, as you clearly didn't
> > > > > allow any fragments at all (as you didn't expect to receive BGP
> > > > > fragments from your neighbours).
> > > >
> > > > That's the point: If you don't allow fragments, but your peer honors
> > > > ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
> > >
> > > And fragments are a *normal* part of IP for both IPv4 and IPv6.
> > > This obsession with dropping all fragments (and yes it is a obsession)
> > > is breaking the internet.
> >
> > Vendors got the frag reassembly code wrong so many times , that I
> > understand the folk that decides to drop them if deemed unnecessary.
>
> Most of them literally decades ago. 

Disagree. Microsoft "reinvented" ping-o-death in IPv6, there have been
several one-packet crashes disclosed for Cisco's (an the list continues).



> 20+ years ago while you waited
> for you vendor to fix the bug it made some sense as most of your
> boxes were vulnerable.  It was a new threat back then.  It doesn't
> make sense today.

Let's face it: The quality of many IPv6 implementations is that of IPv4
implementations in the '90s. Sad, but true.



> Packet bigger than 1500 are a part of todays internet.  Have a look
> a the stats for dropped fragments.  They aren't for the most part
> attack traffic.  Its legitmate reply traffic that has been requested.

I don't disagree with you wrt the need for fragmentation in some
scenarios. I'm just saying that when you only employ TCP-based services,
it may make sense to drop fragments targeted *at you*.

Fragmentation is only needed for non-TCP services. and if your system
does not use non-tcp services, it may be a sensible thing to drop
fragments targetted at you.


Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492