Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

[Mark Andrews <marka () isc org>]

In message <CAG6TeAt9eodf-OihH0vow25GFC-P__P+NO9yKMycBsUQhOpYuA () mail gmail com>
, Fernando Gont writes:
> El 12/1/2017 16:28, "Mark Andrews" <marka () isc org> escribi=C3=B3:
>
> > In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 () si6networks com>, Fernando Gont writes:
> > > Hi, Saku,
> > >
> > > On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > > > On 12 January 2017 at 13:19, Fernando Gont <fgont () si6networks com>
> > wrote:
> > > > Hey,
> > > >
> > > > > I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> > > > > and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> > > > > welcome).
> > > >
> > > > Generally may be understood differently by different people. If
> > > > generally is defined as single most typical behaviour/configuration,
> > > > then generally people don't protect their infrastructure in any way at
> > > > all, but fully rely vendor doing something reasonable.
> > > >
> > > > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > > > allow what you must then have ultimate rule to deny everything. If you
> > > > have such CoPP, then this attack won't work, as you clearly didn't
> > > > allow any fragments at all (as you didn't expect to receive BGP
> > > > fragments from your neighbours).
> > >
> > > That's the point: If you don't allow fragments, but your peer honors
> > > ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
> >
> > And fragments are a *normal* part of IP for both IPv4 and IPv6.
> > This obsession with dropping all fragments (and yes it is a obsession)
> > is breaking the internet.
>
> Vendors got the frag reassembly code wrong so many times , that I
> understand the folk that decides to drop them if deemed unnecessary.

Most of them literally decades ago.  20+ years ago while you waited
for you vendor to fix the bug it made some sense as most of your
boxes were vulnerable.  It was a new threat back then.  It doesn't
make sense today.

Packet bigger than 1500 are a part of todays internet.  Have a look
a the stats for dropped fragments.  They aren't for the most part
attack traffic.  Its legitmate reply traffic that has been requested.

> > Even if you don't want to allow all fragments through you can allow
> > fragments between the two endpoints of a "active" connection.
>
> > At times folks want to get rid of fragments directed to them, rather than
> > those going *through* them.
> >
> >
> > You
> > can apply port filters to the offset 0 fragments.  If that fragment
> > doesn't have enough headers to be able to filter then drop it.  If
> > your firewall is incapable of doing this then find a better firewall
> > as the current one is a piece of garbage and should be in the recycle
> > bin.
>
> > Which DoS is the bigger issue?  Firewalls dropping fragments or
> > reassembly buffers being exhausted?
>
>
> > If there is no way for an attacker to trigger the use of fragmentation, and
> > you don't need fragments (e.g. only tcp-based services), from a security
> > pov you're certainly better off dropping frags  that are thrown at you. Not
> > that I like it, but....
>
> Thanks,
> Fernando
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org