Bug #7819

IPv6 Packet and MTU bug

Added by r a almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: networking
Start date: 2017-01-28
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

Is OpenIndiana/illumos vulnerable to the IPv6 Packet and MTU bug in relation to atomic fragments?

An atomic fragment is designed into the IPv6 fragmentation mechanism. As RFC 6496 explains them: “when a host receives an ICMPv6 'Packet Too Big' message advertising a 'Next-Hop MTU' smaller than 1280 (the minimum IPv6 MTU), it is not required to reduce the assumed Path-MTU, but must simply include a Fragment Header in all subsequent packets sent to that destination. The resulting packets will thus not actually be fragmented into several pieces but will just include a Fragment Header with both the 'Fragment Offset' and the 'M' flag set to 0 (we refer to these packets as 'atomic fragments').”

From RFC 8021: “If an attacker sends a forged ICMPv6 PTB [packet too big] error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario.”


Files

after (10.9 KB): After 7819 fix (no atomic fragments), Dan McDonald, 2017-02-10 08:01 PM
before (11 KB): Before 7819 fix (atomic fragments), Dan McDonald, 2017-02-10 08:01 PM
#1

Updated by Dan McDonald almost 4 years ago

Yes, we do not follow the recommendation in RFC 8021 yet. See this part of icmp_inbound_too_big_v6():

http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/inet/ip/ip6.c#717

It is possible, too, that by honoring the suggestion in 8021 we can eliminate the symbol DCEF_TOO_SMALL_PMTU and all code that processes it.

#2

Updated by Dan McDonald almost 4 years ago

Turns out DCEF_TOO_SMALL_PMTU has uses in IPv4, so we cannot eliminate the symbol, but we can eliminate its use from IPv6.

#3

Updated by Dan McDonald almost 4 years ago

If there's an exploit program, please post it.

#4

Updated by Dan McDonald almost 4 years ago

I've eliminated atomic-fragments in response to PathMTU messages advertising less than 1280, and now ignore them. I'm attaching "before" and "after" packet sniffs.

Atomic fragments are still around for CGTP (Carrier-Grade Transport Protocol, a duplicate packet delivery. Look for "multi routing" in the source), but that needs to be explicitly enabled. Dealing with CGTP (including the possibility of removal) is a different issue.
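
The behaviour described in comment #4, as an added example that is not illumos code and not part of this ticket: a sender-side check that ignores ICMPv6 Packet Too Big messages advertising less than 1280, plus a classifier for atomic fragments that can be applied to packets from a capture such as the "before" and "after" sniffs. The function names and sample bytes are constructed for illustration; ICMPv6 checksum and source validation are assumed to have happened earlier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_MIN_MTU 1280u /* minimum IPv6 MTU */
#define ICMP6_PTB    2     /* ICMPv6 type: Packet Too Big */
#define NH_FRAGMENT  44    /* Next Header value: Fragment header */

/* Constructed samples: ICMPv6 PTB headers (type, code, checksum, 32-bit MTU). */
static const uint8_t ptb_mtu_1000[8] = { 2, 0, 0, 0, 0, 0, 0x03, 0xe8 };
static const uint8_t ptb_mtu_1400[8] = { 2, 0, 0, 0, 0, 0, 0x05, 0x78 };
/* Constructed samples: 40-byte IPv6 header followed by a Fragment header. */
static const uint8_t atomic_pkt[48] = { 0x60, 0, 0, 0, 0, 8, NH_FRAGMENT, 64,
    [40] = 58, 0, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef }; /* offset 0, M=0 */
static const uint8_t first_frag_pkt[48] = { 0x60, 0, 0, 0, 0, 8, NH_FRAGMENT, 64,
    [40] = 58, 0, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef }; /* offset 0, M=1 */

/* Return the path MTU to use after receiving this ICMPv6 message.
 * Hypothetical helper: the cached value is returned unchanged when the
 * message is ignored. */
uint32_t pmtu_after_ptb(const uint8_t *icmp, size_t len, uint32_t cur_pmtu)
{
    if (icmp == NULL || len < 8 || icmp[0] != ICMP6_PTB)
        return cur_pmtu;              /* not a usable PTB */
    uint32_t mtu = ((uint32_t)icmp[4] << 24) | ((uint32_t)icmp[5] << 16) |
        ((uint32_t)icmp[6] << 8) | icmp[7];
    if (mtu < IPV6_MIN_MTU)
        return cur_pmtu;              /* ignore: never switch to atomic fragments */
    return mtu < cur_pmtu ? mtu : cur_pmtu; /* a PTB never raises the path MTU */
}

/* 1 if pkt has a Fragment header right after the fixed IPv6 header with
 * Fragment Offset 0 and M flag 0 (an atomic fragment), else 0. */
int is_atomic_fragment(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 48 || (pkt[0] >> 4) != 6 || pkt[6] != NH_FRAGMENT)
        return 0;
    uint16_t off_flags = (uint16_t)((pkt[42] << 8) | pkt[43]);
    return (off_flags & 0xfff8) == 0 && (off_flags & 0x0001) == 0;
}

int main(void)
{
    printf("PTB 1000 -> pmtu %u\n", (unsigned)pmtu_after_ptb(ptb_mtu_1000, 8, 1500));
    printf("PTB 1400 -> pmtu %u\n", (unsigned)pmtu_after_ptb(ptb_mtu_1400, 8, 1500));
    printf("atomic: %d, first fragment: %d\n",
        is_atomic_fragment(atomic_pkt, 48), is_atomic_fragment(first_frag_pkt, 48));
    return 0;
}
```
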

#5

Updated by Electric Monk almost 4 years ago

git commit 7199b8e79a66167b9224eed40ed9bd8effcc49a8

commit  7199b8e79a66167b9224eed40ed9bd8effcc49a8
Author: Dan McDonald <danmcd@omniti.com>
Date:   2017-02-17T18:57:13.000Z

    7819 IPv6 Packet and MTU bug
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Reviewed by: Sebastien Roy <sebastien.roy@delphix.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>

#6

Updated by Marcel Telka almost 4 years ago

  • Project changed from OpenIndiana Distribution to illumos gate
  • Category set to networking
  • Status changed from New to Closed
  • Assignee set to Dan McDonald
  • % Done changed from 0 to 100
