IPv6 Packet and MTU bug
Is Openindiana/IllumOS vulnerable to the IPv6 Packet and MTU bug in relation to Atomic Fragment
An atomic fragment is designed into the IPv6 fragmentation mechanism. As RFC 6496 explains them: “when a host receives an ICMPv6 'Packet Too Big' message advertising a 'Next-Hop MTU' smaller than 1280 (the minimum IPv6 MTU), it is not required to reduce the assumed Path-MTU, but must simply include a Fragment Header in all subsequent packets sent to that destination. The resulting packets will thus not actually be fragmented into several pieces but will just include a Fragment Header with both the 'Fragment Offset' and the 'M' flag set to 0 (we refer to these packets as 'atomic fragments').”
From RFC 8021: “If an attacker sends a forged ICMPv6 PTB [packet too big] error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario.”
Updated by Dan McDonald over 4 years ago
Yes, we do not follow the recommendation in RFC 8021 yet. See this part of icmp_inbound_too_big_v6():
It is possible, too, that by honoring the suggestion in 8021 we can eliminate the symbol DCEF_TOO_SMALL_PMTU and all code that processes it.
Updated by Dan McDonald about 4 years ago
I've eliminated atomic-fragments in response to PathMTU messages advertising less than 1280, and now ignore them. I'm attaching "before" and "after" packet sniffs.
Atomic fragments are still around for CGTP (Carrier-Grade Transport Protocol, a duplicate packet delivery. Look for "multi routing" in the source), but that needs to be explicitly enabled. Dealing with CGTP (including the possibility of removal) is a different issue.
Updated by Electric Monk about 4 years ago
commit 7199b8e79a66167b9224eed40ed9bd8effcc49a8 Author: Dan McDonald <firstname.lastname@example.org> Date: 2017-02-17T18:57:13.000Z 7819 IPv6 Packet and MTU bug Reviewed by: Robert Mustacchi <email@example.com> Reviewed by: Sebastien Roy <firstname.lastname@example.org> Approved by: Richard Lowe <email@example.com>