Project

General

Profile

Actions

Bug #7819

closed

IPv6 Packet and MTU bug

Added by r a over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
networking
Start date:
2017-01-28
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:
External Bug:

Description

Is Openindiana/IllumOS vulnerable to the IPv6 Packet and MTU bug in relation to Atomic Fragment

An atomic fragment is designed into the IPv6 fragmentation mechanism. As RFC 6496 explains them: “when a host receives an ICMPv6 'Packet Too Big' message advertising a 'Next-Hop MTU' smaller than 1280 (the minimum IPv6 MTU), it is not required to reduce the assumed Path-MTU, but must simply include a Fragment Header in all subsequent packets sent to that destination. The resulting packets will thus not actually be fragmented into several pieces but will just include a Fragment Header with both the 'Fragment Offset' and the 'M' flag set to 0 (we refer to these packets as 'atomic fragments').”

From RFC 8021: “If an attacker sends a forged ICMPv6 PTB [packet too big] error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario.”


Files

after (10.9 KB) after After 7819 fix (no atomic fragments) Dan McDonald, 2017-02-10 08:01 PM
before (11 KB) before Before 7819 fix (atomic fragments) Dan McDonald, 2017-02-10 08:01 PM
Actions

Also available in: Atom PDF