Internet Engineering Task Force (IETF) F. Gont Request for Comments: 8021 SI6 Networks / UTN-FRH Category: Informational W. Liu ISSN: 2070-1721 Huawei Technologies T. Anderson Redpill Linpro January 2017
Internet Engineering Task Force (IETF) F. Gont Request for Comments: 8021 SI6 Networks / UTN-FRH Category: Informational W. Liu ISSN: 2070-1721 Huawei Technologies T. Anderson Redpill Linpro January 2017
Generation of IPv6 Atomic Fragments Considered Harmful
生成被认为有害的IPv6原子片段
Abstract
摘要
This document discusses the security implications of the generation of IPv6 atomic fragments and a number of interoperability issues associated with IPv6 atomic fragments. It concludes that the aforementioned functionality is undesirable and thus documents the motivation for removing this functionality from an upcoming revision of the core IPv6 protocol specification (RFC 2460).
本文档讨论了生成IPv6原子片段的安全含义以及与IPv6原子片段相关的一些互操作性问题。它得出结论,上述功能是不可取的,因此记录了从即将发布的核心IPv6协议规范(RFC 2460)版本中删除此功能的动机。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8021.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc8021.
Copyright Notice
版权公告
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2 2. Security Implications of the Generation of IPv6 Atomic Fragments .......................................................3 3. Additional Considerations .......................................5 4. Conclusions .....................................................8 5. Security Considerations .........................................8 6. References ......................................................9 6.1. Normative References .......................................9 6.2. Informative References ....................................10 Acknowledgements ..................................................12 Authors' Addresses ................................................12
1. Introduction ....................................................2 2. Security Implications of the Generation of IPv6 Atomic Fragments .......................................................3 3. Additional Considerations .......................................5 4. Conclusions .....................................................8 5. Security Considerations .........................................8 6. References ......................................................9 6.1. Normative References .......................................9 6.2. Informative References ....................................10 Acknowledgements ..................................................12 Authors' Addresses ................................................12
[RFC2460] specifies the IPv6 fragmentation mechanism, which allows IPv6 packets to be fragmented into smaller pieces such that they can fit in the Path MTU to the intended destination(s).
[RFC2460]指定IPv6分段机制,该机制允许将IPv6数据包分段为更小的数据块,以便它们能够适合MTU到预期目的地的路径。
A legacy IPv4/IPv6 translator implementing the Stateless IP/ICMP Translation Algorithm [RFC6145] may legitimately generate ICMPv6 "Packet Too Big" (PTB) error messages [RFC4443] advertising an MTU smaller than 1280 (the minimum IPv6 MTU). Section 5 of [RFC2460] states that, upon receiving such an ICMPv6 error message, hosts are not required to reduce the assumed Path MTU but must simply include a Fragment Header in all subsequent packets sent to that destination. The resulting packets will thus *not* be actually fragmented into several pieces; rather, they will be "atomic" fragments [RFC6946] (i.e., they will just include a Fragment Header with both the "Fragment Offset" and the "M" flag set to 0). [RFC6946] requires that these atomic fragments be essentially processed by the destination host(s) as non-fragmented traffic (since there are not
实现无状态IP/ICMP转换算法[RFC6145]的旧式IPv4/IPv6转换器可以合法地生成ICMPv6“数据包太大”(PTB)错误消息[RFC4443],通知小于1280(最小IPv6 MTU)的MTU。[RFC2460]的第5节指出,在接收到这样的ICMPv6错误消息时,主机不需要减少假定的路径MTU,但必须在发送到该目的地的所有后续数据包中包含一个片段头。因此,产生的数据包将*不是*实际上被分割成几个片段;相反,它们将是“原子”片段[RFC6946](即,它们将只包括一个片段头,其中“片段偏移量”和“M”标志都设置为0)。[RFC6946]要求这些原子片段基本上由目标主机作为非片段通信进行处理(因为没有
really any fragments to be reassembled). The goal of these atomic fragments is simply to convey an appropriate Identification value to be employed by IPv6/IPv4 translators for the resulting IPv4 fragments.
真的有任何碎片需要重新组装)。这些原子片段的目标只是传递一个适当的标识值,供IPv6/IPv4转换器用于生成的IPv4片段。
While atomic fragments might seem rather benign, there are scenarios in which the generation of IPv6 atomic fragments can be leveraged for performing a number of attacks against the corresponding IPv6 flows. Since there are concrete security implications arising from the generation of IPv6 atomic fragments and there is no real gain in generating IPv6 atomic fragments (as opposed to, for example, having IPv6/IPv4 translators generate an IPv4 Identification value themselves), we conclude that this functionality is undesirable.
虽然原子片段可能看起来相当温和,但在某些情况下,可以利用IPv6原子片段的生成对相应的IPv6流执行一些攻击。由于IPv6原子片段的生成会产生具体的安全影响,并且在生成IPv6原子片段时没有实际的收益(例如,与IPv6/IPv4转换器本身生成IPv4标识值相反),因此我们得出结论,此功能是不可取的。
Section 2 briefly discusses the security implications of the generation of IPv6 atomic fragments and describes a specific Denial-of-Service (DoS) attack vector that leverages the widespread dropping of IPv6 fragments in the public Internet. Section 3 provides additional considerations regarding the usefulness of generating IPv6 atomic fragments.
第2节简要讨论了IPv6原子碎片的产生的安全含义,并描述了一种特定的拒绝服务攻击向量,它利用了公共互联网中IPv6碎片的广泛下降。第3节提供了有关生成IPv6原子片段的有用性的其他注意事项。
The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946]. That is, employing fragmentation where not actually needed allows for fragmentation-based attack vectors to be employed, unnecessarily.
[RFC6274]和[RFC7739]中详细讨论了IP分段的安全含义。攻击者可以利用IPv6原子片段的生成触发在任意IPv6流中使用碎片(在不需要实际数据包碎片的情况下),并随后对未实现[RFC6946]的旧式IPv6节点执行任何类型的基于碎片的攻击。也就是说,在实际不需要的地方使用碎片允许不必要地使用基于碎片的攻击向量。
We note that, unfortunately, even nodes that already implement [RFC6946] can be subject to DoS attacks as a result of the generation of IPv6 atomic fragments. Let us assume that Host A is communicating with Host B and that, as a result of the widespread dropping of IPv6 packets that contain extension headers (including fragmentation) [RFC7872], some intermediate node filters fragments between Host B and Host A. If an attacker sends a forged ICMPv6 PTB error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario.
我们注意到,不幸的是,即使是已经实现[RFC6946]的节点也可能由于IPv6原子片段的生成而受到DoS攻击。假设主机A正在与主机B通信,并且由于包含扩展头(包括碎片)的IPv6数据包的广泛丢弃[RFC7872],某些中间节点会过滤主机B和主机A之间的碎片。如果攻击者向主机B发送伪造的ICMPv6 PTB错误消息,报告MTU小于1280,这将触发从那一刻起生成IPv6原子片段(根据[RFC2460]的要求)。当主机B开始发送IPv6原子片段(响应收到的ICMPv6 PTB错误消息)时,这些数据包将被丢弃,因为我们之前注意到,在主机B和主机A之间丢弃了带有扩展头的IPv6数据包。因此,这种情况将导致DoS情况。
Another possible scenario is that in which two BGP peers are employing IPv6 transport and they implement Access Control Lists (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If the aforementioned BGP peers drop IPv6 fragments but still honor received ICMPv6 PTB error messages, an attacker could easily attack the corresponding peering session by simply sending an ICMPv6 PTB message with a reported MTU smaller than 1280 bytes. Once the attack packet has been sent, the aforementioned routers will themselves be the ones dropping their own traffic.
另一种可能的情况是,两个BGP对等方采用IPv6传输,并实施访问控制列表(ACL)以丢弃IPv6片段(以避免控制平面攻击)。如果上述BGP对等方丢弃IPv6片段,但仍然遵守收到的ICMPv6 PTB错误消息,则攻击者只需发送报告MTU小于1280字节的ICMPv6 PTB消息,即可轻松攻击相应的对等会话。一旦发送了攻击包,上述路由器本身就是丢弃自己流量的路由器。
The aforementioned attack vector is exacerbated by the following factors:
上述攻击向量由以下因素加剧:
o The attacker does not need to forge the IPv6 Source Address of his attack packets. Hence, deployment of simple filters as per BCP 38 [BCP38] does not help as a countermeasure.
o 攻击者不需要伪造其攻击数据包的IPv6源地址。因此,按照BCP 38[BCP38]部署简单过滤器无助于应对措施。
o Only the IPv6 addresses of the IPv6 packet embedded in the ICMPv6 payload need to be forged. While one could envision filtering devices enforcing filters in the style of BCP 38 on the ICMPv6 payload, the use of extension headers (by the attacker) could make this difficult, if not impossible.
o 只有嵌入在ICMPv6有效负载中的IPv6数据包的IPv6地址需要伪造。虽然可以设想过滤设备在ICMPv6负载上强制执行BCP 38样式的过滤器,但是(攻击者)使用扩展头可能会使这一点变得困难,甚至不可能。
o Many implementations fail to perform validation checks on the received ICMPv6 error messages as recommended in Section 5.2 of [RFC4443] and documented in [RFC5927]. It should be noted that in some cases, such as when an ICMPv6 error message has (supposedly) been elicited by a connectionless transport protocol (or some other connectionless protocol being encapsulated in IPv6), it may be virtually impossible to perform validation checks on the received ICMPv6 error message. And, because of IPv6 extension headers, the ICMPv6 payload might not even contain any useful information on which to perform validation checks.
o 许多实现未能按照[RFC4443]第5.2节中的建议和[RFC5927]中的记录,对收到的ICMPv6错误消息执行验证检查。应注意,在某些情况下,例如当无连接传输协议(或封装在IPv6中的其他无连接协议)已(假定)引发ICMPv6错误消息时,可能实际上不可能对接收到的ICMPv6错误消息执行验证检查。而且,由于IPv6扩展头,ICMPv6负载甚至可能不包含任何有用的信息来执行验证检查。
o Upon receipt of one of the aforementioned ICMPv6 PTB error messages, the Destination Cache [RFC4861] is usually updated to reflect that any subsequent packets to such a destination should include a Fragment Header. This means that a single ICMPv6 PTB error message might affect multiple communication instances (e.g., TCP connections) with such a destination.
o 在收到上述ICMPv6 PTB错误消息之一时,通常更新目标缓存[RFC4861],以反映到该目标的任何后续数据包应包括片段头。这意味着一条ICMPv6 PTB错误消息可能会影响与该目的地的多个通信实例(例如TCP连接)。
o As noted in Section 3, SIIT (the Stateless IP/ICMP Translation Algorithm) [RFC6145], including derivative protocols such as Stateful NAT64 (Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers) [RFC6146], was the only technology making use of atomic fragments. Unfortunately, an IPv6 node cannot easily limit its exposure to the aforementioned attack vector by only generating IPv6 atomic fragments towards IPv4 destinations
o 如第3节所述,SIIT(无状态IP/ICMP转换算法)[RFC6145],包括有状态NAT64(从IPv6客户端到IPv4服务器的网络地址和协议转换)[RFC6146]等衍生协议,是唯一利用原子片段的技术。不幸的是,IPv6节点不能仅通过向IPv4目的地生成IPv6原子碎片来限制其暴露于上述攻击向量。
behind a stateless translator. This is due to the fact that Section 3.3 of [RFC6052] encourages operators to use a Network-Specific Prefix (NSP) that maps the IPv4 address space into IPv6. When an NSP is being used, IPv6 addresses representing IPv4 nodes (reached through a stateless translator) are indistinguishable from native IPv6 addresses.
在一个无状态翻译器后面。这是因为[RFC6052]第3.3节鼓励运营商使用网络特定前缀(NSP),将IPv4地址空间映射到IPv6。使用NSP时,表示IPv4节点的IPv6地址(通过无状态转换器到达)与本机IPv6地址无法区分。
Besides the security assessment provided in Section 2, it is interesting to evaluate the pros and cons of having an IPv6-to-IPv4 translating router rely on the generation of IPv6 atomic fragments.
除了第2节中提供的安全评估外,还需要评估IPv6到IPv4转换路由器依赖于IPv6原子片段生成的利弊。
Relying on the generation of IPv6 atomic fragments implies a reliance on:
依赖IPv6原子片段的生成意味着依赖于:
1. ICMPv6 packets arriving from the translator to the destination IPv6 node
1. 从转换器到达目标IPv6节点的ICMPv6数据包
2. The ability of the nodes receiving ICMPv6 PTB messages reporting an MTU smaller than 1280 bytes to actually produce atomic fragments
2. 接收报告MTU小于1280字节的ICMPv6 PTB消息的节点实际生成原子碎片的能力
3. Support for IPv6 fragmentation on the IPv6 side of the translator
3. 在转换器的IPv6端支持IPv6分段
4. The ability of the translator implementation to access the information conveyed by the Fragment Header
4. 转换器实现访问片段头传递的信息的能力
5. The value extracted from the low-order 16 bits of the IPv6 fragment header Identification field resulting in an appropriate IPv4 Identification value
5. 从IPv6片段头标识字段的低阶16位提取的值,产生适当的IPv4标识值
Unfortunately,
不幸地
1. There exists a fair share of evidence of ICMPv6 PTB error messages being dropped on the public Internet (for instance, that is one of the reasons for which Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] was produced). Therefore, relying on such messages being successfully delivered will affect the robustness of the protocol that relies on them.
1. 有相当一部分证据表明ICMPv6 PTB错误消息被丢弃在公共互联网上(例如,这是产生打包层路径MTU发现(PLPMTUD)[RFC4821]的原因之一)。因此,依赖这些消息的成功传递将影响依赖它们的协议的健壮性。
2. A number of IPv6 implementations have been known to fail to generate IPv6 atomic fragments in response to ICMPv6 PTB messages reporting an MTU smaller than 1280 bytes. Additionally, the results included in Section 6 of [RFC6145] note that 57% of the tested web servers failed to produce IPv6 atomic fragments in response to ICMPv6 PTB messages reporting an MTU smaller than
2. 已知许多IPv6实现无法生成IPv6原子片段,以响应报告MTU小于1280字节的ICMPv6 PTB消息。此外,[RFC6145]第6节中包含的结果指出,57%的测试web服务器未能生成IPv6原子片段,以响应报告MTU小于的ICMPv6 PTB消息
1280 bytes. Thus, any protocol relying on IPv6 atomic fragment generation for proper functioning will have interoperability problems with the aforementioned IPv6 stacks.
1280字节。因此,任何依赖IPv6原子片段生成以实现正常功能的协议都会与上述IPv6堆栈存在互操作性问题。
3. IPv6 atomic fragment generation represents a case in which fragmented traffic is produced where otherwise it would not be needed. Since there is widespread dropping of IPv6 fragments in the public Internet [RFC7872], this would mean that the (unnecessary) use of IPv6 fragmentation might result, unnecessarily, in a DoS situation even in legitimate cases.
3. IPv6原子片段生成代表了一种情况,在这种情况下,在不需要碎片的情况下会产生碎片流量。由于公共互联网[RFC7872]中的IPv6碎片大量丢失,这意味着(不必要的)使用IPv6碎片可能会导致不必要的拒绝服务情况,即使在合法情况下也是如此。
4. The packet-handling API at the node where the translator is running may obscure fragmentation-related information. In such scenarios, the information conveyed by the Fragment Header may be unavailable to the translator. [JOOL] discusses a sample framework (Linux Netfilter) that hinders access to the information conveyed in IPv6 fragments.
4. 转换器正在运行的节点上的数据包处理API可能会掩盖碎片相关信息。在这种情况下,片段头传递的信息可能对翻译器不可用。[JOOL]讨论了一个示例框架(Linux Netfilter),它阻碍了对IPv6片段中传输的信息的访问。
5. While [RFC2460] requires that the IPv6 fragment header Identification field of a fragmented packet be different than that of any other fragmented packet sent recently with the same Source Address and Destination Address, there is no requirement on the low-order 16 bits of such a value. Thus, there is no guarantee that IPv4 fragment Identification collisions will be avoided or reduced by employing the low-order 16 bits of the IPv6 fragment header Identification field of a packet sent by a source host. Besides, collisions might occur where two distinct IPv6 Destination Addresses are translated into the same IPv4 address, such that Identification values that might have been generated to be unique in the context of IPv6 end up colliding when used in the context of translated IPv4.
5. 虽然[RFC2460]要求碎片数据包的IPv6碎片报头标识字段不同于最近使用相同源地址和目的地地址发送的任何其他碎片数据包的IPv6碎片报头标识字段,但不要求该值的低阶16位。因此,不能保证通过使用源主机发送的数据包的IPv6片段头标识字段的低阶16位来避免或减少IPv4片段标识冲突。此外,当两个不同的IPv6目标地址被转换为相同的IPv4地址时,可能会发生冲突,因此,在IPv6上下文中生成的唯一标识值在转换后的IPv4上下文中使用时最终会发生冲突。
We note that SIIT essentially employs the Fragment Header of IPv6 atomic fragments to signal the translator how to set the Don't Fragment (DF) bit of IPv4 datagrams (the DF bit is cleared when the IPv6 packet contains a Fragment Header and is otherwise set to 1 when the IPv6 packet does not contain a Fragment Header). Additionally, the translator will employ the low-order 16 bits of the IPv6 fragment header Identification field for setting the IPv4 Identification. At least in theory, this is expected to reduce the IPv4 Identification collision rate in the following specific scenario:
我们注意到,SIIT基本上使用IPv6原子片段的片段头来通知转换器如何设置IPv4数据报的不片段(DF)位(当IPv6数据包包含片段头时,DF位被清除,当IPv6数据包不包含片段头时,DF位被设置为1)。此外,转换器将使用IPv6片段头标识字段的低位16位来设置IPv4标识。至少在理论上,这有望在以下特定场景中降低IPv4标识冲突率:
1. An IPv6 node communicates with an IPv4 node (through SIIT).
1. IPv6节点(通过SIIT)与IPv4节点通信。
2. The IPv4 node is located behind an IPv4 link with an MTU smaller than 1260 bytes. An IPv4 Path MTU of 1260 corresponds to an IPv6 Path MTU of 1280, due to an optionless IPv4 header being 20 bytes shorter than the IPv6 header.
2. IPv4节点位于MTU小于1260字节的IPv4链路后面。IPv4路径MTU为1260对应于IPv6路径MTU为1280,因为无选项IPv4标头比IPv6标头短20字节。
3. ECMP routing [RFC2992] with more than one translator is employed, for example, for redundancy purposes.
3. 例如,出于冗余目的,使用带有多个转换器的ECMP路由[RFC2992]。
In such a scenario, if each translator were to select the IPv4 Identification on its own (rather than selecting the IPv4 Identification from the low-order 16 bits of the fragment Identification of IPv6 atomic fragments), this could possibly lead to IPv4 Identification collisions. However, as noted above, the value extracted from the low-order 16 bits of the IPv6 fragment header Identification field might not result in an appropriate IPv4 Identification: for example, a number of implementations set the IPv6 fragment header Identification field according to the output of a Pseudorandom Number Generator (PRNG) (see Appendix B of [RFC7739]); hence, if the translator only employs the low-order 16 bits of such a value, it is very unlikely that relying on the fragment Identification of the IPv6 atomic fragment will result in a reduced IPv4 Identification collision rate (when compared to the case where the translator selects each IPv4 Identification on its own). Besides, because of the limited size of the IPv4 Identification field, it is nevertheless virtually impossible to guarantee uniqueness of the IPv4 Identification values without artificially limiting the data rate of fragmented traffic [RFC6864] [RFC4963].
在这种情况下,如果每个转换器自行选择IPv4标识(而不是从IPv6原子片段的片段标识的低阶16位中选择IPv4标识),这可能会导致IPv4标识冲突。然而,如上所述,从IPv6片段头标识字段的低阶16位提取的值可能不会导致适当的IPv4标识:例如,许多实现根据伪随机数生成器(PRNG)的输出设置IPv6片段头标识字段(参见[RFC7739]的附录B);因此,如果转换器仅使用该值的低阶16位,则依赖IPv6原子片段的片段标识将不太可能导致IPv4标识冲突率降低(与转换器自行选择每个IPv4标识的情况相比)。此外,由于IPv4标识字段的大小有限,在不人为限制分段流量的数据速率的情况下,实际上不可能保证IPv4标识值的唯一性[RFC6864][RFC4963]。
[RFC6145] was the only "consumer" of IPv6 atomic fragments, and it correctly and diligently noted (in its Section 6) the possible interoperability problems of relying on IPv6 atomic fragments, proposing a workaround that led to more robust behavior and simplified code. [RFC6145] has been obsoleted by [RFC7915], such that SIIT does not rely on IPv6 atomic fragments.
[RFC6145]是IPv6原子片段的唯一“消费者”,它正确而认真地指出了(在第6节中)依赖IPv6原子片段可能存在的互操作性问题,提出了一种解决方案,从而导致更健壮的行为和简化的代码。[RFC6145]已被[RFC7915]淘汰,因此SIIT不依赖IPv6原子片段。
Taking all of the above considerations into account, we recommend that IPv6 atomic fragments be deprecated.
考虑到以上所有因素,我们建议不要使用IPv6原子片段。
In particular:
特别地:
o IPv4/IPv6 translators should be updated to not generate ICMPv6 PTB error messages containing an MTU value smaller than the minimum IPv6 MTU of 1280 bytes. This will ensure that current IPv6 nodes will never have a legitimate need to start generating IPv6 atomic fragments.
o 应更新IPv4/IPv6转换器,以不生成包含MTU值小于1280字节的最小IPv6 MTU的ICMPv6 PTB错误消息。这将确保当前IPv6节点永远不会有开始生成IPv6原子片段的合法需要。
o The recommendation in the previous bullet ensures that there are no longer any valid reasons for ICMPv6 PTB error messages reporting an MTU value smaller than the minimum IPv6 MTU (1280 bytes). IPv6 nodes should therefore be updated to ignore ICMPv6 PTB error messages reporting an MTU smaller than 1280 bytes as invalid.
o 上一个项目符号中的建议确保ICMPv6 PTB错误消息报告MTU值小于最小IPv6 MTU(1280字节)的原因不再有效。因此,应更新IPv6节点以忽略报告小于1280字节的MTU无效的ICMPv6 PTB错误消息。
We note that these recommendations have been incorporated in [IPv6-PMTUD], [IPv6-Spec], and [RFC7915].
我们注意到这些建议已纳入[IPv6 PMTUD]、[IPv6规范]和[RFC7915]中。
This document briefly discusses the security implications of the generation of IPv6 atomic fragments and describes one specific DoS attack vector that leverages the widespread dropping of IPv6 fragments in the public Internet. It concludes that the generation of IPv6 atomic fragments is an undesirable feature and documents the motivation for removing this functionality from [IPv6-Spec].
本文简要讨论了IPv6原子碎片的产生的安全含义,并描述了一种特定的DoS攻击向量,它利用了IPv6碎片在公共互联网中的广泛下降。它得出结论,IPv6原子片段的生成是一个不受欢迎的功能,并记录了从[IPv6规范]中删除此功能的动机。
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998, <http://www.rfc-editor.org/info/rfc2460>.
[RFC2460]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,RFC 2460,DOI 10.17487/RFC2460,1998年12月<http://www.rfc-editor.org/info/rfc2460>.
[BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000, <http://www.rfc-editor.org/info/rfc2827>.
[BCP38]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月<http://www.rfc-editor.org/info/rfc2827>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 4443, DOI 10.17487/RFC4443, March 2006, <http://www.rfc-editor.org/info/rfc4443>.
[RFC4443]Conta,A.,Deering,S.,和M.Gupta,Ed.,“互联网协议版本6(IPv6)规范的互联网控制消息协议(ICMPv6)”,RFC 4443,DOI 10.17487/RFC4443,2006年3月<http://www.rfc-editor.org/info/rfc4443>.
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, <http://www.rfc-editor.org/info/rfc4821>.
[RFC4821]Mathis,M.和J.Heffner,“打包层路径MTU发现”,RFC 4821,DOI 10.17487/RFC4821,2007年3月<http://www.rfc-editor.org/info/rfc4821>.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, DOI 10.17487/RFC4861, September 2007, <http://www.rfc-editor.org/info/rfc4861>.
[RFC4861]Narten,T.,Nordmark,E.,Simpson,W.,和H.Soliman,“IP版本6(IPv6)的邻居发现”,RFC 4861,DOI 10.17487/RFC48612007年9月<http://www.rfc-editor.org/info/rfc4861>.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011, <http://www.rfc-editor.org/info/rfc6145>.
[RFC6145]Li,X.,Bao,C.,和F.Baker,“IP/ICMP翻译算法”,RFC 6145DOI 10.17487/RFC6145,2011年4月<http://www.rfc-editor.org/info/rfc6145>.
[RFC7915] Bao, C., Li, X., Baker, F., Anderson, T., and F. Gont, "IP/ICMP Translation Algorithm", RFC 7915, DOI 10.17487/RFC7915, June 2016, <http://www.rfc-editor.org/info/rfc7915>.
[RFC7915]Bao,C.,Li,X.,Baker,F.,Anderson,T.,和F.Gont,“IP/ICMP翻译算法”,RFC 7915,DOI 10.17487/RFC7915,2016年6月<http://www.rfc-editor.org/info/rfc7915>.
[RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field", RFC 6864, DOI 10.17487/RFC6864, February 2013, <http://www.rfc-editor.org/info/rfc6864>.
[RFC6864]Touch,J.,“IPv4 ID字段的更新规范”,RFC 6864,DOI 10.17487/RFC6864,2013年2月<http://www.rfc-editor.org/info/rfc6864>.
[RFC2992] Hopps, C., "Analysis of an Equal-Cost Multi-Path Algorithm", RFC 2992, DOI 10.17487/RFC2992, November 2000, <http://www.rfc-editor.org/info/rfc2992>.
[RFC2992]Hopps,C.,“等成本多路径算法的分析”,RFC 2992,DOI 10.17487/RFC2992,2000年11月<http://www.rfc-editor.org/info/rfc2992>.
[RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, DOI 10.17487/RFC5927, July 2010, <http://www.rfc-editor.org/info/rfc5927>.
[RFC5927]Gont,F.,“ICMP对TCP的攻击”,RFC 5927,DOI 10.17487/RFC5927,2010年7月<http://www.rfc-editor.org/info/rfc5927>.
[RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly Errors at High Data Rates", RFC 4963, DOI 10.17487/RFC4963, July 2007, <http://www.rfc-editor.org/info/rfc4963>.
[RFC4963]Heffner,J.,Mathis,M.,和B.Chandler,“高数据速率下的IPv4重组错误”,RFC 4963,DOI 10.17487/RFC4963,2007年7月<http://www.rfc-editor.org/info/rfc4963>.
[RFC6052] Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X. Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052, DOI 10.17487/RFC6052, October 2010, <http://www.rfc-editor.org/info/rfc6052>.
[RFC6052]Bao,C.,Huitema,C.,Bagnulo,M.,Boucadair,M.,和X.Li,“IPv4/IPv6转换器的IPv6寻址”,RFC 6052,DOI 10.17487/RFC6052,2010年10月<http://www.rfc-editor.org/info/rfc6052>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, April 2011, <http://www.rfc-editor.org/info/rfc6146>.
[RFC6146]Bagnulo,M.,Matthews,P.,和I.van Beijnum,“有状态NAT64:从IPv6客户端到IPv4服务器的网络地址和协议转换”,RFC 6146,DOI 10.17487/RFC6146,2011年4月<http://www.rfc-editor.org/info/rfc6146>.
[RFC6274] Gont, F., "Security Assessment of the Internet Protocol Version 4", RFC 6274, DOI 10.17487/RFC6274, July 2011, <http://www.rfc-editor.org/info/rfc6274>.
[RFC6274]Gont,F.,“互联网协议版本4的安全评估”,RFC 6274,DOI 10.17487/RFC6274,2011年7月<http://www.rfc-editor.org/info/rfc6274>.
[RFC6946] Gont, F., "Processing of IPv6 "Atomic" Fragments", RFC 6946, DOI 10.17487/RFC6946, May 2013, <http://www.rfc-editor.org/info/rfc6946>.
[RFC6946]Gont,F.,“IPv6原子片段的处理”,RFC 6946,DOI 10.17487/RFC6946,2013年5月<http://www.rfc-editor.org/info/rfc6946>.
[RFC7739] Gont, F., "Security Implications of Predictable Fragment Identification Values", RFC 7739, DOI 10.17487/RFC7739, February 2016, <http://www.rfc-editor.org/info/rfc7739>.
[RFC7739]Gont,F.,“可预测碎片识别值的安全影响”,RFC 7739,DOI 10.17487/RFC7739,2016年2月<http://www.rfc-editor.org/info/rfc7739>.
[RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, "Observations on the Dropping of Packets with IPv6 Extension Headers in the Real World", RFC 7872, DOI 10.17487/RFC7872, June 2016, <http://www.rfc-editor.org/info/rfc7872>.
[RFC7872]Gont,F.,Linkova,J.,Chown,T.,和W.Liu,“关于在现实世界中使用IPv6扩展头丢弃数据包的观察”,RFC 7872,DOI 10.17487/RFC7872,2016年6月<http://www.rfc-editor.org/info/rfc7872>.
[IPv6-Spec] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", Work in Progress, draft-ietf-6man-rfc2460bis-08, November 2016.
[IPv6规范]Deering,S.和R.Hinden,“互联网协议,第6版(IPv6)规范”,正在进行的工作,草案-ietf-6man-rfc2460bis-082016年11月。
[IPv6-PMTUD] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., "Path MTU Discovery for IP version 6", Work in Progress, draft-ietf-6man-rfc1981bis-03, October 2016.
[IPv6 PMTUD]McCann,J.,Deering,S.,Mogul,J.,和R.Hinden,编辑,“IP版本6的路径MTU发现”,正在进行的工作,草稿-ietf-6man-rfc1981bis-032016年10月。
[JOOL] Leiva Popper, A., "nf_defrag_ipv4 and nf_defrag_ipv6", April 2015, <https://github.com/NICMx/Jool/wiki/ nf_defrag_ipv4-and-nf_defrag_ipv6#implementation-gotchas>.
[JOOL]Leiva Popper,A.,“nf_碎片整理ipv4和nf_碎片整理ipv6”,2015年4月<https://github.com/NICMx/Jool/wiki/ nf_碎片整理_ipv4-和-nf_碎片整理_ipv6#实现gotchas>。
Acknowledgements
致谢
The authors would like to thank (in alphabetical order) Congxiao Bao, Bob Briscoe, Carlos Jesus Bernardos Cano, Brian Carpenter, Bob Hinden, Tatuya Jinmei, Alberto Leiva Popper, Ted Lemon, Xing Li, Jeroen Massar, Erik Nordmark, Qiong Sun, Joe Touch, Ole Troan, Tina Tsou, and Bernie Volz for providing valuable comments on earlier versions of this document.
作者要感谢(按字母顺序排列)聪晓宝、鲍勃·布里斯科、卡洛斯·耶稣·贝纳多斯·卡诺、布赖恩·卡彭特、鲍勃·欣登、塔图娅·金梅、阿尔贝托·莱瓦·波普尔、特德·莱蒙、邢莉、杰伦·马萨、埃里克·诺德马克、琼孙、乔·图奇、奥勒·特罗安、蒂娜·邹、,感谢Bernie Volz对本文件早期版本的宝贵意见。
Fernando Gont would like to thank Jan Zorz / Go6 Lab <http://go6lab.si/>, and Jared Mauch / NTT America, for providing access to systems and networks that were employed to produce some of the tests that resulted in the publication of this document. Additionally, he would like to thank Ivan Arce, Guillermo Gont, and Diego Armando Maradona for their inspiration.
费尔南多·冈特要感谢扬·佐尔兹/Go6实验室<http://go6lab.si/>,以及Jared Mauch/NTT America,以提供对系统和网络的访问,这些系统和网络用于生成导致本文件出版的一些测试。此外,他还要感谢伊万·阿尔奇、吉列尔莫·贡特和迭戈·阿曼多·马拉多纳的灵感。
Authors' Addresses
作者地址
Fernando Gont SI6 Networks / UTN-FRH Evaristo Carriego 2644 Haedo, Provincia de Buenos Aires 1706 Argentina
Fernando Gont SI6 Networks/UTN-FRH Evaristo Carriego 2644 Haedo,布宜诺斯艾利斯省1706阿根廷
Phone: +54 11 4650 8472 Email: fgont@si6networks.com URI: http://www.si6networks.com
Phone: +54 11 4650 8472 Email: fgont@si6networks.com URI: http://www.si6networks.com
Will (Shucheng) Liu Huawei Technologies Bantian, Longgang District Shenzhen 518129 China
威尔(舒城)刘华威科技有限公司深圳市龙岗区坂田518129
Email: liushucheng@huawei.com
Email: liushucheng@huawei.com
Tore Anderson Redpill Linpro Vitaminveien 1A Oslo 0485 Norway
Tore Anderson Redpill Linpro Vitaminveien 1A奥斯陆0485挪威
Phone: +47 959 31 212 Email: tore@redpill-linpro.com URI: http://www.redpill-linpro.com
Phone: +47 959 31 212 Email: tore@redpill-linpro.com URI: http://www.redpill-linpro.com