IPv6 Stateless Fragmentation Identification Options
Internet Systems Consortium
950 Charter Street
Redwood City, CA 94063
US
marka@isc.org
Fragmented IPv6 packets are often dropped because there is no
way to identify whether a fragment matches an otherwise permitted
packet, as the L4 header information is not available in all the
fragments.
This document defines hop-by-hop options that can be used to
supply the missing information in non-initial fragments.
The information required differs depending upon the L4 protocol.
For TCP and UDP the source and destination ports are needed.
For ICMP the type of the ICMP packet is needed.
These options are expected to be used by middleboxes (firewalls
and load balancers) and by end nodes.
For TCP and UDP a skippable hop-by-hop option (for backwards compatibility) containing
the source and destination ports from the TCP or UDP header
is needed. To permit the use of NATs, however undesired,
the option contents are marked changeable en route. The option code
has mnemonic PORTS and value (TBD) and is added to all
fragments of UDP and TCP packets when they are fragmented.
Adding the option to all fragments reduces the number
of reassembly failures that would result if
the option were added only to non-initial fragments while
non-initial fragments without the option were being dropped.
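The following is an added example, not text or code from the draft: it builds UDP fragments that each carry a PORTS hop-by-hop option as described above, walks the extension-header chain on the receiving side, and applies a stateless port filter to both initial and non-initial fragments. The option code value is TBD in the draft, so PORTS_OPTION_TYPE here is a placeholder (skippable, change-en-route bits set, low five bits chosen arbitrarily); the addresses, ports and payload are constructed sample data; the function names are the example's own. The filter also shows the check a middlebox would want that the draft does not spell out: on an initial fragment, where the real L4 header is present, a PORTS option that disagrees with it is treated as untrustworthy and the fragment is dropped.

```python
import struct

# Option type (format from RFC 8200): top two bits 00 = skip if unrecognised,
# third bit 1 = contents may change en route. The low five bits are a
# PLACEHOLDER; the draft leaves the actual value TBD.
PORTS_OPTION_TYPE = 0b00100000 | 0x1F      # 0x3F, illustrative only

IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_FRAGMENT = 0, 6, 17, 44

# Constructed sample addresses from the documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ports_option(src_port, dst_port):
    """One PORTS option: type, data length 4, then source and destination port."""
    return struct.pack("!BBHH", PORTS_OPTION_TYPE, 4, src_port, dst_port)


def hop_by_hop_header(next_header, options):
    """Hop-by-Hop header around `options`, padded to a multiple of 8 octets."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                   # Pad1
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)  # PadN
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options


def fragment_header(next_header, offset, more, ident):
    """Fragment header: 13-bit offset in 8-octet units, M flag, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def ipv6_header(payload_len, next_header, src=SRC, dst=DST):
    """Minimal IPv6 base header (version 6, no traffic class/flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def build_fragments(src_port, dst_port, payload, ident, chunk=16, with_option=True):
    """Fragment one UDP datagram; every fragment gets PORTS unless with_option=False."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    frags, offset = [], 0
    while offset < len(udp):
        piece = udp[offset:offset + chunk]
        more = offset + len(piece) < len(udp)
        body = fragment_header(IPPROTO_UDP, offset // 8, more, ident) + piece
        if with_option:
            body = hop_by_hop_header(IPPROTO_FRAGMENT, ports_option(src_port, dst_port)) + body
            first = IPPROTO_HOPOPTS
        else:
            first = IPPROTO_FRAGMENT
        frags.append(ipv6_header(len(body), first, SRC, DST) + body)
        offset += len(piece)
    return frags


def parse_chain(pkt):
    """Walk Hop-by-Hop and Fragment headers.

    Returns (l4_protocol, fragment_offset_or_None, ports_or_None, l4_start).
    """
    nh, pos, offset, ports = pkt[6], 40, None, None
    while nh in (IPPROTO_HOPOPTS, IPPROTO_FRAGMENT):
        if nh == IPPROTO_HOPOPTS:
            length = (pkt[pos + 1] + 1) * 8
            opts, i = pkt[pos + 2:pos + length], 0
            while i < len(opts):
                if opts[i] == 0:                 # Pad1 has no length byte
                    i += 1
                    continue
                otype, olen = opts[i], opts[i + 1]
                if otype == PORTS_OPTION_TYPE and olen == 4:
                    ports = struct.unpack("!HH", opts[i + 2:i + 6])
                i += 2 + olen                    # any other option is skipped
            nh, pos = pkt[pos], pos + length
        else:
            offset = struct.unpack("!H", pkt[pos + 2:pos + 4])[0] >> 3
            nh, pos = pkt[pos], pos + 8
    return nh, offset, ports, pos


def permit(pkt, allowed_dst_ports):
    """Stateless policy: allow TCP/UDP to an allowed destination port.

    Initial fragments and whole packets are judged on the real L4 header; a
    PORTS option that disagrees with it is treated as forged and dropped.
    Non-initial fragments are judged on PORTS alone, and dropped without it.
    """
    proto, offset, ports, l4 = parse_chain(pkt)
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return False
    if not offset:                               # None (unfragmented) or 0
        real = struct.unpack("!HH", pkt[l4:l4 + 4])
        if ports is not None and ports != real:
            return False
        return real[1] in allowed_dst_ports
    if ports is None:
        return False
    return ports[1] in allowed_dst_ports
```

With a 28-byte UDP datagram and 16-byte chunks, build_fragments yields two fragments; both pass permit() for destination port 53 and both fail for port 80. Built with with_option=False, the initial fragment still passes (its UDP header is present) while the non-initial fragment is dropped, which is exactly the loss the draft avoids by placing the option on every fragment.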
The use of these options will expose nodes to more fragmentation-based
attacks and potentially more traffic, which will ultimately
be dropped if an attacker can guess which option values will be
permitted.
With the exception of the fragmentation-based attacks, permitting
fragments with these options is no worse than permitting multiple
unfragmented packets based on the same parameters.