IPv6 fragmentation: overlapping segments are illegal, no? - TCP-IP

This is a discussion on IPv6 fragmentation: overlapping segments are illegal, no? - TCP-IP ; In IPv4, where routers may fragment, overlapping segments can happen because of variant routing paths or because of attackers forging them. In IPv6, where only hosts may fragment, overlapping segments can only happen because of attackers. It isn't legal for ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: IPv6 fragmentation: overlapping segments are illegal, no?

  1. IPv6 fragmentation: overlapping segments are illegal, no?

    In IPv4, where routers may fragment, overlapping segments can happen
    because of variant routing paths or because of attackers forging them.

    In IPv6, where only hosts may fragment, overlapping segments can only
    happen because of attackers. It isn't legal for a host to generate
    overlapping fragments by ITSELF, is it? Should it be?

    I would imagine that a correct IPv6 implementation should at least
    discard fragments that overlap others. Perhaps it is better if it
    discards the entire packet when it sees overlapping segments -- I'd
    rather hand the attacker a DoS attack than go through the mess with
    overlapping segments that we live with in IPv4.

    I'm surprised that the IPv6 spec doesn't talk about this. Is there an
    RFC that does?

    - geof

  2. Re: IPv6 fragmentation: overlapping segments are illegal, no?

    jeof@securify.com wrote:
    > In IPv4, where routers may fragment, overlapping segments can happen
    > because of variant routing paths or because of attackers forging them.
    >
    > In IPv6, where only hosts may fragment, overlapping segments can only
    > happen because of attackers. It isn't legal for a host to generate
    > overlapping fragments by ITSELF, is it?


    I can find nothing to say it is illegal.

    > Should it be?


    I don't think so. Since a reassembly algorithm is often already in place
    for existing IPv4 stacks, and because most hosts will need to support both
    IPv4 and IPv6 but not IPv6 alone, the implementation of that algorithm for
    IPv4 can typically be modified to handle IPv6 reassembly.

    Also, RFC 1122 recommends application of the "Robustness Principle": "Be
    liberal in what you accept, and conservative in what you send," which can
    be taken as argument to avoid dropping packets that are not per se illegal.

    > I would imagine that a correct IPv6 implementation should at least
    > discard fragments that overlap others. Perhaps it is better if it
    > discards the entire packet when it sees overlapping segments -- I'd
    > rather hand the attacker a DoS attack than go through the mess with
    > overlapping segments that we live with in IPv4.
    >
    > I'm surprised that the IPv6 spec doesn't talk about this. Is there an
    > RFC that does?


    The problem is that I can think of a number of "attacks" using
    fragmentation that do not involve overlap, so I'm not sure anything is
    gained at all by discarding overlapping IPv6 fragments.

  3. Re: IPv6 fragmentation: overlapping segments are illegal, no?

    In article
    <466eabc9-8aae-470f-a9c5-c24cf1b7e2e1@e10g2000prf.googlegroups.com>,
    jeof@securify.com wrote:

    > I would imagine that a correct IPv6 implementation should at least
    > discard fragments that overlap others. Perhaps it is better if it
    > discards the entire packet when it sees overlapping segments -- I'd
    > rather hand the attacker a DoS attack than go through the mess with
    > overlapping segments that we live with in IPv4.


    I don't see any need for a blanket discard of overlapping fragments.
    You only need to be concerned if you notice a DIFFERENCE in the
    overlapping portion.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  4. Re: IPv6 fragmentation: overlapping segments are illegal, no?

    On Dec 19, 4:08 pm, Barry Margolin wrote:

    > I don't see any need for a blanket discard of overlapping fragments.
    > You only need to be concerned if you notice a DIFFERENCE in the
    > overlapping portion.


    Exactly. I could imagine an implementation that might issue
    overlapping fragments if the MTU changed after the first fragment was
    sent and before the last. I think it's unlikely to occur in practice,
    but you should be liberal in what you accept.

    Of course, as you noted, if the overlapping portions differ, you
    should reject the packet entirely.

    DS

+ Reply to Thread