Deprecating the Generation of IPv6 Atomic Fragments
draft-gont-6man-deprecate-atomfrag-generation-01

Document Type Expired Internet-Draft (individual)
Last updated 2015-02-28 (latest revision 2014-08-27)
Stream (None)
Intended RFC status (None)
Formats
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-gont-6man-deprecate-atomfrag-generation-01.txt

Abstract

The core IPv6 specification requires that when a host receives an ICMPv6 "Packet Too Big" message reporting a "Next-Hop MTU" smaller than 1280, the host includes a Fragment Header in all subsequent packets sent to that destination, without reducing the assumed Path- MTU. The simplicity with which ICMPv6 "Packet Too Big" messages can be forged, coupled with the widespread filtering of IPv6 fragments, results in an attack vector that can be leveraged for Denial of Service purposes. This document briefly discusses the aforementioned attack vector, and formally updates RFC2460 such that generation of IPv6 atomic fragments is deprecated, thus eliminating the aforementioned attack vector. Additionally, it formally updates RFC6145 such that the Stateless IP/ICMP Translation Algorithm (SIIT) does not rely on the generation of IPv6 atomic fragments, thus improving the robustness of the protocol.

Authors

Fernando Gont (fgont@si6networks.com)
Will LIU (liushucheng@huawei.com)
Tore Anderson (tore@redpill-linpro.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)