rfcdiff of draft-ietf-intarea-frag-fragile-12.txt against
draft-ietf-intarea-frag-fragile-13.txt.  Text common to both versions is
shown once; where the versions differ, the -12 and -13 text appear on
separate lines marked "-12:" and "-13:".

Internet Area WG                                              R. Bonica
Internet-Draft                                         Juniper Networks
Intended status: Best Current Practice                         F. Baker
Expires: December 21, 2019 (-12) / December 26, 2019 (-13)  Unaffiliated
                                                              G. Huston
                                                                  APNIC
                                                              R. Hinden
                                                   Check Point Software
                                                               O. Troan
                                                                  Cisco
                                                                F. Gont
                                                           SI6 Networks
                              June 19, 2019 (-12) / June 24, 2019 (-13)

                   IP Fragmentation Considered Fragile
    draft-ietf-intarea-frag-fragile-12 / draft-ietf-intarea-frag-fragile-13

Abstract

   This document describes IP fragmentation and explains how it
   introduces fragility to Internet communication.

   This document also proposes alternatives to IP fragmentation and
   provides recommendations for developers and network operators.

Status of This Memo

   [skipping to change at page 1, line 43]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -12: This Internet-Draft will expire on December 21, 2019.
   -13: This Internet-Draft will expire on December 26, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 3, line 27]

   introduces.  It also proposes alternatives to IP fragmentation and
   provides recommendations for developers and network operators.

   While this document identifies issues associated with IP
   fragmentation, it does not recommend deprecation.  Legacy protocols
   that depend upon IP fragmentation SHOULD be updated to remove that
   dependency.  However, some applications and environments (see
   Section 6) require IP fragmentation.  In these cases, the protocol
   will continue to rely on IP fragmentation, but the designer should
   be aware that fragmented packets may result in blackholes; a design
   -12: should include appropriate safeguards (e.g. PLPMTU).
   -13: should include appropriate safeguards.

   Rather than deprecating IP Fragmentation, this document recommends
   that upper-layer protocols address the problem of fragmentation at
   their layer, reducing their reliance on IP fragmentation to the
   greatest degree possible.

1.1.  IP-in-IP Tunnels

   This document acknowledges that in some cases, packets must be
   fragmented within IP-in-IP tunnels [I-D.ietf-intarea-tunnels].

   [skipping to change at page 11, line 15]

   These reassembly issues are not easily reproducible in IPv6 because
   the IPv6 identification field is 32 bits long.

4.6.  Security Vulnerabilities

   Security researchers have documented several attacks that exploit IP
   fragmentation.  The following are examples:

   o  Overlapping fragment attacks [RFC1858][RFC3128][RFC5722]

   -12: o  Resource exhaustion attacks (such as the Rose Attack,
           https://web.archive.org/web/20110723091910/
           http://www.digital.net/~gandalf/Rose_Frag_Attack_Explained.htm)
   -13: o  Resource exhaustion attacks

   o  Attacks based on predictable fragment identification values
      [RFC7739]

   o  Evasion of Network Intrusion Detection Systems (NIDS) [Ptacek1998]

   In the overlapping fragment attack, an attacker constructs a series
   of packet fragments.  The first fragment contains an IP header, a
   transport-layer header, and some transport-layer payload.  This
   fragment complies with local security policy and is allowed to pass
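The overlapping-fragment case in working code, as an added example that is not part of the draft or its authors' work: a small reassembler models each fragment as (Fragment Offset in 8-octet units, More Fragments flag, payload), reports any pair of fragments whose byte ranges overlap, and applies the RFC 5722 rule that a datagram containing an overlapping fragment is discarded whole rather than reassembled. The `Fragment` type, the function names and the sample fragments are constructed for this example.

```python
from typing import List, NamedTuple, Optional, Tuple


class Fragment(NamedTuple):
    offset_units: int   # Fragment Offset field, in 8-octet units (IPv4 and IPv6)
    more: bool          # More Fragments (MF) flag
    payload: bytes      # bytes carried after the IP header / Fragment header


def byte_range(f: Fragment) -> Tuple[int, int]:
    """Half-open [start, end) range of datagram bytes this fragment covers."""
    start = f.offset_units * 8
    return start, start + len(f.payload)


def find_overlap(frags: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose byte ranges overlap, else None.
    After sorting by start offset, each range only needs comparing with its neighbour."""
    ordered = sorted(frags, key=byte_range)
    for a, b in zip(ordered, ordered[1:]):
        if byte_range(b)[0] < byte_range(a)[1]:   # b starts before a ends
            return a, b
    return None


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble a datagram under the RFC 5722 rule: any overlap discards the
    whole datagram (None).  Also None while fragments are still missing."""
    if not frags or find_overlap(frags) is not None:
        return None
    ordered = sorted(frags, key=byte_range)
    out, expected = bytearray(), 0
    for f in ordered:
        if byte_range(f)[0] != expected:   # gap: a fragment has not arrived yet
            return None
        out += f.payload
        expected += len(f.payload)
    return None if ordered[-1].more else bytes(out)   # tail must carry MF=0


# Constructed sample: a well-formed datagram carried in three fragments.
GOOD = [
    Fragment(0, True, b"TCPHDR--" + b"payload1"),  # bytes 0..15, holds the transport header
    Fragment(2, True, b"payload2"),                # bytes 16..23
    Fragment(3, False, b"tail"),                   # bytes 24..27, MF=0
]
# Constructed sample: the same datagram plus a fragment overlapping bytes 8..15
# of the first one, the pattern the overlapping fragment attack relies on.
OVERLAP = GOOD + [Fragment(1, True, b"REWRITE!")]
```

A reassembler that honoured the later fragment would present different transport-layer bytes than the ones a filter inspected in the first fragment; discarding the datagram on detection, as `reassemble` does, is the behaviour RFC 5722 requires for IPv6.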
End of changes.  6 change blocks.  8 lines changed or deleted, 6 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/