[LACNIC/Seguridad] Processing of IPv6 "atomic" fragments (Fwd: I-D Action: draft-ietf-6man-ipv6-atomic-fragments-00.txt)

Fernando Gont fernando en gont.com.ar
Jue Feb 2 21:33:00 BRST 2012 

Estimados,

FYI -- recien publicado, luego de haber sido aceptado como elemento de
trabajo del 6man wg. Disponible en
<http://www.ietf.org/internet-drafts/draft-ietf-6man-ipv6-atomic-fragments-00.txt>.

OpenBSD aplicó un parche en respuesta a este I-D hace un par de
semanas... y es esperable que suceda lo mismo con FreeBSD y otros.

Lectura complementaria:
<http://tools.ietf.org/html/draft-gont-6man-predictable-fragment-id>

P.S.: Sin esto, es posible realizar ataques de DoS basados en
fragmentacion contra tráfico que tipicamente no utiliza framentacion
(como por ejemplo TCP).

Saludos cordiales,
Fernando




-------- Original Message --------
Subject: I-D Action: draft-ietf-6man-ipv6-atomic-fragments-00.txt
Date: Thu, 02 Feb 2012 14:07:13 -0800
From: internet-drafts en ietf.org
To: i-d-announce en ietf.org
CC: ipv6 en ietf.org


A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the IPv6 Maintenance Working
Group of the IETF.

	Title           : Processing of IPv6 "atomic" fragments
	Author(s)       : Fernando Gont
	Filename        : draft-ietf-6man-ipv6-atomic-fragments-00.txt
	Pages           : 14
	Date            : 2012-02-01

   The IPv6 specification allows packets to contain a Fragment Header
   without the packet being actually fragmented into multiple pieces.
   Such packets typically result from hosts that have received an ICMPv6
   "Packet Too Big" error message that advertises a "Next-Hop MTU"
   smaller than 1280 bytes, and are currently processed by some
   implementations as "fragmented traffic".  Thus, by forging ICMPv6
   "Packet Too Big" error messages an attacker can cause hosts to employ
   "atomic fragments", and then launch any fragmentation-based attacks
   against such traffic.  This document discusses the generation of the
   aforementioned "atomic fragments", the corresponding security
   implications, and formally updates RFC 2460 and RFC 5722 such that
   fragmentation-based attack vectors against traffic employing "atomic
   fragments" are completely eliminated.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-6man-ipv6-atomic-fragments-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-6man-ipv6-atomic-fragments-00.txt

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 en ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Más información sobre la lista de distribución Seguridad