[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Tiny fragments and IPv6

To: Vishwas Manral <Vishwas@sinett.com>
Subject: Re: Tiny fragments and IPv6
From: Stig Venaas <Stig.Venaas@uninett.no>
Date: Tue, 29 Nov 2005 19:33:46 +0100
Cc: Margaret Wasserman <margaret@thingmagic.com>, Fred Baker <fred@cisco.com>, v6ops@ops.ietf.org
In-reply-to: <BB6D74C75CC76A419B6D6FA7C38317B278CA64@sinett-sbs.SiNett.LAN>
References: <BB6D74C75CC76A419B6D6FA7C38317B278CA64@sinett-sbs.SiNett.LAN>
User-agent: Mutt/1.4.1i

On Tue, Nov 29, 2005 at 10:25:11AM -0800, Vishwas Manral wrote:
> Hi Margaret,
>  
> One small difference is that we can have a lot of extension headers in IPv6 while we do not have the same in IPv4. In IPv4 the TCP header if present will be just after the IPv4 header, which may not be the case in IPv6 (because of the extension headers). Besides STD 5, RFC 791 states:-
> 
>       Every internet module must be able to forward a datagram of 68
>       octets without further fragmentation.  This is because an internet
>       header may be up to 60 octets, and the minimum fragment is 8
>       octets.

Well, this is because in some cases fragments cannot be made smaller if
they are to contain a maximum size IP header. I don't think it prohibits
smaller fragments. Isn't this sort of similar to the 1280 limit in IPv6?
You shouldn't need to fragment IPv6 datagrams of 1280 or less...

What I mainly would have like to see, both for IPv4 and IPv6, is some-
thing saying that fragments MUST not be overlapped. When receiving such
one could then just discard them...

Stig

>  
> There is no minimum non-last fragment size specified in IPv6. RFC1858 already states issues with IPv4 with tiny fragments.
>  
> Thanks,
> Vishwas
> ________________________________
> 
> From: Margaret Wasserman [mailto:margaret@thingmagic.com]
> Sent: Tue 11/29/2005 10:13 AM
> To: 'Fred Baker'; v6ops@ops.ietf.org
> Cc: Vishwas Manral
> Subject: RE: Tiny fragments and IPv6
> 
> 
> Why is this an IPv6-specific problem?  Is there a reason why the same type
> of attack does not work in IPv4?
> 
> Margaret
> 
> > -----Original Message-----
> > From: owner-v6ops@ops.ietf.org
> > [mailto:owner-v6ops@ops.ietf.org] On Behalf Of Fred Baker
> > Sent: Tuesday, November 29, 2005 8:23 AM
> > To: v6ops@ops.ietf.org
> > Cc: Vishwas Manral
> > Subject: Fwd: Tiny fragments and IPv6
> >
> > This has been moved to v6ops, as it is more operational in
> > nature than a protocol discussion.
> >
> > Begin forwarded message:
> >
> > > From: "Vishwas Manral" <Vishwas@sinett.com>
> > > Date: November 28, 2005 8:49:11 AM EST
> > > To: "IPv6" <ipv6@ietf.org>
> > > Subject: Tiny fragments and IPv6
> > >
> > > Hi folks,
> > >
> > > To summarize the discussion we have had on and off the list, I have
> > > put in a short draft.
> > >
> > > Do let me know if you have any comments or suggestions for the same?
> > >
> > > Thanks,
> > > Vishwas
> > >
> 
>  
> 
>  
>

References:
- RE: Tiny fragments and IPv6
  - From: "Vishwas Manral" <Vishwas@sinett.com>

Prev by Date: RE: Tiny fragments and IPv6
Next by Date: Re: Tiny fragments and IPv6
Previous by thread: RE: Tiny fragments and IPv6
Next by thread: RE: Tiny fragments and IPv6
Index(es):
- Date
- Thread