Discussion:
IPv6 fragmentation issue for first fragment
Loganaden Velvindron
2012-10-21 13:15:30 UTC
An interesting case is explained here about:

http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-01.txt

Quote:

If a packet is fragmented, the first fragment of the packet (i.e.,
that with a Fragment Offset of 0) MUST contain the entire IPv6 header
chain.

I'm still new to IPv6 and I was thinking about something like this:

if fragoff == 0 && q6->ip6q_unfraglen > 1280, drop_packet(); else process_it();

It's probably wrong, but I'd appreciate some help.
--
Brightest day,
Blackest night,
No bug shall escape my sight,
And those who worship evil's mind,
be wary of my powers,
puffy lantern's light !

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Greg Troxel
2012-10-21 14:50:22 UTC
Post by Loganaden Velvindron
http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-01.txt
If a packet is fragmented, the first fragment of the packet (i.e.,
that with a Fragment Offset of 0) MUST contain the entire IPv6 header
chain.
if fragoff == 0 && q6->ip6q_unfraglen > 1280, drop_packet(); else process_it();
Are you worrying about outbound or inbound processing?

The headers are variable length. So on outbound, if one is creating a
fragment that won't include all of them, I think you have to return an
error (probably to the socket, but tunnel-mode IPsec packets can count
as locally sourced).

On inbound, absent trying to firewall, I'm not sure there is much to be
done, other than to check for this and drop. But a firewall probably
should chase the header chain for first fragments and verify that it
fits. A firewall probably should be validating all the headers anyway.

Can you point to something in the NetBSD code that's wrong? (I'm not
trying to claim that there is nothing wrong.)
Loganaden Velvindron
2012-10-21 15:50:12 UTC
Post by Greg Troxel
Post by Loganaden Velvindron
http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-01.txt
If a packet is fragmented, the first fragment of the packet (i.e.,
that with a Fragment Offset of 0) MUST contain the entire IPv6 header
chain.
if fragoff == 0 && q6->ip6q_unfraglen > 1280, drop_packet(); else process_it();
Are you worrying about outbound or inbound processing?
Inbound for now.
Post by Greg Troxel
The headers are variable length. So on outbound, if one is creating a
fragment that won't include all of them, I think you have to return an
error (probably to the socket, but tunnel-mode IPsec packets can count
as locally sourced).
According to my understanding of the draft, the first fragment should include
all the headers including the extension headers as well as TCP/UDP, if present.

I still haven't looked at the outbound part.
Post by Greg Troxel
On inbound, absent trying to firewall, I'm not sure there is much to be
done, other than to check for this and drop.
Yes. I'm interested in that part: detecting that this has occurred in
the first fragment, and drop the packet if the headers don't fit below
the MTU.
Post by Greg Troxel
But a firewall probably
should chase the header chain for first fragments and verify that it
fits. A firewall probably should be validating all the headers anyway.
Can you point to something in the NetBSD code that's wrong? (I'm not
trying to claim that there is nothing wrong.)
I'm not sure about this part, as NetBSD already implements many checks.

From cvsweb:
    /*
     * If it's the 1st fragment, record the length of the
     * unfragmentable part and the next header of the fragment header.
     */

    if (fragoff == 0) {
        q6->ip6q_unfrglen = offset - sizeof(struct ip6_hdr) -
            sizeof(struct ip6_frag);
        q6->ip6q_nxt = ip6f->ip6f_nxt;
    }

    /*
     * Check that the reassembled packet would not exceed 65535 bytes
     * in size.
     * If it would exceed, discard the fragment and return an ICMP error.
     */
    frgpartlen = sizeof(struct ip6_hdr) + ntohs(ip6->ip6_plen) - offset;
    if (q6->ip6q_unfrglen >= 0) {
        /* The 1st fragment has already arrived. */
        if (q6->ip6q_unfrglen + fragoff + frgpartlen > IPV6_MAXPACKET) {
            mutex_exit(&frag6_lock);
            icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
                offset - sizeof(struct ip6_frag) +
                offsetof(struct ip6_frag, ip6f_offlg));
            return IPPROTO_DONE;
        }
    } else if (fragoff + frgpartlen > IPV6_MAXPACKET) {
        mutex_exit(&frag6_lock);
        icmp6_error(m, ICMP6_PARAM_PROB, ICMP6_PARAMPROB_HEADER,
            offset - sizeof(struct ip6_frag) +
            offsetof(struct ip6_frag, ip6f_offlg));
        return IPPROTO_DONE;
    }


I was thinking about a similar check for the first fragment. What do
you think :-) ?

I should add that I just started reading the RFCs :-)
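Added example, not part of the thread and not NetBSD code: one way to express the inbound check discussed above, walking the header chain of a fragment with Fragment Offset 0 and comparing it against the bytes actually present in that fragment. The function names, the sample packet and the minimum upper-layer header sizes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
enum { CHAIN_TRUNCATED = 0, CHAIN_COMPLETE = 1 };

/* Constructed sample: IPv6 hdr, Fragment hdr (offset 0, M=1), DestOpts, UDP. */
static const uint8_t sample_frag[64] = { [0] = 0x60, [5] = 24, [6] = 44,
                                         [40] = 60, [43] = 1, [48] = 17 };

/* Minimum upper-layer header sizes; these minimums are assumptions. */
static size_t upper_min(uint8_t proto)
{
    switch (proto) {
    case 6:  return 20;  /* TCP without options */
    case 17: return 8;   /* UDP */
    case 58: return 4;   /* ICMPv6 type, code, checksum */
    default: return 0;   /* unknown protocol: nothing more to verify */
    }
}

/* pkt/len: a received fragment with Fragment Offset 0, starting at the
 * fixed IPv6 header. COMPLETE only if the whole chain lies inside it. */
int first_frag_chain_complete(const uint8_t *pkt, size_t len)
{
    size_t off = 40, hlen;      /* 40 = fixed IPv6 header */
    uint8_t nxt;
    if (len < off)
        return CHAIN_TRUNCATED;
    nxt = pkt[6];               /* Next Header field of the fixed header */
    for (;;) {
        switch (nxt) {
        case 0: case 43: case 60: case 44: case 51: /* HbH, RH, DO, FH, AH */
            if (len - off < 2)
                return CHAIN_TRUNCATED;
            hlen = nxt == 44 ? 8 : nxt == 51 ? (pkt[off + 1] + 2u) * 4
                                             : (pkt[off + 1] + 1u) * 8;
            if (len - off < hlen)
                return CHAIN_TRUNCATED;
            nxt = pkt[off];     /* each of these starts with Next Header */
            off += hlen;
            break;
        case 59:                /* No Next Header ends the chain */
            return CHAIN_COMPLETE;
        default:                /* upper-layer header */
            return len - off >= upper_min(nxt) ? CHAIN_COMPLETE : CHAIN_TRUNCATED;
        }
    }
}

int main(void) { return first_frag_chain_complete(sample_frag, 64) != CHAIN_COMPLETE; }
```

A caller on the inbound path would drop a first fragment for which this returns CHAIN_TRUNCATED.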