IETF discusses deprecation of IPv6 fragmentation

Posted by   Virus Bulletin on   Jul 11, 2013

Little-used feature could have unintended security consequences.

As the Internet is (very) slowly migrating towards IPv6, researchers are reconsidering a little-used feature that allows for IPv6 packets to be fragmented by the sender and reassembled by the recipient.

Last year, we published an article on the security implications of the transition from IPv4 to IPv6. Some of these implications are a direct consequence of the incredibly large space of IP addresses: IP-based reputation services, such as DNS blacklists, will become a lot harder to maintain, while the fact that IPv6 does away with NAT makes any IPv6-connected device publicly routable - which will be greatly appreciated by those running botnets.

But IPv6 isn't merely IPv4 with a larger address space. It's a new protocol, where some of IPv4's properties have been removed (most notably the checksum, which is computed in a different layer), while new features have been added to allow for more flexibility. While this is a good thing, it also means that new software packages had to be written to deal with IPv6 packets - which are guaranteed to have vulnerabilities. It may also be that some of these new features have unintended consequences.

IPv4 headers IPv4 headers
 IPv4 and IPv6 packet headers (source: Wikimedia Commons).

I was reminded of this when I read a blog post by Arbor Networks' Bill Cerveny, who pointed to an IETF draft that proposes deprecating IPv6 fragment headers.

One feature of IPv6 is the ability of packets to be split up into fragments at the source and then reassembled at the destination. This allows for the sending of large packets, even if one of the links connecting destination and source happens to have a low Maximum Transmission Unit (MTU).

In practice, however, fragmentation and defragmentation of packets is resource intensive, and applications are encouraged instead to determine the path MTU: the smallest MTA of one of the links, or, as equivalent, the largest packet size that can be sent over the connection.

But it isn't merely inefficiency that is the problem with packet fragmentation: the IETF draft explains how fragmented packets can be used to bypass stateless firewalls that inspect each packet separately. Researchers have also found a number of ways in which cleverly crafted fragmentation packets can have unintended consequences and can, for instance, perform a DDoS attack on the recipient.

IETF discussions tend to take a long time and, as Cerveny points out, there are some cases where there may be no good alternatives to the use of IP fragments; hence it is far from clear whether packet fragmentation will end up being deprecated. And even if it is, we will have to wait and see if software will indeed stop allowing for IPv6 packets to be sent or received in fragments.

But it does point to a general issue with IPv6: as a new protocol, it is well possible that some of its lesser-known features, or their implementations in software, contain vulnerabilities. While it is good that security researchers are working hard to find such vulnerabilities, there will always be some that won't appear until they are being used in the wild.

For that reason, the rather slow adoption of IPv6 may actually be a blessing. True, it would be a disaster for the Internet if the migration were to stop - as we really will end up running out of IPv4 addresses. But to rush the migration to a new and relatively untested protocol would be even worse.

Posted on 11 July 2013 by Martijn Grooten



Latest posts:

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

New article: Dissecting the design and vulnerabilities in AZORult C&C panels

In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.