sockets, networking, tcp, network-protocols, ipv6

What are the benefits of removing fragmentation from IPv6?


I was working on a project that includes developing an application using Java sockets. While reading some fundamentals and about the upcoming IPv6 paradigm, I was motivated to ask the question below:

What are the benefits of removing fragmentation from IPv6?

It would be helpful if someone could help me understand why.

I have researched on the internet but haven't found any useful description.


Solution

  • Preface

    What are the benefits of removing fragmentation from IPv6?

    It is a common misunderstanding that there is no IPv6 fragmentation because the IPv6 header doesn't have the fragment-offset field that IPv4 does; however, it's not exactly accurate. IPv6 doesn't allow routers to fragment packets; however, end-nodes may insert an IPv6 fragmentation header [1].

    IPv4 Fragmentation and Security Vulnerabilities

    As RFC 5722 states [2], one of the problems with fragmentation is that it tends to create security holes. During the late 1990s there were several well-known attacks on Windows 95 that exploited overlapping IPv4 fragments [3]; furthermore, in-line fragmentation of packets is risky to burn into internet router silicon due to the long list of issues that must be handled. One of the biggest issues is that overlapping fragments buffered in a router (awaiting reassembly) could potentially cause a security vulnerability on that device if they are mishandled. The end result is that most router implementations push packets requiring fragmentation to software; this doesn't scale at large speeds.

    IPv4 Router Buffering of Fragments

    Another issue is that if IPv4 routers are configured to reassemble fragments, you must buffer them for a period of time until the rest are received. It is possible for someone to leverage this dynamic and send very large numbers of unfinished IP fragments, forcing the device in question to spend many resources waiting for an opportunity to reassemble.

    Summary

    In short, there are just too many hairy issues to allow a router to handle fragmentation. IPv6 host implementations should use TCP Path MTU discovery to avoid the need for fragmentation where possible; however, UDP is known to be fragmented for applications such as SNMP get-bulk. PMTUD also implies that several ICMPv6 messages need to be permitted end-to-end; interestingly, many IPv4 firewall admins block ICMP to guard against hostile network mapping (and then naively block all ICMPv6), not realizing that blocking all ICMP breaks things in subtle ways [4].


    END-NOTES

    1. See Section 4.5 of the Internet Protocol, Version 6 (IPv6) Specification

    2. From RFC 5722: Handling of Overlapping IPv6 Fragments:

      Commonly used firewalls use the algorithm specified in RFC1858 to weed out malicious packets that try to overwrite parts of the transport-layer header in order to bypass inbound connection checks. RFC1858 prevents an overlapping fragment attack on an upper-layer protocol (in this case, TCP) by recommending that packets with a fragment offset of 1 be dropped.
      While this works well for IPv4 fragments, it will not work for IPv6 fragments. This is because the fragmentable part of the IPv6 packet can contain extension headers before the TCP header, making this check less effective.

    3. See Teardrop attack (wikipedia)

    4. See RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls
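
An added example, not part of the original answer: a minimal Python parser for the Fragment header described in Section 4.5 of the IPv6 specification, with an end-node reassembly check that applies the RFC 5722 rule of discarding the entire datagram when any fragments overlap. The helper `build_fragment_header`, the verdict strings and the sample fragments are constructed for illustration.

```python
import struct

def parse_fragment_header(hdr: bytes) -> dict:
    """Parse the 8-byte IPv6 Fragment extension header."""
    if len(hdr) != 8:
        raise ValueError("IPv6 Fragment header is exactly 8 bytes")
    next_header, _reserved, off_flags, ident = struct.unpack("!BBHI", hdr)
    return {
        "next_header": next_header,       # protocol of the fragmentable part
        "offset": (off_flags >> 3) * 8,   # 13-bit field counts 8-octet units
        "more": bool(off_flags & 0x1),    # M flag: 1 = more fragments follow
        "id": ident,
    }

def build_fragment_header(next_header, offset, more, ident) -> bytes:
    """Hypothetical helper, used only to construct the sample fragments."""
    return struct.pack("!BBHI", next_header, 0, (offset // 8) << 3 | int(more), ident)

def reassemble(fragments):
    """fragments: list of (header_bytes, payload_bytes) that share one
    source, destination and identification. Returns (verdict, payload)."""
    spans, total = [], None
    for hdr, payload in fragments:
        h = parse_fragment_header(hdr)
        start, end = h["offset"], h["offset"] + len(payload)
        if h["more"] and len(payload) % 8:
            return "malformed", None      # non-final fragments are multiples of 8 octets
        if not h["more"]:
            total = end                   # the final fragment fixes the total length
        spans.append((start, end, payload))
    spans.sort(key=lambda s: s[:2])       # fragments may arrive in any order
    pos, out = 0, b""
    for start, end, payload in spans:
        if start < pos:
            return "overlap-drop", None   # RFC 5722: discard the entire datagram
        if start > pos:
            return "incomplete", None     # hole: keep buffering until a timeout
        out, pos = out + payload, end
    if total is None or pos != total:
        return "incomplete", None
    return "ok", out

# Constructed sample: a 24-byte payload (next header 6 = TCP) in three fragments.
DATA = bytes(range(24))
CLEAN = [(build_fragment_header(6, o, o < 16, 0xABCD), DATA[o:o + 8]) for o in (0, 8, 16)]
# The same datagram plus a constructed fragment that re-covers octets 8..15.
OVERLAP = CLEAN + [(build_fragment_header(6, 8, True, 0xABCD), b"\xff" * 8)]
```

This strict version also drops a datagram when an exact duplicate of a fragment arrives, since it treats any re-covered octet as an overlap.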