From: Ilya Bakulin
Date: Sat, 20 Dec 2014 23:40:37 +0100
To: freebsd-net@freebsd.org
Subject: IPv6 fragments handling
Message-ID: <5495FAE5.8090707@bakulin.de>

Hi list,

I've been running OpenBSD IPv6 fragmentation tests (regress/sys/netinet6/frag6) and noticed that FreeBSD doesn't drop the IPv6 packet if it receives a fragment that partially overlaps with already received data. The test that fails is frag6_overhead0.py, but also frag6_overhead.py.

There is RFC 5722, which explicitly says to discard such packets [1]:

------------------------------------------------
4. Node Behavior

IPv6 nodes transmitting datagrams that need to be fragmented MUST NOT create overlapping fragments.

When reassembling an IPv6 datagram, if one or more its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments, including those not yet received) MUST be silently discarded.

Nodes MAY also provide mechanisms to track the reception of such packets, for instance, by implementing counters or alarms relating to these events.
------------------------------------------------

But what we do is just silently discard the overlapping segment, see [2]. When using PF with fragment reassembly, the behavior changes to what the RFC says and the packet is completely dropped.

There is no security issue with the current behavior, because the already received part is never overwritten, but following the RFC a bit more closely would be nice.

Maybe we should fix the stack to drop such packets?

[1] https://tools.ietf.org/html/rfc5722#section-4
[2] https://github.com/freebsd/freebsd/blob/master/sys/netinet6/frag6.c#L443
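
A simplified model of the two reassembly behaviours compared in the message above, added here as an illustration; it is not part of the original post and is not FreeBSD's frag6.c. The names `Fragment`, `Reassembler`, `reassemble` and `SAMPLE` are hypothetical, and the model assumes that any byte-range intersection, exact duplicates included, counts as an overlap.

```python
from dataclasses import dataclass, field

@dataclass
class Fragment:
    offset: int   # byte offset into the fragmentable part
    data: bytes
    more: bool    # M flag: more fragments follow

@dataclass
class Reassembler:
    rfc5722: bool                 # True: an overlap discards the whole datagram
    frags: list = field(default_factory=list)
    discarded: bool = False
    overlaps: int = 0             # counter of the kind the RFC says nodes MAY keep

    def input(self, f):
        """Queue one fragment; return the payload once complete, else None."""
        if self.discarded:        # later fragments of a discarded datagram go too
            return None
        end = f.offset + len(f.data)
        if any(f.offset < g.offset + len(g.data) and g.offset < end
               for g in self.frags):
            self.overlaps += 1
            if self.rfc5722:
                self.frags.clear()
                self.discarded = True
            return None           # in both modes the overlapping fragment is not queued
        self.frags.append(f)
        self.frags.sort(key=lambda g: g.offset)
        pos = 0
        for g in self.frags:
            if g.offset != pos:
                return None       # hole: still waiting
            pos += len(g.data)
        if self.frags[-1].more:
            return None           # last fragment not seen yet
        return b"".join(g.data for g in self.frags)

def reassemble(rfc5722, fragments):
    """Feed fragments in arrival order; return (payload or None, overlap count)."""
    r = Reassembler(rfc5722)
    payload = None
    for f in fragments:
        payload = r.input(f) or payload
    return payload, r.overlaps

# Constructed sample: the second fragment overlaps bytes 8..15 of the first.
SAMPLE = [Fragment(0, b"A" * 16, True),
          Fragment(8, b"B" * 16, True),
          Fragment(16, b"C" * 8, False)]
```

`reassemble(False, SAMPLE)` delivers the datagram with the first-received bytes intact and the overlapping fragment ignored, while `reassemble(True, SAMPLE)` delivers nothing, which is the outcome RFC 5722 section 4 requires.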