[ipv6hackers] funny FreeBSD bug

Fernando Gont fgont at si6networks.com
Thu Jul 26 20:10:50 CEST 2012


Hi, Marc,

On 07/26/2012 12:35 PM, Marc Heuse wrote:
> I found a funny bug in FreeBSD (9.0 with all updates):
> if you send an ICMP toobig message to it with a too low MTU size,
> FreeBSD will prepend any packet data with a one-shot fragment (or
> atomic fragment as Fernando calls it).
> 
>   IPv6Hdr
>   Frag Hdr Offset 0, No more Frags Bit set
>   ICMP6/TCP/UDP

This is not a bug, but intended behaviour. It is meant to handle the
case of v6/v4 translators. A translator may receive an IPv6 packet that
needs to be fragmented before sending it to the IPv4 world. In that
case, it may send an ICMPv6 PTB with an MTU<1280. This will cause the
IPv6 sending host to include a Fragment Header in each packet, thus
selecting an appropriate Fragment ID. When the translator receives such
fragments, it will use the received Fragment ID for the IPv4 fragments.

The aforementioned behavior is required by stateless translators.

See slide 35 of
<http://www.si6networks.com/presentations/just4meeting2012/fgont-just4meeting2012-recent-advances-in-ipv6-security.pdf>
for a list of systems that support this behavior.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
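
Added example, not part of the original thread: a Python classifier that recognises the two packet shapes discussed above, an ICMPv6 Packet Too Big advertising an MTU below 1280 and the atomic fragment (Fragment Header with offset 0 and M=0) sent in response. The function names and all sample packets are constructed for illustration; the samples are byte strings only and their checksums are left at zero.

```python
import struct

IPV6_MIN_MTU = 1280
EXT_HDRS = {0, 43, 60}            # hop-by-hop, routing, destination options
NH_FRAGMENT, NH_ICMPV6, ICMP6_PTB = 44, 58, 2

def classify(pkt: bytes) -> str:
    """Label a raw IPv6 packet: atomic-fragment, fragment, ptb-below-min-mtu, other."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "other"
    nh, off = pkt[6], 40
    while off + 8 <= len(pkt):
        if nh in EXT_HDRS:         # skip: length is in 8-octet units, minus the first
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == NH_FRAGMENT:
            (field,) = struct.unpack_from("!H", pkt, off + 2)
            offset, more = field >> 3, field & 1
            return "atomic-fragment" if offset == 0 and not more else "fragment"
        elif nh == NH_ICMPV6 and pkt[off] == ICMP6_PTB:
            (mtu,) = struct.unpack_from("!I", pkt, off + 4)
            return "ptb-below-min-mtu" if mtu < IPV6_MIN_MTU else "other"
        else:
            break
    return "other"

# --- constructed sample packets (checksums left at 0; never sent anywhere) ---
def ipv6(nh: int, payload: bytes) -> bytes:
    addr = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1 (documentation prefix)
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + addr + addr + payload

def frag_hdr(nh: int, offset: int, more: int, ident: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)

ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)             # ICMPv6 echo request
ATOMIC = ipv6(44, frag_hdr(58, 0, 0, 0x1234ABCD) + ECHO)  # the layout quoted above
FIRST_FRAG = ipv6(44, frag_hdr(58, 0, 1, 0x1234ABCD) + ECHO)
PTB_1000 = ipv6(58, struct.pack("!BBHI", 2, 0, 0, 1000))  # PTB advertising MTU 1000
PTB_1400 = ipv6(58, struct.pack("!BBHI", 2, 0, 0, 1400))
HBH_ATOMIC = ipv6(0, bytes([44, 0]) + bytes(6) + frag_hdr(58, 0, 0, 7) + ECHO)

if __name__ == "__main__":
    for name in ("ATOMIC", "FIRST_FRAG", "PTB_1000", "PTB_1400", "HBH_ATOMIC"):
        print(f"{name:11s} {classify(globals()[name])}")
```

Seeing `ptb-below-min-mtu` followed by `atomic-fragment` traffic from the same host is the translator-support behaviour described in the reply, which is useful to know when writing filtering or IDS rules that treat fragments specially.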





