Assessing Modern Operating Systems' IPv6 Fragmentation Handling

IPv6 is the next (current?) generation Internet protocol. It has been designed to overcome many limitations of IPv4 and fix some of the issues and weaknesses. Nevertheless, IPv6 fragmentation presented many vulnerabilities similar to the IPv4 ones in the past: new testing models were presented to check the presence of such problems.

In this work, we demonstrate that IPv6 fragmentation issues are still present today in operating systems because of the weakness of the model used to test their compliance. We also propose a new model that overcomes these limitations.

This research is a joint work with Edoardo Di Paolo and prof. Angelo Spognardi.

Assessing Modern Operating Systems’ IPv6 Fragmentation Handling

The evolution of the Internet has brought about numerous advancements, but it has also given rise to vulnerabilities found within the IPv4 protocol. Issues stemming from IP fragmentation have been a persistent challenge, leading to a spectrum of potential attacks. While IPv6 aimed to address some of these concerns through modifications to fragmentation handling and the introduction of specific extension headers, the problems persist, as documented extensively in the literature.

One of the primary culprits behind these challenges is the issue of overlapping fragments. When these fragments are reassembled, they can give rise to unexpected or even malicious packets. In an attempt to mitigate this, RFC 5722 mandated that IPv6 hosts must silently drop the entire packet in the presence of overlapping fragments (including previous and future fragments of the same packet). Despite this directive, subsequent studies have cast doubt on the efficacy of these measures, leading to ongoing concerns about the security of IPv6 fragmentation.

The Need for a Comprehensive Assessment

Various methodologies have been proposed to determine whether IPv6 hosts are susceptible to overlapping fragments and related attacks. However, not all of these methods have proven complete or accurate.

We propose a novel model designed to assess IPv6 fragmentation handling, focusing specifically on the reassembling strategies employed by modern operating systems.

A Shift in Perspective: Fragment-Based Reassembly Policies

Previous models primarily considered the operating system’s reassembly policy as byte-based. However, a significant evolution has occurred in modern reassembly policies in operating systems. We discovered that network stacks have shifted towards a fragment-based approach nowadays, which makes previous models ineffective.

For example, the Shankar and Paxson model leverages the byte-based approach when A, B and D fragments are overlapping. The same overlapping will produce a false negative in the new fragment-based approach, indicating that an operating system implements the RFC correctly when, in fact, it does not.

Evaluating RFC-5722 and RFC-9099 Compliance

We propose a new model based on the Shankar and Paxson. Differently from Shankar and Paxson, the new model requires more fragmented packets to correctly assess whether the operating system correctly implements mitigation against this attack.

Using our model, we conducted an in-depth evaluation of modern operating systems to assess their compliance with RFC-5722 and RFC-9099 regarding fragmentation handling. The results of our study suggest that IPv6 fragmentation remains a potential threat, with some operating systems exhibiting vulnerabilities despite the established standards.

ESORICS 2023

This work has been accepted and presented at ESORICS 2023 conference in The Hague. A pre-print version is available at https://arxiv.org/abs/2309.03525.