From the SI6 Networks Blog ...Recently, we assessed the fragmentation and reassembly policies of some popular IPv6 implementations, such that we could evaluate the feasibility of IPv6-fragmentation-based insertion/evasion attacks with current IPv6 implementations (similar to those described by Ptacek and Newsham for IPv4). The aforementioned assessment was not "casual", but was mostly motivated by recent improvements in the IPv6 fragmentation and reassembly implementations of a number of popular IPv6 stacks. The improvements mostly fall into these categories:
- Forbidding overlapping fragments (RFC 5722)
- Improving the handling of IPv6 atomic fragments (draft-ietf-6man-ipv6-atomic-fragments)
- Improving the Fragment Identification generation policy (draft-gont-6man-ipv6-predictable-id)
As one might expect, all of these aspects are intimately related, and interact with each other in most scenarios.
This article discusses the first two items: the basic fragment reassembly policy of some popular IPv6 implementations (item #1 above) and the processing of IPv6 atomic fragments (item #2 above) of such implementations. Read the Blog entry.