Please consider setting setsockopt(IPV6_USE_MIN_MTU) on the IPv6 UDP socket, as per draft-andrews-dnsext-udp-fragmentation. Almost all DNS servers (BIND, Unbound, NSD, ...) set this option.
PMTUD on DNS/UDP is actually harmful because it causes many timeouts and resends if there is a small-MTU link (e.g. v6 over v4 tunnel) between server and clients.
The draft (draft-andrews-dnsext-udp-fragmentation) explains why IPV6_USE_MIN_MTU should be set on IPv6 UDP sockets by default (and many DNS implementations do it).
If the host is completely dedicated to (Knot) DNS, it's ok to set the MTU at the operating system level. --- Users (including me) usually want to configure the packet size per application.
There have been DNS cache poisoning attacks taking advantage of IP fragmentation. Forcing fragmentation sounds a bit dangerous. I also hope that some of the IPv6 issues the draft was addressing have already been resolved; the draft was written in 2012 (and expired the same year).
I have just a little operational experience with IPv6. I'll ask some more people for their opinion on this.
My conclusion is that forcing fragmentation can actually cause more harm. So I don't want to set this option by default for all sockets. We could add a compile-time or run-time option for this purpose. However, I think a better solution would be to add a separate config option for the IPv6 EDNS buffer size, as suggested by Anand.
I also wanted to check the implementation: it doesn't work with my current 4.5.7 Linux kernel. I'll try on FreeBSD soon.
I wrote a patch to disable PMTUD on UDP sockets for both IPv4 and IPv6 (Linux does PMTUD on UDP/IPv4 by default). This patch includes an extra bonus for mitigating the DNS fragmentation attack on IPv4 UDP, by using Linux's newer sockopt IP_PMTUDISC_OMIT. This patch always disables PMTUD, but feel free to modify it to make the feature optional.
One concern about the DNS fragmentation attack: the IPv6 ID field is 32 bits. If the IPv6 ID is unpredictable, that is the same security level as the normal TXID+port. I know older platforms didn't randomise the IPv6 ID (as Shulman pointed out), but secure (unpredictable IPv6 ID) implementations are already widely used. For example, many currently installed Linux distros include Linux > 3.1, which is secure [RFC7739]. RHEL (CentOS) 5/6 is based on an older kernel, but Red Hat has backported the randomisation patch to their RHEL kernel [1]. At least FreeBSD 9.0 and later is also secure [RFC7739], and 9.2 and older are already end of support.
Is it correct to set IPV6_PMTUDISC_OMIT on IPv6 sockets? My understanding is that IPV6_PMTUDISC_OMIT disables PMTUD for IPv6, but PMTUD is mandatory for IPv6. We don't need to implement the Shulman attack mitigation for IPv6 fragments if we are using Linux 3.1 / FreeBSD 9 or later.
In my patch, the strategies to prevent the PMTUD issues addressed in draft-andrews-dnsext-udp-fragmentation differ between IPv4 and IPv6:
- For IPv4, just ensure all outgoing UDP packets have DF=0 by:
  - setsockopt(IP_PMTUDISC_OMIT) (Linux 3.15 or later; includes the Shulman attack mitigation described below)
  - setsockopt(IP_PMTUDISC_DONT) (Linux < 3.15)
  - setsockopt(IP_DONTFRAG) (BSDs and others)
- For IPv6, ensure outgoing IPv6 packets are smaller than or equal to 1280 bytes.
The strategies to mitigate the Shulman fragmentation attack also differ between IPv4 and IPv6:
- For IPv4, ensure that packet fragmentation occurs if and only if fragmentation is needed: set all outgoing UDP packets to DF=0 and do not apply (possibly forged) Path MTU information, using setsockopt(IP_PMTUDISC_OMIT) (Linux 3.15 or later only).
- For IPv6, just recommend that users install a secure kernel (Linux > 3.1, FreeBSD > 9) which randomises the Identification field in IPv6 packets (or possibly keep the DNS UDP reply packet size <= 1280). In contrast to IPv4, just ignoring PMTU information (IPV6_PMTUDISC_OMIT) is not an acceptable solution because PMTUD is mandatory for IPv6. Furthermore, use of IPV6_PMTUDISC_OMIT is pointless since Linux 3.15 and later implements Identification field randomisation.
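The per-family strategy described in the thread, as an added example that is not code from the Knot DNS issue or from the patch discussed in it: IPv4 sockets get DF=0 (preferring IP_PMTUDISC_OMIT so forged Path MTU information is also ignored, falling back to IP_PMTUDISC_DONT and then to the BSD IP_DONTFRAG), while IPv6 sockets keep PMTUD on and are instead limited to 1280-byte datagrams. Every option name is guarded with `#ifdef` because they are platform specific; the fallback order, the helper names and the use of Linux's `IPV6_MTU` as a stand-in for `IPV6_USE_MIN_MTU` (which Linux does not provide) are this example's assumptions, not Knot's implementation.

```c
/* Added example (not from the Knot DNS issue or the patch discussed there):
 * configuring a DNS/UDP socket so Path MTU Discovery cannot cause the
 * timeouts or attacker-forced fragmentation discussed in the thread.
 * Option names are platform specific, so each is guarded with #ifdef;
 * the fallback order is this example's choice, not Knot's. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define DNS_IPV6_MIN_MTU 1280   /* the IPv6 minimum link MTU every path must carry */

/* IPv4: every outgoing datagram gets DF=0, so a small-MTU hop fragments the
 * packet instead of dropping it and answering with ICMP.  IP_PMTUDISC_OMIT
 * (Linux >= 3.15) also makes the kernel ignore the cached path MTU, so a
 * forged ICMP "fragmentation needed" cannot make the server fragment its own
 * replies (the Shulman attack).  Older kernels reject OMIT with EINVAL, so
 * fall back to IP_PMTUDISC_DONT (DF=0 only); BSDs clear IP_DONTFRAG instead.
 * Returns 0 on success, -1 on failure. */
static int udp4_disable_pmtud(int fd)
{
#if defined(IP_MTU_DISCOVER)
    int mode;
#if defined(IP_PMTUDISC_OMIT)
    mode = IP_PMTUDISC_OMIT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode) == 0)
        return 0;
#endif
    mode = IP_PMTUDISC_DONT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode);
#elif defined(IP_DONTFRAG)
    int off = 0;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &off, sizeof off);
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Read back the IPv4 PMTUD mode and report whether it leaves DF clear.
 * Returns 1 (DF cleared), 0 (PMTUD still on) or -1 (cannot tell). */
static int udp4_df_is_cleared(int fd)
{
#if defined(IP_MTU_DISCOVER)
    int mode;
    socklen_t len = sizeof mode;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, &len) != 0)
        return -1;
    if (mode == IP_PMTUDISC_DONT)
        return 1;
#if defined(IP_PMTUDISC_OMIT)
    if (mode == IP_PMTUDISC_OMIT)
        return 1;
#endif
    return 0;
#else
    (void)fd;
    return -1;
#endif
}

/* IPv6: PMTUD is mandatory, so it is not switched off.  Instead the socket
 * never emits a datagram above 1280 bytes, which every IPv6 link must carry,
 * so no Packet Too Big round trip can occur.  IPV6_USE_MIN_MTU (the BSD option
 * the draft asks for) does this directly; Linux lacks it, so this example uses
 * IPV6_MTU, which caps the MTU the socket fragments at.  Returns 0 or -1. */
static int udp6_use_min_mtu(int fd)
{
#if defined(IPV6_USE_MIN_MTU)
    int always = 1;             /* RFC 3542: 1 = use the minimum MTU for all destinations */
    return setsockopt(fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU, &always, sizeof always);
#elif defined(IPV6_MTU)
    int mtu = DNS_IPV6_MIN_MTU;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU, &mtu, sizeof mtu);
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Open a UDP socket of the given family and apply the matching strategy.
 * Returns 0 on success, -1 if an option was rejected, -2 when the host
 * cannot create such a socket (e.g. IPv6 disabled, sandboxed build). */
static int harden_dns_udp_socket(int family)
{
    int fd = socket(family, SOCK_DGRAM, 0);
    if (fd < 0)
        return -2;
    int rc = (family == AF_INET6) ? udp6_use_min_mtu(fd) : udp4_disable_pmtud(fd);
    if (rc == 0 && family == AF_INET && udp4_df_is_cleared(fd) == 0)
        rc = -1;                /* option accepted but PMTUD still active: treat as failure */
    close(fd);
    return rc;
}

int main(void)
{
    printf("IPv4 DF=0 / ignore PMTU : %d\n", harden_dns_udp_socket(AF_INET));
    printf("IPv6 max 1280 bytes     : %d\n", harden_dns_udp_socket(AF_INET6));
    return 0;
}
```

A server would call `harden_dns_udp_socket` once per listening socket right after `socket()` and before `bind()`. The IPv4 read-back matters in practice: a kernel older than 3.15 silently leaves the socket on IP_PMTUDISC_DONT, which still clears DF but does not ignore forged Path MTU updates, so the Shulman mitigation is only in effect when the mode read back is IP_PMTUDISC_OMIT.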