Security Implications of Predictable Fragment Identification Values
RFC 7739, “Security Implications of Predictable Fragment Identification Values”, is an Informational document published in February 2016 by F. Gont. The canonical text is published by the RFC Editor.
Abstract
IPv6 specifies the Fragment Header, which is employed for the fragmentation and reassembly mechanisms. The Fragment Header contains an "Identification" field that, together with the IPv6 Source Address and the IPv6 Destination Address of a packet, identifies fragments that correspond to the same original datagram, such that they can be reassembled together by the receiving host. The only requirement for setting the Identification field is that the corresponding value must be different than that employed for any other fragmented datagram sent recently with the same Source Address and Destination Address. Some implementations use a simple global counter for setting the Identification field, thus leading to predictable Identification values. This document analyzes the security implications of predictable Identification values, and provides implementation guidance for setting the Identification field of the Fragment Header, such that the aforementioned security implications are mitigated.
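The contrast the abstract draws, as an added example that is not code from the RFC or from any implementation: a global counter beside a per-destination keyed scheme in the spirit of the document's guidance, plus a check a defender can run over Identification values captured from one of their own hosts. The addresses, secret and hashing details are constructed assumptions.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

ID_MASK = 0xFFFFFFFF  # the Fragment Header Identification field is 32 bits


class GlobalCounterIds:
    """The scheme the abstract warns about: one counter shared by every destination."""

    def __init__(self, start: int = 0) -> None:
        self._counter = start

    def next_id(self, src: str, dst: str) -> int:
        self._counter = (self._counter + 1) & ID_MASK
        return self._counter


class PerDestinationIds:
    """Hypothetical simplification: a secret-keyed offset per (src, dst) plus a per-pair counter."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret if secret is not None else secrets.token_bytes(16)
        self._counters: Dict[Tuple[str, str], int] = {}

    def offset(self, src: str, dst: str) -> int:
        # A different starting point for every address pair, unknown without the secret.
        digest = hashlib.sha256(self._secret + src.encode() + b"|" + dst.encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def next_id(self, src: str, dst: str) -> int:
        count = self._counters.get((src, dst), 0)
        self._counters[(src, dst)] = (count + 1) & ID_MASK
        return (self.offset(src, dst) + count) & ID_MASK


def observe(gen, sends: List[Tuple[str, str]]) -> List[int]:
    """Identification values produced for a list of (src, dst) fragmented sends, in order."""
    return [gen.next_id(src, dst) for src, dst in sends]


def looks_like_global_counter(ids: List[int], max_step: int = 16) -> bool:
    """Defender's check: values sent to *different* destinations step by small amounts."""
    deltas = [(b - a) & ID_MASK for a, b in zip(ids, ids[1:])]
    return bool(deltas) and all(0 < d <= max_step for d in deltas)
```

Run `looks_like_global_counter` over Identification values captured from fragments a host of yours sends to two different destinations; a True result indicates the predictable global-counter behaviour the document describes.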
What “Informational” means
Published for the general information of the community. It does not define an IETF standard and carries no standards-track status.
The canonical text of RFC 7739 is hosted at rfc-editor.org and is available in TXT and HTML.