IPv6 Packet Identification
Internet-Draft (I-D)
Boeing Research & Technology, P.O. Box 3707, Seattle, WA 98124, USA
fltemplin@acm.org
Unlike Internet Protocol, version 4 (IPv4), Internet Protocol,
version 6 (IPv6) does not include an Identification field in the basic
packet header. Instead, IPv6 includes a 32-bit Identification field in a
Fragment Header extension since the architecture assumed that the sole
purpose for the Identification is to support the fragmentation and
reassembly process. This document asserts that per-packet
Identifications may be useful for other purposes, e.g., to allow
recipients to detect spurious packets that may have been injected into
the network by an attacker. But, rather than defining a new extension
header, this document recommends employing the existing Fragment Header
for per-packet identification even if the packet itself appears as an
"atomic fragment".
Atomic fragments are defined as "IPv6 packets that contain a Fragment
Header with the Fragment Offset set to 0 and the M flag set to 0". When an IPv6 source includes a Fragment Header
(i.e., either in an atomic fragment or in multiple fragments), only the
source itself and not an intermediate IPv6 node on the path is permitted
to alter its contents. This is mandated in the base IPv6 specification
which states "unlike IPv4, fragmentation in IPv6 is performed only by
source nodes, not by routers along a packet's delivery path".
IPv6 sources that include a Fragment Header include an unpredictable
Identification value with each packet. If the
IPv6 source and destination maintain a "window" of acceptable
Identification values, this may allow the destination to discern packets
originated by the true IPv6 source from spurious packets injected into
the network by an attacker.
This document therefore asserts that IPv6 sources are permitted to
include a Fragment Header in their packet transmissions (i.e., whether
as atomic fragments or in multiple fragments) as long as they include
suitable unpredictable Identification values. This includes IPv6
"jumbograms" (i.e., packets larger than 65,535 octets), which can only be prepared as atomic fragments since
they are not eligible for fragmentation. Since the current jumbogram
specification forbids sources from including a Fragment Header of any
kind, this document updates that specification.
When IPv6 sources and destinations have some way of maintaining
"windows" of acceptable Identification values, the destination may be
able to examine received packet Identifications to determine whether
they likely originated from the source. The AERO and OMNI specifications discuss methods for
maintaining windows of unpredictable values that may reduce attack
profiles in some environments.
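The following is an added example, not code from this document or from the AERO/OMNI specifications. It encodes and decodes the IPv6 Fragment Header (so that an atomic fragment can be recognised by its Fragment Offset of 0 and M flag of 0) and then models one possible "window" scheme on the receiving side: the source picks an unpredictable random starting Identification that the destination is assumed to learn out of band, emits consecutive values modulo 2^32, and the destination accepts a packet only if its Identification falls within a bounded window around the highest value accepted so far and has not been seen before. The window scheme, the shared-start assumption, the window size of 64 and the sample Next Header value are all assumptions for illustration; the AERO/OMNI mechanisms differ in detail. Wrap-around past 2^32 is handled by tracking unwrapped positions relative to the shared start.

```python
import os
import struct

FRAGMENT_HEADER_LEN = 8     # the IPv6 Fragment Header is always 8 octets
NEXT_HEADER_UDP = 17        # constructed sample upper-layer protocol number
MOD = 1 << 32               # Identification is a 32-bit field


def build_fragment_header(next_header, identification, offset=0, more=False):
    """Encode an IPv6 Fragment Header. With offset=0 and more=False the
    packet is an atomic fragment (Fragment Offset 0, M flag 0)."""
    if not 0 <= offset < (1 << 13):
        raise ValueError("Fragment Offset is a 13-bit field")
    offset_res_m = (offset << 3) | (1 if more else 0)   # 13-bit offset, 2 reserved bits, M flag
    return struct.pack("!BBHI", next_header, 0, offset_res_m, identification % MOD)


def parse_fragment_header(hdr):
    """Decode the first 8 octets as a Fragment Header and report whether the
    packet is an atomic fragment."""
    if len(hdr) < FRAGMENT_HEADER_LEN:
        raise ValueError("truncated Fragment Header")
    next_header, _reserved, offset_res_m, ident = struct.unpack(
        "!BBHI", hdr[:FRAGMENT_HEADER_LEN])
    offset, more = offset_res_m >> 3, bool(offset_res_m & 1)
    return {"next_header": next_header, "offset": offset, "more": more,
            "identification": ident, "atomic": offset == 0 and not more}


class IdentificationSource:
    """Sender side (assumed scheme): an unpredictable random starting value,
    then consecutive values modulo 2^32."""

    def __init__(self, start=None):
        self.next = start if start is not None else int.from_bytes(os.urandom(4), "big")

    def emit(self):
        ident = self.next
        self.next = (self.next + 1) % MOD
        return ident


class IdentificationWindow:
    """Receiver side (assumed scheme): accept an Identification only if it lies
    within `size` values of the highest value accepted so far and has not been
    seen before. Positions are tracked as unwrapped indices relative to the
    shared start so that wrap-around past 2^32 is handled."""

    def __init__(self, start, size=64):
        self.start = start % MOD
        self.size = size
        self.top = -1        # index of highest accepted value; -1 means none yet
        self.seen = set()    # indices accepted inside the current window

    def _index(self, ident):
        rel = (ident - self.start) % MOD
        anchor = max(self.top, 0)
        cycle = anchor - (anchor % MOD)   # start of the 2^32 cycle containing top
        candidates = [c for c in (cycle + rel - MOD, cycle + rel, cycle + rel + MOD) if c >= 0]
        return min(candidates, key=lambda c: abs(c - anchor))

    def accept(self, ident):
        """Return True if the packet should be accepted, False if it looks spurious."""
        idx = self._index(ident)
        if idx > self.top + self.size or idx <= self.top - self.size or idx in self.seen:
            return False
        self.seen.add(idx)
        if idx > self.top:
            self.top = idx
            self.seen = {s for s in self.seen if s > self.top - self.size}
        return True


def demo():
    """Three genuine packets followed by one injected packet whose
    Identification is far outside the window (constructed scenario)."""
    src = IdentificationSource()
    dst = IdentificationWindow(src.next)   # starting value assumed shared out of band
    results = []
    for _ in range(3):
        pkt = build_fragment_header(NEXT_HEADER_UDP, src.emit()) + b"constructed payload"
        results.append(dst.accept(parse_fragment_header(pkt)["identification"]))
    forged = build_fragment_header(NEXT_HEADER_UDP, (src.next + 100000) % MOD)
    results.append(dst.accept(parse_fragment_header(forged)["identification"]))
    return results   # [True, True, True, False]


if __name__ == "__main__":
    print(demo())
```

The window check is deliberately bounded in both directions: a value far ahead of the highest accepted one is rejected just like a stale or replayed one, so an injected packet has to land inside a small window of a 32-bit space to be accepted. Reordering within the window is tolerated, which is why accepted indices are remembered until they fall behind the window rather than the receiver insisting on strictly increasing values.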
The following updates to the jumbogram specification are requested:
Section 3, third paragraph, change: "The Jumbo Payload option
must not be used in a packet that carries a Fragment header" to:
"The Jumbo Payload option must not be used in a packet that carries
a non-atomic Fragment header".
Section 3, in the list of errors, change: "error: Jumbo Payload
option present and Fragment header present" to: "error: Jumbo
Payload option present and non-atomic Fragment header present".
Add [RFC6946] to Informative References.
This document has no IANA considerations.
Communications networking security is necessary to preserve
confidentiality, integrity and availability.
This work was inspired by ongoing AERO/OMNI/DTN investigations.