ProxySG drops TCP SYN-ACK when an IPv6 Fragment header with no additional fragment is received


Article ID: 169423

Products

ProxySG Software - SGOS

Issue/Introduction

ProxySG will drop a TCP SYN-ACK when the packet received from a remote device carries an IPv6 Fragment header that indicates no additional fragments (offset 0, More Fragments not set).

  No.    Time      Source                                      Destination                            SrcPort DstPort Protocol Info
    243 5.866     fd00::dead:fee1:cb1                  fd00::123:226:b9ff:fe84:cb1 41465   80        TCP        41465 > http [SYN]
>  250 6.142     fd00::123:226:b9ff:fe84:cb1     fd00::dead:fee1:cb1              80         41465  TCP        http > 41465 [SYN, ACK]
    327 8.848     fd00::dead:fee1:cb1                  fd00::123:226:b9ff:fe84:cb1 41465   80        TCP        41465 > http [SYN]
    328 8.856     fd00::123:226:b9ff:fe84:cb1     fd00::dead:fee1:cb1              80         41465  TCP        http > 41465 [SYN, ACK]
    459 12.099   fd00::dead:fee1:cb1                  fd00::123:226:b9ff:fe84:cb1 41465   80        TCP        41465 > http [SYN]
    460 12.110   fd00::123:226:b9ff:fe84:cb1     fd00::dead:fee1:cb1              80         41465  TCP        http > 41465 [SYN, ACK]
    648 15.349   fd00::dead:fee1:cb1                  fd00::123:226:b9ff:fe84:cb1 41465   80        TCP        41465 > http [SYN]
    649 15.358   fd00::123:226:b9ff:fe84:cb1     fd00::dead:fee1:cb1              80         41465  TCP        http > 41465 [SYN, ACK]


Frame 250: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)
Internet Protocol Version 6, Src: fd00::123:226:b9ff:fe84:cb1 (fd00::123:226:b9ff:fe84:cb1), Dst: fd00::dead:fee1:cb1 (fd00::dead:fee1:cb1)
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
        .... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
        .... .... ...0 .... .... .... .... .... = ECN-CE: Not set
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 40
    Next header: IPv6 fragment (0x2c)
    Hop limit: 51
    Source: fd00::123:226:b9ff:fe84:cb1 (fd00::123:226:b9ff:fe84:cb1)
    Destination: fd00::dead:fee1:cb1 (fd00::dead:fee1:cb1)
>   Fragmentation Header
        Next header: TCP (0x06)
        0000 0000 0000 0... = Offset: 0 (0x0000)
>       .... .... .... ...0 = More Fragment: No
        Identification: 0x00005971
Transmission Control Protocol, Src Port: http (80), Dst Port: 31337 (41465), Seq: 0, Ack: 1, Len: 0

In the capture above, ProxySG (fd00::dead:fee1:cb1) sends a TCP SYN to fd00::123:226:b9ff:fe84:cb1, which responds with a TCP SYN-ACK (frame 250). However, at the IPv6 layer that SYN-ACK carries a Fragment header with Offset 0 and More Fragment = No, i.e. the entire datagram is contained in this one "fragment".

Even though RFC 2460 does not explicitly state whether a single, unfragmented packet carrying a Fragment header (later termed an "atomic fragment" in RFC 6946) should be accepted or rejected, SGOS treats it as an invalid Fragment header and drops the packet. The SYN-ACK therefore never reaches the TCP stack, and ProxySG keeps retransmitting the SYN, as seen in frames 327, 459 and 648.
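As an added illustration (not part of the original article), the following Python walks the IPv6 extension-header chain of a raw packet and reports whether a Fragment header is present and, if so, whether it is an atomic fragment (Offset 0, More Fragments clear) like the one in frame 250. The packet bytes are constructed here to mirror that frame's addresses, hop limit and fragment fields, with a minimal 20-byte TCP header in place of the capture's 32-byte one; this is useful for scanning a pcap for the kind of SYN-ACK that SGOS discards.

```python
import struct
import ipaddress

IPV6_FRAGMENT = 44  # Next Header value of the IPv6 Fragment header (0x2c in the capture)
TCP = 6
# Extension headers that share the (Next Header, Hdr Ext Len) layout and may precede Fragment
GENERIC_EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options


def classify_ipv6_fragment(pkt: bytes):
    """Walk the IPv6 extension-header chain and describe any Fragment header found.

    Returns None when the packet has no Fragment header; otherwise a dict with the
    fragment fields and a 'kind': 'atomic' (Offset 0 and More Fragments clear, i.e.
    the whole datagram is in one piece, as in frame 250), 'first', 'middle' or 'last'.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = pkt[6], 40
    while next_hdr in GENERIC_EXT_HEADERS:
        # Hdr Ext Len counts 8-octet units beyond the first 8 octets
        next_hdr, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    if next_hdr != IPV6_FRAGMENT:
        return None
    frag_next, _reserved, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
    offset, more = off_flags >> 3, bool(off_flags & 0x1)  # offset is in 8-octet units
    if offset == 0:
        kind = "first" if more else "atomic"
    else:
        kind = "middle" if more else "last"
    return {"kind": kind, "offset": offset, "more": more, "id": ident,
            "next_header": frag_next, "payload_offset": off + 8}


def build_atomic_fragment_syn_ack() -> bytes:
    """Constructed packet mirroring frame 250 (addresses, hop limit, fragment fields),
    with a minimal 20-byte TCP header instead of the 32-byte one in the capture."""
    src = ipaddress.IPv6Address("fd00::123:226:b9ff:fe84:cb1").packed
    dst = ipaddress.IPv6Address("fd00::dead:fee1:cb1").packed
    # TCP: sport 80, dport 41465, seq 0, ack 1, data offset 5, flags SYN|ACK (0x12), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 80, 41465, 0, 1, 5 << 4, 0x12, 65535, 0, 0)
    # Fragment header: Next Header TCP, reserved, Offset 0 with M=0, Identification 0x5971
    frag = struct.pack("!BBHI", TCP, 0, 0, 0x5971)
    # IPv6 base header: version 6, traffic class/flow label 0, payload length, Next Header 44, hop limit 51
    ip6 = struct.pack("!IHBB", 6 << 28, len(frag) + len(tcp), IPV6_FRAGMENT, 51) + src + dst
    return ip6 + frag + tcp
```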