This documentation has been moved
IPv6 Virtual Fragmentation Reassembly
Download this chapter
IPv6 Virtual Fragmentation ReassemblyIPv6 Virtual Fragmentation Reassembly
 Feedback

Table Of Contents

IPv6 Virtual Fragmentation Reassembly

Finding Feature Information

Contents

Restrictions for IPv6 Virtual Fragmentation Reassembly

About IPv6 Virtual Fragmentation Reassembly

VFR Detection of Fragment Attacks

Configuring IPv6 Virtual Fragmentation Reassembly

Configuration Example for IPv6 Virtual Fragmentation Reassembly

Additional References

Related Documents

Standards

MIBs

Technical Assistance

Feature Information for Implementing IPv6 Virtual Fragmentation Reassembly


IPv6 Virtual Fragmentation Reassembly

First Published: July 25, 2011
Last Updated: September 1, 2011

This document describes the IPv6 Virtual Fragmentation Reassembly (VFR) feature.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Implementing IPv6 Virtual Fragmentation Reassembly" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Restrictions for IPv6 Virtual Fragmentation Reassembly

About IPv6 Virtual Fragmentation Reassembly

Configuring IPv6 Virtual Fragmentation Reassembly

Configuration Example for IPv6 Virtual Fragmentation Reassembly

Additional References

Feature Information for Implementing IPv6 Virtual Fragmentation Reassembly

Restrictions for IPv6 Virtual Fragmentation Reassembly

VFR causes a performance impact because of functions such as packet copying, fragment validation, and fragment reorder. This performance impact varies depending on the number of concurrent IP datagrams that are being reassembled.

VFR should not be enabled on a router that is on an asymmetric path. The reassembly process requires all of the fragments within an IPv6 datagram. Routers placed in the asymmetric path may not receive all of the fragments, so the fragment reassembly will fail.

About IPv6 Virtual Fragmentation Reassembly

Fragmentation is a process of breaking down an IPv6 datagram into smaller packets to be transmitted over different types of network media. Noninitial fragments of a fragmented IPv6 packet are used to pass through stateful network address translation 64 (NAT64) without any examination due to the lack of the L4 header, which usually is only available on the initial fragment.

IPv6 VFR works with NAT64 to collect fragments and provide L4 info for all fragments for NAT64 features. By default, NAT64 enables and disables IPv6 VFR internally; that is, when NAT64 is enabled on an interface, IPv6 VFR is automatically enabled on that interface.

If more than one feature attempts to automatically enable VFR on an interface, VFR will maintain a reference count to keep track of the number of features that have enabled VFR. When the reference count is reduced to 0, VFR is automatically disabled.

Caution IPv6 VFR is automatically enabled by a feature that needs IPv6 VFR support. If IPv6 VFR is enabled manually, it will occupy extra bandwidth and cause slow performance.

VFR Detection of Fragment Attacks

The IPv6 VFR provides validation against attacks involving fragments. When VFR detects a possible attack, it can log an alert message and drop the fragmented packets.

IPv6 VFR detects and prevents the following types of fragment attacks:

Tiny fragment attack—In a tiny fragment attack, the attacker makes the fragment size small enough to force Layer 4 (TCP and UDP) header fields into the second fragment. Therefore, the ACL rules that have been configured for those fields will not match. VFR drops all tiny fragments, and an alert message such as "VFR-3-TINY_FRAGMENTS" is logged to the syslog server.

Overlapping fragment attack—In an overlapping fragment attack, the attacker can overwrite the fragment offset in the noninitial IPv6 fragment packets. When the firewall reassembles the IPv6 fragments, it might create the wrong IPv6 packets, causing the memory to overflow or the system to reload. VFR drops all fragments within a fragment chain if an overlap fragment is detected.

Buffer overflow attack—In this type of denial of service (DoS) attack, the attacker can continuously send a large number of incomplete IPv6 fragments, causing the firewall to lose time and memory while trying to reassemble the fake packets.

To avoid buffer overflow and control memory use, configure a maximum threshold for the number of IPv6 datagrams that are being reassembled and the number of fragments per datagram. Use the ipv6 virtual-reassembly command to specify these parameters.

When the maximum number of datagrams that can be reassembled at any given time is reached, all subsequent fragments are dropped, and the global statistics item "ReassDrop" is incremented by 1. When the maximum number of fragments per datagram is reached, subsequent fragments are dropped, and the global statistics item "ReassTooManyFrags" is incremented by 1.

In addition to the maximum threshold values, each IPv6 datagram is associated with a managed timer. If the IPv6 datagram does not receive all of the fragments within the specified time, the timer expires, and the IPv6 datagram and all of its fragments are dropped.

Configuring IPv6 Virtual Fragmentation Reassembly

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ipv6 virtual-reassembly [in | out] [max-reassemblies maxreassemblies] [max-fragments max-fragments] [timeout seconds] [drop-fragments]

5. exit

6. show ipv6 virtual-reassembly interface interface-type

7. show ipv6 virtual-reassembly features interface interface-type

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface gigabitethernet 3/1/1

Specifies an interface type and number, and places the router in interface configuration mode.

Step 4 

ipv6 virtual-reassembly [in | out] [max-reassemblies maxreassemblies] [max-fragments max-fragments] [timeout seconds] [drop-fragments]

Example:

Router(config-if)# ipv6 virtual-reassembly max-reassemblies 32 max-fragments 4 timeout 7

Enables VFR on an interface.

Step 5 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode and places the router in global configuration mode.

Enter this command twice to reach privileged EXEC mode.

Step 6 

show ipv6 virtual-reassembly interface interface-type

Example:

Router# show ipv6 virtual-reassembly interface e1/1/1

Displays VFR configuration and statistical information on a specific interface.

Step 7 

show ipv6 virtual-reassembly features interface interface-type

Example:

Router# show ipv6 virtual-reassembly features

Displays VFR information on all interfaces or on a specified interface.


Configuration Example for IPv6 Virtual Fragmentation Reassembly 

Router# show ipv6 virtual-reassembly interface gigabitethernet1/1/1

GigabitEthernet1/1/1: 

IPv6 Virtual Fragment Reassembly (VFR) is ENABLED(in)

Concurrent reassemblies (max-reassemblies): 64

Fragments per reassembly (max-fragments): 16

Reassembly timeout (timeout): 3 seconds

Drop fragments: OFF

Current reassembly count: 0

Current fragment count: 0

Total reassembly count: 6950

Total reassembly timeout count: 9

GigabitEthernet1/1/1: 

IPv6 Virtual Fragment Reassembly (VFR) is ENABLED(out)

Concurrent reassemblies (max-reassemblies): 64

Fragments per reassembly (max-fragments): 16

Reassembly timeout (timeout): 3 seconds

Drop fragments: OFF

Current reassembly count: 0

Current fragment count: 0

Total reassembly count: 0

Total reassembly timeout count: 0

Additional References

Related Documents

Related Topic
Document Title

Stateful network address translation 64 (NAT64)

Stateful Network Address Translation 64

IPv4 VFR

Virtual Fragment Reassembly

IPv6 supported features

"Start Here: Cisco IOS XE Software Release Specifics for IPv6 Features," Cisco IOS XE IPv6 Configuration Guide

Basic IPv6 configuration tasks

"Implementing IPv6 Addressing and Basic Connectivity," Cisco IOS XE IPv6 Configuration Guide

IPv6 commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS IPv6 Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


Technical Assistance

Description
Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html


Feature Information for Implementing IPv6 Virtual Fragmentation Reassembly

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for IPv6 Virtual Fragmentation Reassembly 

Feature Name
Releases
Feature Information

IPv6 Virtual Fragmentation Reassembly

Cisco IOS XE Release 3.4S

The IPv6 VFR feature provides the ability to collect the fragments and provide L4 info for all fragments for NAT64 features.


Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2002-2011 Cisco Systems, Inc. All rights reserved.