nanog mailing list archives
Re: Dropping IPv6 Fragments
From: Mark Andrews <marka () isc org>
Date: Fri, 05 Oct 2012 07:14:07 +1000
In message <C7E7DE67-F668-45B4-9D64-2058400DC161 () doubleshotsecurity com>, Merike Kaeo writes:
> On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote:
>
>> On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
>>
>>> The closer you get to the edge the more common it might become...
>>
>> iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - directed towards point-to-point links, loopbacks, and other internal infrastructure with exceptions made for cases where there's a legitimate need for sources outside your network to be able to communicate with your infrastructure.
>>
>> As mentioned previously on the thread, this has nothing to do with transit data-plane traffic, which should be left untouched unless it's specifically classified as attack traffic or other undesirable traffic.
>
> +1
>
>> There's an apparently common misperception that fragmented traffic is somehow bad. It isn't. It's normal, under most circumstances. Protect your infrastructure proactively, deal with anything else on a case-by-case basis.
>
> Same misconception as ICMP is bad....historical artifact from attacks in early 90's that just perpetuate in mythical best practice.
And it really hurts modern DNS where UDP responses often exceed Ethernet MTU. For IPv6, UDP DNS responses are often fragmented at 1280 to prevent PMTUD being needed. For IPv4, PMTUD should be off if your vendor followed the RFCs (known exceptions are Linux and Solaris boxes).

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
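The policy Roland describes (drop everything, non-initial fragments included, that is addressed to infrastructure prefixes from non-excepted sources, and leave transit traffic alone) and Mark's point about DNS responses being fragmented at the 1280-byte IPv6 minimum MTU can be shown together in a few dozen lines. The following is an added example written for this archive page, not code from the thread or from any of its participants. It parses the fixed IPv6 header and the Fragment extension header from raw bytes, applies an iACL-style verdict, and builds a constructed 1500-byte UDP DNS response split at 1280 bytes. The prefixes (`2001:db8:ffff::/48` for infrastructure, `2001:db8:0:1::/64` as the exception list) and all packet contents are assumed, documentation-range values.

```python
"""Toy IPv6 iACL classifier plus a minimum-MTU fragmenter (added example).

Only the standard library is used. Prefixes and packets are constructed
sample values, not anything from the NANOG thread.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HDR_FRAGMENT = 44
NEXT_HDR_UDP = 17
IPV6_MIN_MTU = 1280

# Assumed policy: loopbacks / point-to-point links live in one prefix; a
# management block is the only outside source allowed to reach them.
INFRA_PREFIXES = [ipaddress.ip_network("2001:db8:ffff::/48")]
EXCEPT_SOURCES = [ipaddress.ip_network("2001:db8:0:1::/64")]


def parse_ipv6(pkt: bytes) -> dict:
    """Return src, dst, upper-layer next header and fragment fields (if any)."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("short packet")
    vtf, _plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    info = {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": nh,
        "fragment": None,
    }
    if nh == NEXT_HDR_FRAGMENT:
        if len(pkt) < IPV6_HDR_LEN + 8:
            raise ValueError("truncated fragment header")
        # Fragment header: next, reserved, offset(13) | res(2) | M(1), identification
        fnh, _res, off_m, ident = struct.unpack("!BBHI", pkt[40:48])
        info["next_header"] = fnh
        info["fragment"] = {"offset": off_m >> 3, "more": bool(off_m & 1), "id": ident}
    return info


def iacl_verdict(pkt: bytes) -> str:
    """'drop' traffic to infrastructure from non-excepted sources, else 'permit'.

    Non-initial fragments carry no L4 header, so the decision is made on
    the IPv6 addresses alone; transit traffic is never touched.
    """
    p = parse_ipv6(pkt)
    if not any(p["dst"] in n for n in INFRA_PREFIXES):
        return "permit"
    if any(p["src"] in n for n in EXCEPT_SOURCES):
        return "permit"
    return "drop"


def build_ipv6(src: str, dst: str, payload: bytes, nh: int, frag=None) -> bytes:
    """Assemble an IPv6 packet; frag=(offset_in_8_octet_units, more, ident)."""
    if frag is not None:
        off, more, ident = frag
        payload = struct.pack("!BBHI", nh, 0, (off << 3) | int(more), ident) + payload
        nh = NEXT_HDR_FRAGMENT
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def fragment_at_min_mtu(src: str, dst: str, udp_datagram: bytes, ident: int = 0x1234) -> list:
    """Split a UDP datagram into IPv6 fragments of at most 1280 bytes each.

    Budget per fragment: 1280 - 40 (IPv6) - 8 (Fragment header) = 1232 bytes,
    which is already a multiple of 8 as the offset field requires.
    """
    chunk = (IPV6_MIN_MTU - IPV6_HDR_LEN - 8) // 8 * 8
    frags, off = [], 0
    while off < len(udp_datagram):
        piece = udp_datagram[off:off + chunk]
        more = off + chunk < len(udp_datagram)
        frags.append(build_ipv6(src, dst, piece, NEXT_HDR_UDP, (off // 8, more, ident)))
        off += chunk
    return frags


def demo() -> dict:
    """Constructed 1500-byte UDP datagram (8-byte UDP header + padding) standing
    in for a large DNS response, sent from an assumed resolver to three places."""
    dns_udp = b"\x00\x35\xd4\x31\x05\xdc\x00\x00" + b"\x00" * 1492
    transit = fragment_at_min_mtu("2001:db8:53::1", "2001:db8:1234::10", dns_udp)
    infra = fragment_at_min_mtu("2001:db8:53::1", "2001:db8:ffff::1", dns_udp)
    excepted = fragment_at_min_mtu("2001:db8:0:1::5", "2001:db8:ffff::1", dns_udp)
    return {
        "transit": [iacl_verdict(f) for f in transit],     # both fragments permitted
        "infra": [iacl_verdict(f) for f in infra],         # both fragments dropped
        "excepted": [iacl_verdict(f) for f in excepted],   # management source allowed
        "frag_count": len(transit),
        "first_len": len(transit[0]),
        "second_offset": parse_ipv6(transit[1])["fragment"]["offset"],
    }


if __name__ == "__main__":
    print(demo())
```

The verdict function deliberately never looks past the IPv6 addresses: that is what lets it treat a non-initial fragment, which has no UDP or TCP header to match on, the same way as the first fragment, while still leaving the transit data plane untouched. The fragmenter shows why a 1500-byte response becomes a 1280-byte first fragment plus a 316-byte second one when a resolver avoids PMTUD by fragmenting at the minimum MTU.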
Current thread:
- Re: Dropping IPv6 Fragments, (continued)
- Re: Dropping IPv6 Fragments Saku Ytti (Oct 04)
- Re: Dropping IPv6 Fragments Tom Taylor (Oct 04)
- Re: Dropping IPv6 Fragments Sander Steffann (Oct 04)
- Re: Dropping IPv6 Fragments Dobbins, Roland (Oct 04)
- Re: Dropping IPv6 Fragments joel jaeggli (Oct 04)
- Re: Dropping IPv6 Fragments Dobbins, Roland (Oct 04)
- Re: Dropping IPv6 Fragments joel jaeggli (Oct 04)
- Re: Dropping IPv6 Fragments Fernando Gont (Oct 04)
- Re: Dropping IPv6 Fragments Masataka Ohta (Oct 04)
- Re: Dropping IPv6 Fragments Saku Ytti (Oct 04)
- Re: Dropping IPv6 Fragments Merike Kaeo (Oct 04)
- Re: Dropping IPv6 Fragments Mark Andrews (Oct 04)
- Re: Dropping IPv6 Fragments Benno Overeinder (Oct 05)