nanog mailing list archives
Re: v6 DNSSEC fail, was Buying IPv4 blocks
From: Brandon Martin <lists.nanog () monmotha net>
Date: Fri, 5 Oct 2018 16:43:24 -0400
On 10/5/18 3:16 AM, Mark Andrews wrote:
> So require frag 0 to have what you require to do the filtering. Most stacks send maximal sized initial fragments up to 1280 bytes. For DNS the UDP header will be there as there is at least 8 bytes of fragmented packet. Additionally reassembly attacks are much harder as there is 32 bits of fragmentation identifier rather than 16 in IPv4. IPv6 fragmentation was designed with knowledge of the IPv4 reassembly attacks in mind.
You'll get no argument from me, here. This is not new nor are ways to deal with it unknown. Despite that, it's a common reason I hear for just blindly dropping all fragments. Personally, I consider such devices/stacks broken, but that doesn't mean we don't have to deal with them, unfortunately.
-- Brandon Martin
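The filtering approach Mark describes, "require frag 0 to have what you require", as an added example (not code from either poster): a small stateless IPv6 parser that reads the Fragment extension header, insists that the initial fragment carries the full 8-byte UDP header so ports can be checked, and lets non-initial fragments through instead of dropping every fragment. The DNS-only (UDP/53) policy, the addresses and the packets are constructed assumptions for the demonstration.

```python
import struct

NH_UDP = 17    # IPv6 Next Header value for UDP
NH_FRAG = 44   # IPv6 Next Header value for the Fragment extension header
DNS_PORT = 53  # assumed policy: only DNS is allowed through this filter

# Constructed documentation-prefix addresses (2001:db8::1 and ::2)
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6(src, dst, next_header, payload):
    """Build an IPv6 fixed header (40 bytes) in front of payload. Test data only."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return fixed + src + dst + payload


def build_ipv6_fragment(src, dst, inner_nh, offset, more, ident, payload):
    """Build an IPv6 packet carrying a Fragment header (RFC 8200 section 4.5).
    offset is in bytes and must be a multiple of 8; ident is the 32-bit ID."""
    assert offset % 8 == 0
    frag_hdr = struct.pack("!BBHI", inner_nh, 0, ((offset // 8) << 3) | int(more), ident)
    return build_ipv6(src, dst, NH_FRAG, frag_hdr + payload)


def parse_ipv6(pkt):
    """Parse the fixed header and, if present, a Fragment header.
    Returns (upper_layer_next_header, fragment_info_or_None, upper_layer_bytes)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]
    if nh != NH_FRAG:
        return nh, None, pkt[40:]
    if len(pkt) < 48:
        raise ValueError("truncated Fragment header")
    inner_nh, _res, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    info = {"offset": (off_flags >> 3) * 8, "more": bool(off_flags & 1), "ident": ident}
    return inner_nh, info, pkt[48:]


def dns_fragment_policy(pkt):
    """Stateless ACL decision for UDP/53 traffic that tolerates fragmentation."""
    nh, frag, upper = parse_ipv6(pkt)
    if nh != NH_UDP:
        return "drop: not UDP"
    if frag is not None and frag["offset"] > 0:
        # Non-initial fragment: no transport header to inspect here. Pass it and
        # let the destination's reassembly (keyed on the 32-bit ID) sort it out,
        # rather than blindly dropping every fragment.
        return "permit: non-initial fragment"
    # Initial fragment or unfragmented packet: the 8-byte UDP header must be
    # present, otherwise the ports cannot be checked and the packet is dropped.
    if len(upper) < 8:
        return "drop: initial fragment too short to carry UDP header"
    src_port, dst_port, _udp_len, _cksum = struct.unpack("!HHHH", upper[:8])
    if dst_port != DNS_PORT and src_port != DNS_PORT:
        return "drop: not DNS"
    return "permit: DNS"


def demo():
    """Run the policy over constructed packets; returns the list of decisions."""
    # Constructed 2008-byte DNS reply (UDP header + 2000 zero bytes), split at 1232
    udp = struct.pack("!HHHH", DNS_PORT, 40000, 8 + 2000, 0) + b"\x00" * 2000
    first = build_ipv6_fragment(SRC, DST, NH_UDP, 0, True, 0xDEADBEEF, udp[:1232])
    rest = build_ipv6_fragment(SRC, DST, NH_UDP, 1232, False, 0xDEADBEEF, udp[1232:])
    # Deliberately malformed "tiny" initial fragment: only 4 bytes of UDP header
    tiny = build_ipv6_fragment(SRC, DST, NH_UDP, 0, True, 0x1234, udp[:4])
    whole = build_ipv6(SRC, DST, NH_UDP, udp[:64])          # small unfragmented DNS packet
    other = build_ipv6(SRC, DST, NH_UDP,
                       struct.pack("!HHHH", 1234, 5678, 16, 0) + b"\x00" * 8)  # non-DNS UDP
    return [dns_fragment_policy(p) for p in (first, rest, tiny, whole, other)]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The interesting branch is the short initial fragment: a filter that only inspects fragment 0 must refuse a fragment 0 that does not contain the header it wants to inspect, which is exactly what makes it safe to forward the non-initial fragments it cannot inspect.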