Re: IPv6 Security Frequently Asked Questions (FAQ)

[Mark Andrews <marka () isc org>]

"Generation of IPv6 fragments in response to ICMPv6 PTB messages has been deprecated in the revised IPv6 specification"

IS INCORRECT

generation of fragments is “discouraged".  Discouraged and deprecated mean different thing.  

                                        However, the use of such
   fragmentation is discouraged in any application that is able to
   adjust its packets to fit the measured path MTU (i.e., down to 1280
   octets).

the whole of 4.4 is very badly worded and states things as fact which don’t
appear in RFC’s at all.

The adding of a fragmentation header for PTB <1280 has gone.  Fragmentation
down to 1280 is still supposed to happen in response to a PTB.  Packets still
have to flow through paths that narrow down to 1280.

> On 8 Mar 2019, at 5:42 pm, Fernando Gont <fgont () si6networks com> wrote:
>
> Folks,
>
> The Internet Society has posted the "IPv6 Security Frequently Asked
> Questions (FAQ)" I authored.
>
> The document is available (in HTML, and also easy-to-print PDF) at:
>
> https://www.internetsociety.org/deploy360/ipv6/security/faq/
>
> If you think there are other questions that should be added, or have
> comments on the answers, please do let me know -- the document can
> eventually be revised.
>
> Thanks!
>
> Cheers,
> -- 
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont () si6networks com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org