nanog mailing list archives
Re: Dropping IPv6 Fragments
From: Fernando Gont <fernando () gont com ar>
Date: Thu, 04 Oct 2012 15:15:46 -0400
Hi, Joel,

On 10/04/2012 10:58 AM, joel jaeggli wrote:
> So the thing I'd note is that stateless IPv6 ACLs or load balancing
> provide you with an interesting problem since a fragment does not
> contain the headers beyond the required unfragmentable headers.

In the real world, such packets are not legitimate, so feel free to drop them. draft-ietf-6man-oversized-header-chain formally addresses this issue.

> Likewise with the ACL I have the property that the initial packet has
> all the info in it while the fragment does not.

You're talking about initial-fragment vs non-initial fragments? -- If so, in theory *both* might be missing the upper layer information. In practice, the first-fragment won't. If it does, feel free to drop it.

Cheers,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
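The check discussed in the message above, as an added Python example that is not part of the original post or thread: it walks the IPv6 header chain of a single packet and reports whether a first fragment still carries the upper-layer header a stateless filter needs. The function names, the verdict strings and the `L4_MIN` byte thresholds are assumptions made for this example, and the packets are constructed.

```python
import struct

EXT = {0, 43, 60}                 # Hop-by-Hop, Routing, Destination Options
FRAG = 44                         # Fragment header
L4_MIN = {6: 20, 17: 8, 58: 4}    # assumed bytes of TCP/UDP/ICMPv6 header a filter needs

def classify(pkt: bytes) -> str:
    """Walk the header chain of one IPv6 packet the way a stateless filter would."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "malformed"
    nh, off, first_frag = pkt[6], 40, False
    while nh in EXT or nh == FRAG:
        if off + 8 > len(pkt):    # header chain runs past the end of this packet
            return "first-drop" if first_frag else "malformed"
        if nh == FRAG:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-initial"   # offset != 0: no upper-layer header expected
            first_frag, size = True, 8
        else:
            size = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + size
    have_l4 = len(pkt) - off >= L4_MIN.get(nh, 1)   # unknown protocol: any byte at all
    if not first_frag:
        return "unfragmented" if have_l4 else "malformed"
    return "first-ok" if have_l4 else "first-drop"

# Constructed packet builders (documentation-prefix addresses, fragment ID 1).
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def frag(next_header: int, offset: int, more: bool, data: bytes) -> bytes:
    return struct.pack("!BBHI", next_header, 0, offset << 3 | more, 1) + data

def dstopts(next_header: int, blocks: int) -> bytes:
    pad = blocks * 8 - 4          # one PadN option fills the rest of the header
    return bytes([next_header, blocks - 1, 1, pad]) + bytes(pad)

if __name__ == "__main__":
    samples = {
        "first fragment, UDP header present": ipv6(44, frag(17, 0, True, bytes(24))),
        "first fragment, header chain too long": ipv6(44, frag(60, 0, True, dstopts(17, 4))),
        "non-initial fragment": ipv6(44, frag(17, 3, False, bytes(16))),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```
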