nanog mailing list archives
Re: Dropping IPv6 Fragments
From: Benno Overeinder <benno () NLnetLabs nl>
Date: Fri, 05 Oct 2012 15:17:33 +0200
On 10/04/2012 04:36 PM, Dobbins, Roland wrote:
> On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
>
>> The closer you get to the edge the more common it might become...
>
> iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - directed towards point-to-point links, loopbacks, and other internal infrastructure, with exceptions made for cases where there's a legitimate need for sources outside your network to be able to communicate with your infrastructure.
>
> As mentioned previously on the thread, this has nothing to do with transit data-plane traffic, which should be left untouched unless it's specifically classified as attack traffic or other undesirable traffic.
>
> There's an apparently common misperception that fragmented traffic is somehow bad. It isn't. It's normal, under most circumstances.
>
> Protect your infrastructure proactively, deal with anything else on a case-by-case basis.
Two students worked on a project in June to measure fragment dropping in IPv6 (and IPv4) using the RIPE Atlas probe infrastructure. Their findings are consistent with Sander's remark. The core seems to do fine, but at the edges it is observed that some middleboxes/CPEs do drop IPv6 fragments. I think this is consistent with the remarks of Joel and Roland earlier on Cisco/Juniper iACL vs. simpler boxes in your network.

You can find the report at http://www.nlnetlabs.nl/downloads/publications/pmtu-black-holes-msc-thesis.pdf.

Best,

-- Benno

--
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
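As an added example, not code from this thread or from NLnet Labs, the iACL policy Roland describes evaluated over raw IPv6 packets in Python: transit traffic passes untouched (fragments included), while traffic to infrastructure addresses is default-deny with an explicit allowlist. The infrastructure prefix and the allowed (source, protocol) pair are assumed placeholders. Parsing the Fragment header shows why non-initial fragments aimed at infrastructure can only be dropped outright: their L4 header travelled in the first fragment, so there is nothing to match on.

```python
import ipaddress
import struct

# Assumed, made-up values: an infrastructure (loopback/P2P) prefix and one
# allowed (source, L4 protocol) pair, e.g. an eBGP peer speaking TCP.
INFRA = [ipaddress.ip_network("2001:db8:ffff::/48")]
ALLOW = {(ipaddress.ip_address("2001:db8:1::1"), 6)}
FRAG_HDR = 44  # IPv6 Fragment extension header (RFC 2460)


def parse(pkt: bytes):
    """Return (src, dst, l4_proto, frag_offset).

    l4_proto is None for a non-initial fragment: its L4 header travelled in
    the first fragment, so nothing here can be matched on ports.  Only the
    Fragment header is walked; other extension headers are out of scope.
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    nh = pkt[6]
    src = ipaddress.ip_address(pkt[8:24])
    dst = ipaddress.ip_address(pkt[24:40])
    if nh != FRAG_HDR:
        return src, dst, nh, 0
    if len(pkt) < 48:
        raise ValueError("truncated Fragment header")
    inner_nh = pkt[40]
    offset = struct.unpack("!H", pkt[42:44])[0] >> 3  # 13-bit, 8-octet units
    return src, dst, (inner_nh if offset == 0 else None), offset


def iacl(pkt: bytes) -> str:
    """Apply the edge iACL: transit untouched, infrastructure default-deny."""
    src, dst, proto, offset = parse(pkt)
    if not any(dst in net for net in INFRA):
        return "permit"  # transit data plane, fragments included
    if offset != 0:
        return "deny"  # non-initial fragment aimed at infrastructure
    return "permit" if (src, proto) in ALLOW else "deny"


def mk(src, dst, nh, frag_offset=None, inner_nh=6):
    """Construct a minimal IPv6 packet, optionally with a Fragment header."""
    plen = 8 if frag_offset is not None else 0
    hdr = struct.pack("!IHBB", 0x60000000, plen, nh, 64)
    hdr += ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    if frag_offset is None:
        return hdr
    return hdr + struct.pack("!BBHI", inner_nh, 0, frag_offset << 3, 0xBEEF)
```

An initial fragment (offset 0) still carries the L4 header and is matched against the allowlist like an unfragmented packet; only later fragments to infrastructure fall through to the blanket deny.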