nanog mailing list archives
Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
From: Saku Ytti <saku () ytti fi>
Date: Thu, 12 Jan 2017 21:31:53 +0200
On 12 January 2017 at 17:02, Fernando Gont <fgont () si6networks com> wrote:
That's the point: If you don't allow fragments, but your peer honors ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
Thanks. I think I got it now. Best I can offer is that B could try to verify the embedded original packet? Hopefully attacker won't have access to that information. An if attacker has access to that information, they may as well do TCP RST, right? Didn't we have same issues in IPv4 with ICMP unreachable and frag neeeded, DF set? And vendors implemented more verification if the ICMP message should be accepted. -- ++ytti
Current thread:
- ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Saku Ytti (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Mark Andrews (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Mark Andrews (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 13)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Mark Andrews (Jan 13)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Valdis . Kletnieks (Jan 13)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Saku Ytti (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Saku Ytti (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Saku Ytti (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Mark Andrews (Jan 12)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Fernando Gont (Jan 13)
- Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers) Mark Andrews (Jan 13)