nanog mailing list archives
Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
From: Fernando Gont <fgont () si6networks com>
Date: Thu, 12 Jan 2017 12:02:05 -0300
Hi, Saku,

On 01/12/2017 11:43 AM, Saku Ytti wrote:
> On 12 January 2017 at 13:19, Fernando Gont <fgont () si6networks com> wrote:
>
> Hey,
>
>> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
>> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
>> welcome).
>
> Generally may be understood differently by different people. If
> generally is defined as single most typical behaviour/configuration,
> then generally people don't protect their infrastructure in any way at
> all, but fully rely on the vendor doing something reasonable.
>
> I would argue BCP is to have 'strict' CoPP. Where you specifically
> allow what you must then have ultimate rule to deny everything. If you
> have such CoPP, then this attack won't work, as you clearly didn't
> allow any fragments at all (as you didn't expect to receive BGP
> fragments from your neighbours).

That's the point: If you don't allow fragments, but your peer honors
ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

--
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
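
An added example, not part of the original message: a Python check that a monitoring point could run over captured ICMPv6 messages to flag Packet Too Big messages advertising an MTU below 1280 whose embedded packet belongs to a BGP session (TCP port 179). The function names and the sample packet are constructed for illustration, and extension headers in the embedded packet are not walked.

```python
import ipaddress
import struct

ICMP6_PACKET_TOO_BIG = 2   # ICMPv6 message type for Packet Too Big
IPV6_MIN_MTU = 1280        # IPv6 minimum link MTU
NH_TCP = 6                 # IPv6 Next Header value for TCP
BGP_PORT = 179


def inspect_ptb(icmp6: bytes):
    """Return a finding dict for a Packet Too Big message, else None."""
    if len(icmp6) < 8:
        return None
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp6[:8])
    if msg_type != ICMP6_PACKET_TOO_BIG:
        return None
    finding = {"mtu": mtu, "below_min": mtu < IPV6_MIN_MTU,
               "bgp": False, "src": None, "dst": None}
    inner = icmp6[8:]  # the invoking packet, as far as the sender included it
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        finding["src"] = str(ipaddress.IPv6Address(inner[8:24]))
        finding["dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        # Assumption: TCP directly follows the fixed IPv6 header.
        if inner[6] == NH_TCP and len(inner) >= 44:
            sport, dport = struct.unpack("!HH", inner[40:44])
            finding["bgp"] = BGP_PORT in (sport, dport)
    return finding


def should_alert(finding):
    """Alert only on PTB<1280 that refers to a BGP session."""
    return bool(finding and finding["below_min"] and finding["bgp"])


def build_sample(mtu, sport, dport):
    """Constructed input: PTB wrapping a minimal IPv6+TCP header (checksums zeroed)."""
    src = ipaddress.IPv6Address("2001:db8::1").packed  # documentation prefix
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    ipv6 = struct.pack("!IHBB", 6 << 28, 20, NH_TCP, 64) + src + dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 0, 0, 0)
    return struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, mtu) + ipv6 + tcp


if __name__ == "__main__":
    for mtu, sport, dport in [(1000, 179, 50000), (1280, 179, 50000), (600, 443, 50000)]:
        f = inspect_ptb(build_sample(mtu, sport, dport))
        print(mtu, sport, dport, "ALERT" if should_alert(f) else "ok", f)
```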