nanog mailing list archives

Re: Dropping IPv6 Fragments


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 4 Oct 2012 14:36:28 +0000


On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:

> The closer you get to the edge the more common it might become...

iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - 
directed towards point-to-point links, loopbacks, and other internal infrastructure with exceptions made for cases 
where there's a legitimate need for sources outside your network to be able to communicate with your infrastructure.

As mentioned previously on the thread, this has nothing to do with transit data-plane traffic, which should be left 
untouched unless it's specifically classified as attack traffic or other undesirable traffic.

There's an apparently common misperception that fragmented traffic is somehow bad.  It isn't.  It's normal, under most 
circumstances.  Protect your infrastructure proactively, deal with anything else on a case-by-case basis.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
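The policy in the message above, reduced to code as an added example (not from the NANOG thread, Roland's text, or any vendor's ACL implementation): a small IPv6 header-chain parser that finds the Fragment extension header and an edge decision function that classifies each packet as transit (left alone), permit (an explicit exception for an outside source with a legitimate need) or drop (everything else aimed at infrastructure, non-initial fragments included). The infrastructure prefix, the eBGP peer exception, the addresses and the packets are all constructed in RFC 3849 documentation space and are assumptions for the example. It also shows the practical reason non-initial fragments toward infrastructure cannot simply inherit a port-based exception: they carry no transport header to match.

```python
import ipaddress
import struct

FRAGMENT_HEADER = 44                 # IPv6 Fragment extension header (RFC 8200 sec. 4.5)
WALKABLE_EXT = {0, 43, 60}           # Hop-by-Hop, Routing, Destination Options: same TLV layout
TCP = 6

# Constructed topology in RFC 3849 documentation space; an assumption, not from the thread.
INFRASTRUCTURE = [ipaddress.ip_network("2001:db8:ffff::/48")]      # loopbacks and p2p links
# Exceptions for sources outside the network: (source prefix, protocol, destination port).
EXCEPTIONS = [(ipaddress.ip_network("2001:db8:1::/64"), TCP, 179)]  # eBGP session from a peer


def parse_ipv6(pkt):
    """Walk the header chain up to and including any Fragment header.

    Returns (src, dst, next_header, frag_offset, l4_offset). frag_offset is None
    without a Fragment header, 0 for an initial fragment, >0 for a non-initial one;
    a non-initial fragment carries no transport header at l4_offset.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off, frag_offset = 40, None
    while nh in WALKABLE_EXT or nh == FRAGMENT_HEADER:
        if len(pkt) < off + 8:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT_HEADER:
            nh, _res, off_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag_offset = off_flags >> 3     # 13-bit offset in 8-octet units; low bit is M
            off += 8
            break                            # the rest is the fragmentable part
        nh, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8             # Hdr Ext Len excludes the first 8 octets
    return src, dst, nh, frag_offset, off


def iacl_decision(pkt):
    """Return 'transit', 'permit' or 'drop' for one packet arriving at the edge."""
    src, dst, nh, frag_offset, l4 = parse_ipv6(pkt)
    if not any(dst in net for net in INFRASTRUCTURE):
        return "transit"                      # data plane: the iACL leaves it alone
    if frag_offset:                           # non-initial fragment aimed at infrastructure
        return "drop"                         # no ports to match an exception on, so drop
    if nh == TCP and len(pkt) >= l4 + 4:
        dport = struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0]
        if any(src in net and proto == TCP and port == dport
               for net, proto, port in EXCEPTIONS):
            return "permit"                   # legitimate external need, e.g. an eBGP peer
    return "drop"                             # everything else toward infrastructure


def build_packet(src, dst, nh, payload, frag_offset=None, more=False, hop_by_hop=False):
    """Constructed test packet: fixed header, optional Hop-by-Hop and Fragment headers."""
    body, first_nh = payload, nh
    if frag_offset is not None:
        body = struct.pack("!BBHI", first_nh, 0, (frag_offset << 3) | int(more), 0x1234) + body
        first_nh = FRAGMENT_HEADER
    if hop_by_hop:                            # Hdr Ext Len 0 plus one PadN(4) option
        body = struct.pack("!BBBB", first_nh, 0, 1, 4) + b"\x00" * 4 + body
        first_nh = 0
    hdr = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


# Minimal 20-byte TCP SYN headers (constructed) with destination ports 179 and 22.
BGP_SYN = struct.pack("!HHIIBBHHH", 40000, 179, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SSH_SYN = struct.pack("!HHIIBBHHH", 40001, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
LOOPBACK, PEER = "2001:db8:ffff::1", "2001:db8:1::1"
OUTSIDER, CUSTOMER = "2001:db8:2::1", "2001:db8:5::1"

SAMPLES = {
    "peer_bgp": build_packet(PEER, LOOPBACK, TCP, BGP_SYN),
    "peer_bgp_initial_frag": build_packet(PEER, LOOPBACK, TCP, BGP_SYN,
                                          frag_offset=0, more=True, hop_by_hop=True),
    "peer_noninitial_frag": build_packet(PEER, LOOPBACK, TCP, b"\x00" * 64, frag_offset=185),
    "outsider_ssh": build_packet(OUTSIDER, LOOPBACK, TCP, SSH_SYN),
    "transit_noninitial_frag": build_packet(OUTSIDER, CUSTOMER, TCP, b"\x00" * 64,
                                            frag_offset=185, hop_by_hop=True),
}


def classify_samples():
    """Apply the edge policy to every constructed sample packet."""
    return {name: iacl_decision(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26s} {verdict}")
```

The initial fragment from the peer is permitted because its transport header is still present after the Fragment header, while the non-initial fragment from the same peer is dropped; a real iACL needs an address-only permit for the peer if fragmented BGP or other peer traffic is expected. The fragmented packet bound for a customer address is classified as transit and never touched, which is the distinction the message draws.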


