Re: Dropping IPv6 Fragments

[joel jaeggli <joelja () bogus com>]

On 10/4/12 7:36 AM, Dobbins, Roland wrote:
> On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
>
> > The closer you get to the edge the more common it might become...
> iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - 
> directed towards point-to-point links, loopbacks, and other internal infrastructure with exceptions made for cases where 
> there's a legitimate need for sources outside your network to be able to communicate with your infrastructure.
>
> As mentioned previously on the thread, this has nothing to do with transit data-plane traffic, which should be left 
> untouched unless it's specifically classified as attack traffic or other undesirable traffic.
>
> There's an apparently common misperception that fragmented traffic is somehow bad.  It isn't.  It's normal, under most 
> circumstances.  Protect your infrastructure proactively, deal with anything else on a case-by-case basis.

So the thing I'd note is that stateless IPV6 ACLs or load balancing 
provide you with an interesting problem since a fragment does not 
contain the headers beyond the required unfragmentable headers. it is 
possible but unlikely that the fragment  will hash into the same bucket 
in a stateless load balancer (using what's left of 5-tuple).

Likewise with the acl I have the property that the initial packet has 
all the info in it while the fragment does not. I would have to 
reassemble the packet  (which isn't going to happen in the place where 
the stateless acl is applied) prior to being able to decide to pass it 
or not (or just pass fragments through that acl).
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
>           Luck is the residue of opportunity and design.
>
>                        -- John Milton