nanog mailing list archives

Re: Dropping IPv6 Fragments


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 4 Oct 2012 15:15:45 +0000


On Oct 4, 2012, at 9:58 PM, joel jaeggli wrote:

> Likewise with the acl I have the property that the initial packet has
> all the info in it while the fragment does not.

For iACLs, just filter non-initial fragments directed to infrastructure IPs.  Cisco & Juniper ACLs have ACL matching criteria for non-initial fragments.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
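
The match described in the message above, as an added example that is not part of the original post: a Python sketch that walks the IPv6 extension-header chain, finds the Fragment header, and drops only fragments with a non-zero offset addressed to infrastructure space. The prefix `2001:db8:ffff::/48`, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumed infrastructure prefix (documentation range), not from the original post.
INFRA_PREFIXES = [ipaddress.ip_network("2001:db8:ffff::/48")]
SKIPPABLE = {0, 43, 60}   # hop-by-hop, routing, destination options
FRAGMENT = 44             # IPv6 Fragment extension header

def fragment_info(packet: bytes):
    """Return (is_fragment, offset_in_8_octet_units, more_fragments)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, pos = packet[6], 40
    while True:
        if next_header == FRAGMENT:
            if len(packet) < pos + 8:
                raise ValueError("truncated fragment header")
            (field,) = struct.unpack_from("!H", packet, pos + 2)
            return True, field >> 3, bool(field & 1)
        if next_header not in SKIPPABLE:
            return False, 0, False      # anything else ends the walk: unfragmented
        if len(packet) < pos + 8:
            raise ValueError("truncated extension header")
        next_header, pos = packet[pos], pos + (packet[pos + 1] + 1) * 8

def iacl_verdict(packet: bytes) -> str:
    """Drop non-initial fragments to infrastructure; pass the rest onward."""
    is_frag, offset, _more = fragment_info(packet)
    dst = ipaddress.IPv6Address(packet[24:40])
    to_infra = any(dst in net for net in INFRA_PREFIXES)
    if to_infra and is_frag and offset != 0:
        return "drop"
    return "permit"    # i.e. evaluated by the remaining iACL entries

def build(dst: str, offset: int, more: bool, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv6 header + fragment header (UDP next)."""
    frag = struct.pack("!BBHI", 17, 0, (offset << 3) | int(more), 0x1234)
    hdr = struct.pack("!IHBB", 6 << 28, len(frag) + len(payload), FRAGMENT, 64)
    src = ipaddress.IPv6Address("2001:db8:1::1").packed
    return hdr + src + ipaddress.IPv6Address(dst).packed + frag + payload

if __name__ == "__main__":
    for off, more in [(0, True), (185, False)]:
        print(off, more, iacl_verdict(build("2001:db8:ffff::1", off, more)))
```

The initial fragment (offset 0) is permitted here so that later ACL entries can still match on its layer-4 header, which the non-initial fragments do not carry.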


