Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)

[Fernando Gont <fgont () si6networks com>]

Hi, Saku,

On 01/12/2017 11:43 AM, Saku Ytti wrote:
> On 12 January 2017 at 13:19, Fernando Gont <fgont () si6networks com> wrote:
>
> Hey,
>
> > I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> > and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> > welcome).
>
> Generally may be understood differently by different people. If
> generally is defined as single most typical behaviour/configuration,
> then generally people don't protect their infrastructure in any way at
> all, but fully rely vendor doing something reasonable.
>
> I would argue BCP is to have 'strict' CoPP. Where you specifically
> allow what you must then have ultimate rule to deny everything. If you
> have such CoPP, then this attack won't work, as you clearly didn't
> allow any fragments at all (as you didn't expect to receive BGP
> fragments from your neighbours).

That's the point: If you don't allow fragments, but your peer honors
ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

-- 
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492