nanog mailing list archives

Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)


From: Mark Andrews <marka () isc org>
Date: Fri, 13 Jan 2017 06:28:45 +1100


In message <11ff128d-2fba-7c26-4a9c-5611433d85d2 () si6networks com>, Fernando Gont writes:
Hi, Saku,

On 01/12/2017 11:43 AM, Saku Ytti wrote:
On 12 January 2017 at 13:19, Fernando Gont <fgont () si6networks com> wrote:

Hey,

I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
welcome).

Generally may be understood differently by different people. If
generally is defined as single most typical behaviour/configuration,
then generally people don't protect their infrastructure in any way at
all, but fully rely vendor doing something reasonable.

I would argue BCP is to have 'strict' CoPP. Where you specifically
allow what you must then have ultimate rule to deny everything. If you
have such CoPP, then this attack won't work, as you clearly didn't
allow any fragments at all (as you didn't expect to receive BGP
fragments from your neighbours).

That's the point: If you don't allow fragments, but your peer honors
ICMPv6 PTB<1280, then dropping fragments creates the attack vector.

And fragments are a *normal* part of IP for both IPv4 and IPv6.
This obsession with dropping all fragments (and yes it is a obsession)
is breaking the internet.

Even if you don't want to allow all fragments through you can allow
fragments between the two endpoints of a "active" connection.  You
can apply port filters to the offset 0 fragments.  If that fragment
doesn't have enough headers to be able to filter then drop it.  If
your firewall is incapable of doing this then find a better firewall
as the current one is a piece of garbage and should be in the recycle
bin.

Which DoS is the bigger issue?  Firewalls dropping fragments or
reassembly buffers being exhausted?  Yes, firewalls dropping fragments
is a denial of service attack.

The initial TCP exchange does not contain fragments.  Most UDP
protocols don't start with a packet that will need to be fragmented.
For other protocols YMMV.

Mark

-- 
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
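As an added illustration of the rule Mark describes above (allow fragments only between the endpoints of an active session, apply the port filter to the offset-0 fragment, and drop that fragment when it is too short to filter), the following Python sketch is not part of the thread or any vendor's code. The sample addresses, the "active session" set and the packet builder are constructed for the example.

```python
import struct

NH_TCP, NH_UDP, NH_FRAG = 6, 17, 44
MIN_L4_HDR = {NH_TCP: 20, NH_UDP: 8}   # bytes needed before ports can be trusted
BGP_PORT = 179

def parse_ipv6(pkt):
    """Parse a fixed IPv6 header plus an optional Fragment header (next header 44).
    Returns (src, dst, upper_nh, frag, l4_offset); frag is None or (offset, more)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    nh, src, dst, off, frag = pkt[6], pkt[8:24], pkt[24:40], 40, None
    if nh == NH_FRAG:
        if len(pkt) < 48:
            raise ValueError("truncated Fragment header")
        nh, _res, off_flags, _ident = struct.unpack("!BBHI", pkt[40:48])
        frag, off = (off_flags >> 3, off_flags & 1), 48   # 13-bit offset (8-octet units), M flag
    return src, dst, nh, frag, off

def filter_fragment(pkt, active_pairs, allowed_ports=(BGP_PORT,)):
    """Return 'pass' or 'drop: <reason>' for one packet, following the rule in the mail."""
    src, dst, nh, frag, off = parse_ipv6(pkt)
    if frag is None:
        return "pass"                      # unfragmented traffic: ordinary CoPP rules apply
    if (src, dst) not in active_pairs and (dst, src) not in active_pairs:
        return "drop: fragment outside any active session"
    frag_offset, _more = frag
    if frag_offset > 0:
        return "pass"                      # non-initial fragment between active endpoints
    need = MIN_L4_HDR.get(nh)
    if need is None or len(pkt) - off < need:
        return "drop: first fragment too short to filter"
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    if sport not in allowed_ports and dport not in allowed_ports:
        return "drop: port not permitted"
    return "pass"

# Constructed sample data: documentation-prefix addresses and one "established" BGP pair.
A = bytes.fromhex("20010db8000000000000000000000001")
B = bytes.fromhex("20010db8000000000000000000000002")
ACTIVE = {(A, B)}

def build(src, dst, nh, payload, frag=None, ident=0x1234):
    """Build an IPv6 packet; frag=(offset_in_8_octet_units, more_flag) inserts a Fragment header."""
    if frag is not None:
        payload = struct.pack("!BBHI", nh, 0, (frag[0] << 3) | frag[1], ident) + payload
        nh = NH_FRAG
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst
    return hdr + payload

# A 20-byte TCP header: source port 40000, destination port 179 (BGP).
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, BGP_PORT, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
```

Calling `filter_fragment(build(A, B, NH_TCP, TCP_HDR[:8], frag=(0, 1)), ACTIVE)` returns the "too short to filter" drop, while a full first fragment and any later fragment between A and B pass.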
