nanog mailing list archives
Re: v6 DNSSEC fail, was Buying IPv4 blocks
From: Brandon Martin <lists.nanog () monmotha net>
Date: Fri, 5 Oct 2018 02:22:48 -0400
On 10/5/18 1:53 AM, Mark Andrews wrote:
If you don’t want fragmented IPv6 UDP responses use server ::/0 { edns-udp-size 1232; }; That’s 1280 - IPv6 header - UDP header. Anything bigger than that can theoretically be fragmented. You will then have to deal with PMTUD failures as the servers switch over to TCP.
Speaking of, anyone have any good reports similar to that which was the genesis of this discussion but regarding PMTUD broken-ness on IPv6? Perhaps specifically focusing on its impact w.r.t DNS over TCP?
My understanding is that this is quite common on IPv4 but not as evident due to in-transit transparent fragmentation.
What I find ridiculous is firewall vendor that claim to support adding stateful rules on demand but don’t add “from <src> to <dst> frag offset != 0” when they add “from <src> to <dst> proto xxx src-port <dst-port> dst-port <src-port>” or don’t do packet reassembly to work around the lack of passing fragments. This is IP and fragments are part and parcel of IP whether it is IPv4 or IPv6.
I think the "justification" for not allowing fragments is that they can be crafted specifically to evade filter policies.
Now, I'd argue that, if you want to not be a broken device, you then need to do reassembly so that you can inspect. At minimum, do so for the typical attack case which uses very small fragments and/or large L3 headers to split up application data since the result is presumably something that fits within the MTU of your LAN. Or statefully track whether fragments are expected for a conversation. Or drop fragments that could be used to evade policies but permit fragments that couldn't. Or...something other than breaking things horribly and whining that the protocol is broken.
Of course, a lot of these are also the same boxes that, through design or misconfiguration, break PMTUD, too, I suspect.
-- Brandon Martin
Current thread:
- Re: Buying IPv4 blocks, (continued)
- Re: Buying IPv4 blocks John Curran (Oct 02)
- Re: Buying IPv4 blocks Ross Tajvar (Oct 04)
- Re: Buying IPv4 blocks John Lee (Oct 04)
- Re: Buying IPv4 blocks Ross Tajvar (Oct 04)
- Re: Buying IPv4 blocks Matt Harris (Oct 04)
- Re: Buying IPv4 blocks John Levine (Oct 04)
- Re: Buying IPv4 blocks Marco Davids via NANOG (Oct 04)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks John Levine (Oct 04)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Mark Tinka (Oct 04)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Mark Andrews (Oct 04)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Brandon Martin (Oct 04)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Mark Andrews (Oct 05)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Brandon Martin (Oct 05)
- Re: Buying IPv4 blocks John Lee (Oct 04)
- RE: v6 DNSSEC fail, was Buying IPv4 blocks Naslund, Steve (Oct 07)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Brandon Martin (Oct 07)
- Re: v6 DNSSEC fail, was Buying IPv4 blocks Bryce Wilson (Oct 09)