
List:       ipng
Subject:    Re: [6MAN] draft-ietf-6man-oversized-header-chain-02 (was Re: Re: draft-ietf-6man-ext-transmit-01)
From:       Fernando Gont <fgont () si6networks ! com>
Date:       2013-06-11 12:18:07
Message-ID: 51B7157F.8050007 () si6networks ! com

On 06/11/2013 02:06 PM, joel jaeggli wrote:
>>> in my view there is no difference between the following cases:
>>> - 2nd fragment
>>> - extension header chain longer than first packet
>>> - unknown extension header
>>> - unknown L4 - ESP
>> These cases are different (at least from a fw point of view).
>>
>> - 2nd fragment is okay, because you'd apply the filtering policy to the
>> first fragment.
> Weirdly I'm not that interested in filtering half a DoS attack, which
> is probably what happens with amplification and EDNS0 or just some joker
> sending me a metric ton of fragments.

That is a separate issue. The discussion was about which packets were
harmful from an inspection point of view.

Whether to filter fragments or not is a different issue, and probably
depends on which device the fragments are destined to, and whether there
can be a legitimate use case for them or not (e.g., you might want to
allow fragments for clients, but drop them if they are destined to your
web server... in the same way that you might filter fragments to your
router, but not through your router).

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
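Added illustration, not part of this thread: a Python sketch of the destination-dependent fragment policy discussed above. It walks the IPv6 extension header chain of a single packet, decides whether the packet is a first fragment whose upper-layer header is actually inspectable (a first fragment whose chain runs past the end of the packet cannot be), lets non-first fragments through on the strength of the policy applied to the first one, and drops any fragment addressed to hosts that never legitimately receive them (the web server, the router itself). The addresses, packets and the `no_fragment_hosts` set are constructed placeholders.

```python
import struct

IPV6_HDR_LEN = 40                                   # fixed header size, RFC 2460
NH_HOPOPT, NH_TCP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPT = 0, 6, 43, 44, 60
LEN_CODED_EXT_HDRS = {NH_HOPOPT, NH_ROUTING, NH_DSTOPT}  # Hdr Ext Len in 8-octet units, minus 1
CLIENT, WEB = bytes(15) + b"\x10", bytes(15) + b"\x20"    # constructed placeholder addresses

def classify(packet: bytes) -> dict:
    """Walk one IPv6 packet's extension header chain: is it a fragment, is it the
    first fragment, and does the upper-layer (L4) header start inside this packet?"""
    nh, dst, off = packet[6], packet[24:40], IPV6_HDR_LEN
    fragmented, first_fragment, l4_reachable = False, True, False
    while True:
        if nh == NH_FRAGMENT:
            if off + 8 > len(packet):
                break                                 # truncated Fragment header
            nh, _, off_flags, _ = struct.unpack("!BBHI", packet[off:off + 8])
            fragmented, first_fragment, off = True, (off_flags >> 3) == 0, off + 8
            if not first_fragment:
                break                                 # 2nd+ fragment: L4 header was in the first
        elif nh in LEN_CODED_EXT_HDRS:
            if off + 2 > len(packet):
                break                                 # chain runs past the end of this packet
            nh, off = packet[off], off + (packet[off + 1] + 1) * 8
        else:
            l4_reachable = off < len(packet)          # L4 (or unknown) header starts here
            break
    return {"dst": dst, "fragmented": fragmented,
            "first_fragment": first_fragment, "l4_reachable": l4_reachable}

def fragment_policy(packet: bytes, no_fragment_hosts: set) -> str:
    """Destination-dependent policy: hosts that never legitimately receive fragments drop
    them; clients may, but a first fragment whose chain never reaches L4 is uninspectable."""
    info = classify(packet)
    if not info["fragmented"]:
        return "accept"                               # ordinary (non-fragment) rules apply
    if info["dst"] in no_fragment_hosts:
        return "drop"
    if info["first_fragment"] and not info["l4_reachable"]:
        return "drop"                                 # header chain longer than the first fragment
    return "accept"                                   # 1st fragment inspected; later ones ride on it

def ipv6_packet(dst: bytes, first_nh: int, payload: bytes) -> bytes:
    """Constructed sample packet: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + bytes(16) + dst + payload

def fragment_header(next_nh: int, offset: int, more: bool) -> bytes:
    """Fragment header: offset in 8-octet units shares a 16-bit field with the M flag."""
    return struct.pack("!BBHI", next_nh, 0, (offset << 3) | int(more), 0xABCD)
```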




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------