Hi,

On Wed, Dec 06, 2023 at 09:00:58AM +0000, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp
> <[email protected]> wrote:
>
> > deny ipv4 any any fragments
>
> This approach is generally contraindicated, as it tends to break EDNS0, &
> DNSSEC along with it.
I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which
works just fine to avoid fragments...

  http://www.dnsflagday.net/2020/

... but of course you are right that unconditionally dropping all fragments
is not a recommended approach unless acutely under attack.

What we do here is exactly what you recommend - rate-limit fragments to
some 200Mbit/s per network ingress, which is ~50x the normal peak rate of
fragments seen, and closely monitor drop counts.

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             [email protected]
