In message <[email protected]>, Roland Dobbins writes:
>
> On Sep 13, 2014, at 4:37 PM, Franck Martin <[email protected]> wrote:
>
> > My understanding is that UDP fragmentation is something frowned upon in
> > IPv4 and even more on IPv6 (because of processing power needed, and
> > security concerns)?
>
> No.  IP fragmentation is a normal part of TCP/IP communications across
> the Internet.  It isn't something to actively wish for, but it's
> perfectly normal.
>
> > -limit size to <1500? on both IPv4 and IPv6?
>
> No.

But do force IPv6 to fragment at 1280.  This avoids PMTUD.

> > -allow UDP fragmentation on IPv4 and IPv6, how securely?
>
> Yes, allow it; there's no security issue.  This is a myth originating
> with clueless vendors in the mid-1990s, and propagated today by Confused
> Information Systems Security Professionals (CISSPs) and their ilk.
>
> > Any good documentation, pointers?
>
> Slide 153 of this deck:
>
> <https://app.box.com/s/r7an1moswtc7ce58f8gg>
>
> ----------------------------------------------------------------------
> Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>
>
>                    Equo ne credite, Teucri.
>
>                           -- Laocoon
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
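Added example, not part of either poster's message: what sending at the IPv6 minimum MTU of 1280 does to a UDP DNS response, computed from the fixed header sizes (40-byte IPv6 header, 8-byte Fragment header, 8-byte UDP header). The function and field names are made up for this illustration, and it assumes no other extension headers are present.

```python
from typing import List, NamedTuple

IPV6_HEADER = 40     # fixed IPv6 header
FRAG_HEADER = 8      # IPv6 Fragment extension header
UDP_HEADER = 8
IPV6_MIN_MTU = 1280  # every IPv6 link must carry a packet this large


class Fragment(NamedTuple):
    offset: int    # byte offset into the fragmentable part (multiple of 8)
    data_len: int  # bytes of UDP header + DNS message carried here
    more: bool     # M flag: more fragments follow
    wire_len: int  # size of this packet on the link


def plan_fragments(dns_len: int, mtu: int = IPV6_MIN_MTU) -> List[Fragment]:
    """Return the packets a sender emits for a DNS message of dns_len bytes.

    A one-element result means the datagram fits and carries no Fragment
    header. With mtu=1280 the plan is valid on any IPv6 path, so the sender
    never depends on ICMPv6 Packet Too Big messages (PMTUD) getting through.
    """
    if mtu < IPV6_MIN_MTU:
        raise ValueError("IPv6 links must support an MTU of at least 1280")
    if not 0 <= dns_len <= 65535 - UDP_HEADER:
        raise ValueError("DNS message does not fit in a UDP datagram")

    fragmentable = UDP_HEADER + dns_len
    if IPV6_HEADER + fragmentable <= mtu:
        return [Fragment(0, fragmentable, False, IPV6_HEADER + fragmentable)]

    # Every fragment except the last must carry a multiple of 8 bytes.
    per_frag = (mtu - IPV6_HEADER - FRAG_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < fragmentable:
        n = min(per_frag, fragmentable - offset)
        more = offset + n < fragmentable
        frags.append(Fragment(offset, n, more, IPV6_HEADER + FRAG_HEADER + n))
        offset += n
    return frags


if __name__ == "__main__":
    # Constructed sample sizes: a response that just fits, and a 4096-byte one.
    for size in (1232, 4096):
        print(size, plan_fragments(size))
```

A 1232-byte DNS message is the largest that leaves as a single 1280-byte packet; anything larger is split by the sender into fragments that already fit the minimum MTU.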
