On 13 September 2014 06:24, Roland Dobbins <[email protected]> wrote:
> No. IP fragmentation is a normal part of TCP/IP communications across the
> Internet. It isn't something to actively wish for, but it's perfectly
> normal.

Google "Fragmentation Considered Harmful" - nothing significant has changed in the decades that have passed. I still wouldn't turn it off, but there are issues you should be aware of.

> Yes, allow it; there's no security issue. This is a myth originating with
> clueless vendors in the mid-1990s, and propagated today by Confused
> Information Systems Security Professionals (CISSPs) and their ilk.

In the 1990s fragmentation-based attacks against IP stacks were very real; it took a long time for vendors to fix their stacks completely, and longer to get fixes deployed; we didn't have the "patch everything monthly" culture firmly established yet.

I agree that I wouldn't worry too much about the *security* of IP fragmentation today, but back then it was not a myth.

[ get off my lawn ;) ]

--
Harald
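The fragmentation problems the thread refers to (the 1990s stack bugs, and the "issues you should be aware of" today) were mostly about IP stacks mishandling malformed fragment sets: overlapping fragments, fragments whose offset plus length exceeds the 65535-byte IPv4 maximum, and fragment trains that never complete. The following is an added example, not code from the thread or any project discussed in it: a small IPv4 fragment-set checker that groups constructed fragments by (source, destination, identification, protocol) and reports whether each set reassembles cleanly or is malformed. All packets, addresses and identification values are constructed inline; the header checksum is left zero because nothing is transmitted.

```python
import socket
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options
MAX_DATAGRAM = 65535          # IPv4 total-length limit


def build_ipv4_fragment(src, dst, ident, offset_units, more_fragments, payload, proto=17):
    """Construct one IPv4 fragment (constructed test data, not captured traffic).

    offset_units is the fragment offset in 8-byte units, as carried on the wire.
    """
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    total_len = 20 + len(payload)
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, ident, flags_frag, 64, proto,
                         0,  # header checksum left zero: packets are never sent
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(packet):
    """Decode the fields a reassembler needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, ident, proto),
        "offset": (flags_frag & 0x1FFF) * 8,   # byte offset within the datagram
        "mf": bool(flags_frag & 0x2000),       # More Fragments flag
        "payload": packet[ihl:total_len],
    }


def analyze_fragments(packets):
    """Return {key: verdict} for every fragment set seen in `packets`.

    Verdicts: "ok" (contiguous, complete), "overlap" (a fragment starts inside
    data already covered), "oversize" (exceeds the 65535-byte limit),
    "malformed" (non-final fragment not a multiple of 8 bytes), "gap"
    (missing data before a fragment) or "incomplete" (final fragment missing).
    """
    groups = defaultdict(list)
    for pkt in packets:
        frag = parse_ipv4(pkt)
        groups[frag["key"]].append(frag)

    results = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        verdict = "ok"
        expected = 0  # next byte offset a well-formed train should supply
        for f in frags:
            end = f["offset"] + len(f["payload"])
            if end > MAX_DATAGRAM:
                verdict = "oversize"
                break
            if f["mf"] and len(f["payload"]) % 8 != 0:
                verdict = "malformed"
                break
            if f["offset"] < expected:
                verdict = "overlap"
                break
            if f["offset"] > expected:
                verdict = "gap"
                break
            expected = end
        if verdict == "ok" and frags[-1]["mf"]:
            verdict = "incomplete"
        results[key] = verdict
    return results


# Constructed sample traffic: one clean two-fragment datagram (ident 1), one
# set whose second fragment overlaps the first (ident 2), and one lone fragment
# placed beyond the 65535-byte limit (ident 3). Addresses are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE_PACKETS = [
    build_ipv4_fragment("192.0.2.1", "198.51.100.2", 1, 0, True, b"A" * 16),
    build_ipv4_fragment("192.0.2.1", "198.51.100.2", 1, 2, False, b"B" * 10),
    build_ipv4_fragment("192.0.2.1", "198.51.100.2", 2, 0, True, b"C" * 16),
    build_ipv4_fragment("192.0.2.1", "198.51.100.2", 2, 1, False, b"D" * 16),
    build_ipv4_fragment("192.0.2.1", "198.51.100.2", 3, 8190, False, b"E" * 32),
]


def verdicts_by_ident(packets=SAMPLE_PACKETS):
    """Convenience view keyed only by IP identification, for quick inspection."""
    return {key[2]: verdict for key, verdict in analyze_fragments(packets).items()}


if __name__ == "__main__":
    for ident, verdict in sorted(verdicts_by_ident().items()):
        print(f"ident {ident}: {verdict}")
```

A checker like this is the defender-side view of the point Harald makes: a modern stack drops the "overlap", "oversize" and "malformed" cases itself, so allowing fragments is reasonable, while a resolver operator who sees many "gap" or "incomplete" sets is usually looking at a path MTU or filtering problem rather than an attack.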
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
