On Jun 18, 2013, at 8:22 AM, Mark Andrews <[email protected]> wrote:

>> My goal as it were was to look at if fragmentation were expected to work
>> that I don't really want to expose myself to receiving a 4k response (via
>> UDP) because the risk of an amplification attack becomes very large
>> indeed. Even if I filter fragments (because I have to or as a product of
>> limitations) such an attack may be targeted at the infrastructure rather
>> than the endpoint that's the notional target.
>
> Yet fragmented packets work fine if you don't put a middle box in the
> middle that has a conniption when it sees a fragmented packet.

This is practically every box on IPv6. Fragments REALLY don't work on IPv6.

> As for being exposed you really can't prevent being exposed.
>
> As for not replying with fragmented packets, that itself causes
> operational problems as you move the traffic to TCP which unless
> you have taken measures to reduce the segment sizes runs the risk
> of PMTUD problems. Some of the ORG servers limit the UDP size then
> don't do PMTUD well which is a real pain if you are behind a tunnel.

IPv6 is much better on PMTU discovery than IPv4, and with IPv6, you can always just set to use the minimum IPv6 (1200B) MTU and bypass all PMTU discovery anyway.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
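Added example, not from the thread or any of its participants: it derives the largest EDNS0 UDP payload that fits a single packet at the IPv6 minimum link MTU (assumed here as RFC 8200's 1280 bytes), builds a query advertising that size, and parses the advertised size back out of a query so a resolver operator can check what clients are asking for. All names and the sample query are constructed for this example.

```python
import struct

# Assumed constants: RFC 8200 minimum IPv6 link MTU and fixed header sizes.
IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
UDP_HEADER = 8
DNS_TYPE_OPT = 41

def safe_edns_size(mtu: int = IPV6_MIN_MTU) -> int:
    """Largest UDP payload that fits one IPv6 packet at this MTU (1232 at the minimum MTU)."""
    return mtu - IPV6_HEADER - UDP_HEADER

def build_query(name: str, qtype: int = 1, udp_size: int = 1232, txid: int = 0x1234) -> bytes:
    """Build a DNS query; udp_size > 0 appends an EDNS0 OPT record advertising it, 0 omits EDNS."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)           # QCLASS=IN
    if udp_size:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries ext-rcode/version/flags (all zero here), RDLENGTH=0.
        packet += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0, 0)
    return packet

def _skip_name(packet: bytes, pos: int) -> int:
    """Advance past a wire-format name (label sequence or a compression pointer)."""
    while True:
        length = packet[pos]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def advertised_udp_size(packet: bytes) -> int:
    """EDNS0 UDP payload size a query advertises, or 512 (the pre-EDNS limit) if it has no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4                 # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return 512
```

A response longer than `safe_edns_size()` must be truncated (TC bit) and retried over TCP rather than sent as fragments, which is the trade-off the thread describes.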
