Hi Fred,

Good point. I agree; however, a bigger limit would provide more protection. Besides, a lot of extension headers may not be valid in most cases, so TCP headers would come within the 800 bytes. Having a configurable minimum value with a default closer to 800 could help too.

Pyda, on another note, I have been wondering whether NAPT-PT would work properly in the case where the first fragment did not have the TCP port, unless we maintained state for fragments (what the next header expected in the fragment is, etc.)?

Thanks,

Vishwas


From: Fred Baker [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 27, 2005 9:44 AM
To: Vishwas Manral
Cc: [email protected]
Subject: Re: IPv6 and Tiny Fragments

Personally, I think that would simply mean that the tiny fragment attack would come at that size.

Better to simply design TCPs well so that the attack is of minimal effect.

On Nov 24, 2005, at 9:10 PM, Vishwas Manral wrote:

Hi folks,

I have been wondering how IPv6 will deal with the tiny fragment attack, RFC1858.

Is there a minimum non-last fragment size specified for IPv6? With so many extension headers, a size of around 80 bytes (IP header + payload) may not necessarily be right.

I think we could specify something closer to 200 bytes, which would mean that we would certainly have the TCP header in the first fragment.

Thanks,

Vishwas

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
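
The check this thread is circling, as an added example that is not part of the original messages: a stateless filter walks the IPv6 header chain of a single packet and reports whether a first fragment carries a full minimum TCP header. The function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

# IANA protocol numbers used in the IPv6 Next Header field
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, DEST_OPTS = 0, 6, 43, 44, 60
IPV6_HDR_LEN, FRAG_HDR_LEN, TCP_MIN_HDR = 40, 8, 20

def classify(packet: bytes) -> str:
    """Verdict a stateless filter can reach from this one packet alone."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return "malformed"
    nxt, off, first_fragment = packet[6], IPV6_HDR_LEN, False
    while nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS, FRAGMENT):
        if off + 8 > len(packet):            # chain runs past the data we hold
            return "tiny" if first_fragment else "malformed"
        if nxt == FRAGMENT:
            nxt, _, off_flags = struct.unpack_from("!BBH", packet, off)
            if off_flags >> 3:               # non-zero offset: not the first fragment
                return "non-first"
            first_fragment = bool(off_flags & 1)  # M flag: more fragments follow
            off += FRAG_HDR_LEN
        else:
            nxt, ext_len = packet[off], packet[off + 1]
            off += (ext_len + 1) * 8         # Hdr Ext Len excludes the first 8 octets
    if nxt != TCP:
        return "not-tcp"
    if len(packet) - off < TCP_MIN_HDR:      # ports/flags not all in this packet
        return "tiny" if first_fragment else "malformed"
    return "ok"

# --- constructed sample packets (zeroed addresses, zero-filled payloads) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + bytes(32) + payload

def frag(next_header: int, offset_units: int, more: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, 0x1234)

def dest_opts(next_header: int, units: int) -> bytes:
    # 'units' is the total header length in 8-octet units; zero bytes are Pad1
    return bytes([next_header, units - 1]) + bytes(units * 8 - 2)

FULL_FIRST = ipv6(FRAGMENT, frag(TCP, 0, 1) + bytes(20))
# 80 bytes of extension header push all but 8 bytes of TCP out of the fragment
TINY_FIRST = ipv6(FRAGMENT, frag(DEST_OPTS, 0, 1) + dest_opts(TCP, 10) + bytes(8))
LATER_FRAG = ipv6(FRAGMENT, frag(TCP, 5, 0) + bytes(40))

if __name__ == "__main__":
    for name in ("FULL_FIRST", "TINY_FIRST", "LATER_FRAG"):
        print(name, classify(globals()[name]))
```

The "non-first" verdict is the case raised in the NAPT-PT question: nothing in that packet identifies the ports, so a device needs per-fragment state to handle it.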
