On 09/24/2013 10:51 PM, C. M. Heard wrote:
>> If you care about fragmentation-based attacks, you really don't want to
>> use TCP. There are a bunch of attacks that can be (by far) more
>> devastating than the fragmentation-based ones (see
>> <http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf>).
>
> That is an important observation, for two reasons:
>
> - it suggests that getting fragments to work or making a UDP-like
>   protocol that has equivalent functionality is important for DNSSEC
>
> - it suggests that looking askance at IPv6 fragmentation is not
>   logical if one is not at least as concerned about TCP, which does
>   NOT seem to be widely blocked

FWIW, I came across this (worth-reading) article:
<http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/>
-- please take a look at the section on TCP usage.

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
