In message <[email protected]>, Fernando Gont writes:
> Hi, Saku,
>
> On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > On 12 January 2017 at 13:19, Fernando Gont <[email protected]> wrote:
> >
> > Hey,
> >
> >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> >> welcome).
> >
> > "Generally" may be understood differently by different people. If
> > "generally" is defined as the single most typical behaviour/configuration,
> > then generally people don't protect their infrastructure in any way at
> > all, but fully rely on the vendor doing something reasonable.
> >
> > I would argue BCP is to have 'strict' CoPP, where you specifically
> > allow what you must, then have an ultimate rule to deny everything. If you
> > have such CoPP, then this attack won't work, as you clearly didn't
> > allow any fragments at all (as you didn't expect to receive BGP
> > fragments from your neighbours).
>
> That's the point: if you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
And fragments are a *normal* part of IP for both IPv4 and IPv6. This
obsession with dropping all fragments (and yes, it is an obsession) is
breaking the internet.

Even if you don't want to allow all fragments through, you can allow
fragments between the two endpoints of an "active" connection. You can
apply port filters to the offset 0 fragments. If that fragment doesn't
have enough headers to be able to filter, then drop it. If your firewall
is incapable of doing this, then find a better firewall, as the current
one is a piece of garbage and should be in the recycle bin.

Which DoS is the bigger issue? Firewalls dropping fragments, or
reassembly buffers being exhausted? Yes, firewalls dropping fragments
is a denial of service attack.

The initial TCP exchange does not contain fragments. Most UDP protocols
don't start with a packet that will need to be fragmented. For other
protocols YMMV.

Mark

> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
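As an added illustration, not part of Mark's message or anything in the thread, here is a small Python model of the fragment policy he describes: port-filter the offset-0 fragment, drop it when the transport header is not fully present, and permit non-initial fragments only between endpoints of a session the box already knows about. The peer addresses, flow table, ACL and sample packets are all constructed for the test (2001:db8::/32 documentation prefix); only one Fragment header placed directly after the IPv6 header is handled.

```python
import ipaddress
import struct
NH_TCP, NH_UDP, NH_FRAG = 6, 17, 44
# Smallest upper-layer header an offset-0 fragment must carry before a port
# filter can be applied to it (TCP 20 bytes, UDP 8); anything shorter is dropped.
MIN_L4_HDR = {NH_TCP: 20, NH_UDP: 8}


def parse_ipv6(pkt):
    """Return (src, dst, next_header, l4_bytes, frag); frag is None when the
    packet is unfragmented, else (offset_in_bytes, more_fragments_flag)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, src, dst, body = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
    frag = None
    if nh == NH_FRAG:  # one Fragment header directly after the IPv6 header
        if len(body) < 8:
            raise ValueError("truncated fragment header")
        nh, _res, off_m, _ident = struct.unpack("!BBHI", body[:8])
        frag, body = ((off_m >> 3) * 8, bool(off_m & 1)), body[8:]
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), nh, body, frag


def fragment_policy(pkt, active_flows, port_acl):
    """'pass' (unfragmented: the normal ACL decides), 'permit' or 'drop'.
    active_flows: {(src, dst)} with an established session; port_acl: {(proto, dport)}."""
    src, dst, nh, l4, frag = parse_ipv6(pkt)
    if frag is None:
        return "pass"
    if frag[0] == 0:
        # First fragment: port-filter it, but only if the whole L4 header is present.
        if len(l4) < MIN_L4_HDR.get(nh, 1 << 16):
            return "drop"
        _sport, dport = struct.unpack("!HH", l4[:4])
        return "permit" if (nh, dport) in port_acl else "drop"
    # Later fragments carry no ports: allow them only between endpoints of a known session.
    return "permit" if (src, dst) in active_flows else "drop"


def build_frag(src, dst, nh, offset, more, payload, ident=0x1234):
    """Constructed IPv6 + Fragment-header packet for testing (src/dst are IPv6Address)."""
    fh = struct.pack("!BBHI", nh, 0, ((offset // 8) << 3) | int(more), ident)
    ip6 = struct.pack("!IHBB", 0x60000000, len(fh) + len(payload), NH_FRAG, 64)
    return ip6 + src.packed + dst.packed + fh + payload


# Constructed sample data (documentation prefix): a BGP peer talking to this router.
PEER, ME = ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("2001:db8::2")
FLOWS, ACL = {(PEER, ME)}, {(NH_TCP, 179)}
TCP_TO_BGP = struct.pack("!HHIIBBHHH", 40000, 179, 1, 0, 5 << 4, 0x10, 65535, 0, 0)
```

A real CoPP or firewall would key the flow table on the full 5-tuple learned from the offset-0 fragment; the (src, dst) pair here is the minimum that still lets a known session's later fragments through while an unsolicited fragment stream hits the deny rule.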

