In message <cag6teat9eodf-oihh0vow25gfc-p__p+no9ykmycbsuqhop...@mail.gmail.com>, Fernando Gont writes:
> On 12/1/2017 16:28, "Mark Andrews" <[email protected]> wrote:
>
> > In message <[email protected]>, Fernando
> > Gont writes:
> > > Hi, Saku,
> > >
> > > On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > > > On 12 January 2017 at 13:19, Fernando Gont <[email protected]> wrote:
> > > >
> > > > Hey,
> > > >
> > > >> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> > > >> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> > > >> welcome).
> > > >
> > > > Generally may be understood differently by different people. If
> > > > generally is defined as single most typical behaviour/configuration,
> > > > then generally people don't protect their infrastructure in any way at
> > > > all, but fully rely on the vendor doing something reasonable.
> > > >
> > > > I would argue BCP is to have 'strict' CoPP. Where you specifically
> > > > allow what you must then have ultimate rule to deny everything. If you
> > > > have such CoPP, then this attack won't work, as you clearly didn't
> > > > allow any fragments at all (as you didn't expect to receive BGP
> > > > fragments from your neighbours).
> > >
> > > That's the point: If you don't allow fragments, but your peer honors
> > > ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
> >
> > And fragments are a *normal* part of IP for both IPv4 and IPv6.
> > This obsession with dropping all fragments (and yes it is an obsession)
> > is breaking the internet.
>
> Vendors got the frag reassembly code wrong so many times that I
> understand the folk that decide to drop them if deemed unnecessary.

Most of them literally decades ago. 20+ years ago while you waited for
your vendor to fix the bug it made some sense as most of your boxes were
vulnerable. It was a new threat back then. It doesn't make sense today.
Packets bigger than 1500 are a part of today's internet. Have a look at
the stats for dropped fragments. They aren't for the most part attack
traffic. It's legitimate reply traffic that has been requested.

> > Even if you don't want to allow all fragments through you can allow
> > fragments between the two endpoints of an "active" connection.
>
> At times folks want to get rid of fragments directed to them, rather than
> those going *through* them.
>
> > You can apply port filters to the offset 0 fragments. If that fragment
> > doesn't have enough headers to be able to filter then drop it. If
> > your firewall is incapable of doing this then find a better firewall
> > as the current one is a piece of garbage and should be in the recycle
> > bin.
> >
> > Which DoS is the bigger issue? Firewalls dropping fragments or
> > reassembly buffers being exhausted?
>
> If there is no way for an attacker to trigger the use of fragmentation, and
> you don't need fragments (e.g. only tcp-based services), from a security
> pov you're certainly better off dropping frags that are thrown at you. Not
> that I like it, but....
>
> Thanks,
> Fernando

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
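The two filtering approaches argued over in this thread, "drop every fragment" versus "port-filter the offset-0 fragment and only pass later fragments between endpoints that actually have a session", can be made concrete with a small classifier. The code below is an added illustration written for this archive page; it is not code from Mark Andrews, Fernando Gont, Saku Ytti or any router vendor. It parses the IPv6 fixed header and extension headers by hand, and models the "active connection" state that a stateful filter would keep as a static set of (local, neighbour) address pairs (an assumption for the example). The addresses, the fragment identifications and the packet bytes are all constructed. The first sample packet is the case the thread worries about: after a peer honours an ICMPv6 PTB<1280 it emits atomic fragments (Fragment Header with offset 0 and M=0), which a blanket fragment drop would discard along with the BGP session, while the offset-0 port filter lets them through and still drops a first fragment that is too short to carry the TCP ports.

```python
import ipaddress
import struct

# Constants from the IPv6 and TCP wire formats
IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_TCP, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 6, 43, 44, 60
BGP_PORT = 179


def parse_ipv6(pkt):
    """Walk the IPv6 fixed header and any extension headers.

    Returns src/dst, the Fragment Header (if present) and the TCP port pair,
    the latter only when an L4 header is actually reachable in this packet.
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off, frag = IPV6_HDR_LEN, None
    while next_hdr in (NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS):
        if next_hdr == NH_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated Fragment Header")
            nh, _res, offlg, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = {"offset": offlg >> 3, "more": bool(offlg & 1), "id": ident}
            next_hdr, off = nh, off + 8
            if frag["offset"] != 0:
                break  # non-first fragment: what follows is payload, not headers
        else:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            nh, ext_len = pkt[off], pkt[off + 1]
            next_hdr, off = nh, off + (ext_len + 1) * 8
    ports = None
    first = frag is None or frag["offset"] == 0
    if next_hdr == NH_TCP and first and len(pkt) >= off + 4:
        ports = struct.unpack("!HH", pkt[off:off + 4])
    return {"src": src, "dst": dst, "next_hdr": next_hdr, "frag": frag, "ports": ports}


def fragment_policy(pkt, bgp_sessions):
    """Decide what a control-plane filter should do with one inbound packet.

    bgp_sessions: set of (local, neighbour) IPv6 address pairs, standing in for
    the connection state a stateful filter would track. Returns (verdict, reason).
    """
    p = parse_ipv6(pkt)
    if p["frag"] is None:
        return ("permit", "not a fragment; ordinary CoPP rules apply")
    pair = (p["dst"], p["src"])  # (local, neighbour) as the router sees it
    if pair not in bgp_sessions:
        return ("drop", "fragment from an address pair with no active session")
    if p["frag"]["offset"] == 0:
        # First (or atomic) fragment: it must carry enough headers to be port-filtered
        if p["ports"] is None:
            return ("drop", "first fragment does not reach the TCP ports")
        if BGP_PORT not in p["ports"]:
            return ("drop", "first fragment is not BGP traffic")
        return ("permit", "first fragment of a BGP segment between neighbours")
    return ("permit", "non-first fragment between neighbours with an active session")


# --- constructed sample packets -------------------------------------------------
def tcp_header(sport, dport):
    # 20-byte TCP header, ACK flag set, no options; checksum left zero in this sample
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x10, 65535, 0, 0)


def fragment_header(offset, more, ident, inner_nh=NH_TCP):
    return struct.pack("!BBHI", inner_nh, 0, (offset << 3) | int(more), ident)


def ipv6_packet(src, dst, payload, next_hdr):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


LOCAL, PEER, STRANGER = "2001:db8::1", "2001:db8::2", "2001:db8::bad"  # documentation prefix
SESSIONS = {(ipaddress.IPv6Address(LOCAL), ipaddress.IPv6Address(PEER))}

# What a neighbour sends once it honours a PTB<1280: an atomic fragment (offset 0, M=0)
ATOMIC_BGP = ipv6_packet(PEER, LOCAL, fragment_header(0, False, 0x1234)
                         + tcp_header(40000, BGP_PORT) + b"\x00" * 16, NH_FRAGMENT)
# A first fragment cut off before the TCP ports
SHORT_FIRST = ipv6_packet(PEER, LOCAL, fragment_header(0, True, 0x1235) + b"\x9c", NH_FRAGMENT)
# A non-first fragment of the same datagram from the neighbour
LATER_FRAG = ipv6_packet(PEER, LOCAL, fragment_header(100, False, 0x1235) + b"\x00" * 32, NH_FRAGMENT)
# The same shape from an address that has no session with us
STRANGER_FRAG = ipv6_packet(STRANGER, LOCAL, fragment_header(100, False, 0x1235) + b"\x00" * 32, NH_FRAGMENT)
# A plain, unfragmented BGP segment
PLAIN_BGP = ipv6_packet(PEER, LOCAL, tcp_header(40000, BGP_PORT), NH_TCP)

if __name__ == "__main__":
    samples = [("ATOMIC_BGP", ATOMIC_BGP), ("SHORT_FIRST", SHORT_FIRST), ("LATER_FRAG", LATER_FRAG),
               ("STRANGER_FRAG", STRANGER_FRAG), ("PLAIN_BGP", PLAIN_BGP)]
    for name, pkt in samples:
        verdict, reason = fragment_policy(pkt, SESSIONS)
        print(f"{name:14s} {verdict:6s} {reason}")
```

The stateful half is the part real firewalls get wrong in one of two directions: a filter that keys only on the address pair still has to bound how many non-first fragments it buffers per neighbour, and a filter that insists on seeing the TCP ports in every fragment will silently break the session the moment a peer starts emitting atomic fragments.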

