On 01/12/2017 11:07 PM, Mark Andrews wrote:
> In message
> <cag6teat9eodf-oihh0vow25gfc-p__p+no9ykmycbsuqhop...@mail.gmail.com>
> , Fernando Gont writes:
>> On 12/1/2017 16:28, "Mark Andrews" <[email protected]> wrote:
>>
>>> In message <[email protected]>, Fernando
>>> Gont writes:
>>>> Hi, Saku,
>>>>
>>>> On 01/12/2017 11:43 AM, Saku Ytti wrote:
>>>>> On 12 January 2017 at 13:19, Fernando Gont <[email protected]>
>>> wrote:
>>>>>
>>>>> Hey,
>>>>>
>>>>>> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
>>>>>> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
>>>>>> welcome).
>>>>>
>>>>> Generally may be understood differently by different people. If
>>>>> generally is defined as single most typical behaviour/configuration,
>>>>> then generally people don't protect their infrastructure in any way at
>>>>> all, but fully rely on the vendor doing something reasonable.
>>>>>
>>>>> I would argue BCP is to have 'strict' CoPP. Where you specifically
>>>>> allow what you must, then have an ultimate rule to deny everything. If you
>>>>> have such CoPP, then this attack won't work, as you clearly didn't
>>>>> allow any fragments at all (as you didn't expect to receive BGP
>>>>> fragments from your neighbours).
>>>>
>>>> That's the point: If you don't allow fragments, but your peer honors
>>>> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
>>>
>>> And fragments are a *normal* part of IP for both IPv4 and IPv6.
>>> This obsession with dropping all fragments (and yes it is an obsession)
>>> is breaking the internet.
>>
>> Vendors got the frag reassembly code wrong so many times, that I
>> understand the folk that decides to drop them if deemed unnecessary.
>
> Most of them literally decades ago.

Disagree. Microsoft "reinvented" ping-o-death in IPv6, there have been
several one-packet crashes disclosed for Cisco's (and the list continues).

> 20+ years ago while you waited
> for your vendor to fix the bug it made some sense as most of your
> boxes were vulnerable. It was a new threat back then. It doesn't
> make sense today.

Let's face it: The quality of many IPv6 implementations is that of IPv4
implementations in the '90s. Sad, but true.

> Packets bigger than 1500 are a part of today's internet. Have a look
> at the stats for dropped fragments. They aren't for the most part
> attack traffic. It's legitimate reply traffic that has been requested.

I don't disagree with you wrt the need for fragmentation in some
scenarios. I'm just saying that when you only employ TCP-based services,
it may make sense to drop fragments targeted *at you*.

Fragmentation is only needed for non-TCP services, and if your system
does not use non-TCP services, it may be a sensible thing to drop
fragments targeted at you.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
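An added example (my own, not code from the thread or any of its posters) that models the interaction Saku and Fernando describe: a strict allow-list CoPP that drops every packet carrying a Fragment header, facing a peer that still honors an ICMPv6 Packet Too Big below 1280 by inserting a Fragment header (the RFC 2460 "atomic fragment", offset 0, M=0) into its subsequent BGP segments. Packet layouts, the 2001:db8:: addresses, the fragment identification and the forged MTU of 1000 are all constructed; `classify`, `strict_copp` and `bgp_survives` are hypothetical helper names.

```python
import struct

NH_TCP, NH_FRAG, NH_ICMPV6 = 6, 44, 58             # IPv6 Next Header values
ICMPV6_PTB, IPV6_MIN_MTU, BGP_PORT = 2, 1280, 179
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")  # constructed documentation addresses
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")

def ipv6_packet(next_header, payload):
    """Minimal IPv6 header (version 6, hop limit 64) in front of payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

def bgp_segment():
    """Constructed TCP header of a BGP segment (both ports 179, checksum left zero)."""
    return struct.pack("!HHIIBBHHH", BGP_PORT, BGP_PORT, 1, 1, 5 << 4, 0x10, 65535, 0, 0)

def next_bgp_segment_after_ptb(mtu, honors_ptb_below_1280):
    """A peer honoring a PTB < 1280 adds a Fragment header (offset 0, M=0) to later packets."""
    if mtu < IPV6_MIN_MTU and honors_ptb_below_1280:
        frag_hdr = struct.pack("!BBHI", NH_TCP, 0, 0, 0x1234)  # constructed identification
        return ipv6_packet(NH_FRAG, frag_hdr + bgp_segment())
    return ipv6_packet(NH_TCP, bgp_segment())

def classify(pkt):
    """Walk the header chain the way a CoPP classifier would and report what it sees."""
    nh, off = pkt[6], 40
    info = {"fragment": False, "atomic": False, "ptb_mtu": None, "tcp_dport": None}
    if nh == NH_FRAG:
        nh, _, off_flags, _ = struct.unpack_from("!BBHI", pkt, off)
        info["fragment"], info["atomic"] = True, (off_flags >> 3) == 0 and not off_flags & 1
        off += 8
    if nh == NH_ICMPV6 and pkt[off] == ICMPV6_PTB:
        info["ptb_mtu"] = struct.unpack_from("!I", pkt, off + 4)[0]
    elif nh == NH_TCP:
        info["tcp_dport"] = struct.unpack_from("!H", pkt, off + 2)[0]
    return info

def strict_copp(pkt, drop_fragments=True):
    """Allow-list CoPP: permit BGP (port 179) and PTB >= 1280, deny everything else."""
    i = classify(pkt)
    if i["fragment"] and drop_fragments:
        return "drop"
    if i["ptb_mtu"] is not None:
        return "accept" if i["ptb_mtu"] >= IPV6_MIN_MTU else "drop"
    return "accept" if i["tcp_dport"] == BGP_PORT else "drop"

def bgp_survives(local_drops_fragments, peer_honors_ptb_below_1280, forged_mtu=1000):
    """Thread scenario: a forged PTB < 1280 reaches the peer; does its next BGP segment pass us?"""
    pkt = next_bgp_segment_after_ptb(forged_mtu, peer_honors_ptb_below_1280)
    return strict_copp(pkt, local_drops_fragments) == "accept"
```

Only the combination "we drop all fragments" and "the peer honors PTB < 1280" kills the session; filtering PTB < 1280 on our side does not help, because the forged PTB is delivered to the peer, not to us.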

