On 2014-08-19 14:00, Fernando Gont wrote:
[..]
> 1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and
> react (as expected) by generating atomic fragments, *and*,

Anything accepting an MTU < 1280 does not belong on the Interwebs.
Hence, it would be good if that kind of broken code can't send anything.

[..]
> As noted in the I-D, the mitigations seem to be:
>
> 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6
> PTB, or,
>
> 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU
> smaller than 1280.

Don't forget:

0) BCP38.

Though, one would have to inspect the ICMPv6 packet too then.... Hmm,
maybe time to test that out in sixxsd...

Greets,
 Jeroen

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
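An added example, not part of the original message and not sixxsd code: mitigation 2 from the quoted list as a receive-side check in Python, together with one assumed reading of the payload inspection mentioned above, namely that the invoking packet embedded in the PTB must carry the receiver's own address as its source. The function names and the sample addresses (documentation prefix) are constructed for the example.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280   # minimum link MTU required by the IPv6 specification
ICMPV6_PTB = 2        # ICMPv6 type 2: Packet Too Big

def check_ptb(outer_dst, icmp):
    """Return (verdict, reason) for one ICMPv6 message delivered to outer_dst.

    icmp is the raw ICMPv6 message: type, code, checksum, 32-bit MTU,
    followed by as much of the invoking packet as fit.
    """
    if len(icmp) < 8:
        return "drop", "truncated ICMPv6 header"
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PTB:
        return "pass", "not a Packet Too Big message"
    if mtu < IPV6_MIN_MTU:
        return "drop", "claimed MTU %d is below %d" % (mtu, IPV6_MIN_MTU)
    inner = icmp[8:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop", "no embedded IPv6 header"
    # Assumed extra check: the invoking packet must be one we sent, so its
    # source address has to equal the address the PTB was delivered to.
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src != ipaddress.IPv6Address(outer_dst):
        return "drop", "embedded source %s is not ours" % inner_src
    return "accept", "MTU %d" % mtu

def make_ptb(mtu, inner_src, inner_dst):
    """Build a constructed PTB message (checksum left at zero)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 6, 64)   # version 6, next header TCP
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    return struct.pack("!BBHI", ICMPV6_PTB, 0, 0, mtu) + inner

if __name__ == "__main__":
    us, peer = "2001:db8::1", "2001:db8:ffff::2"   # constructed sample addresses
    for mtu, src in ((1000, us), (1280, us), (1400, "2001:db8::bad")):
        print(mtu, src, check_ptb(us, make_ptb(mtu, src, peer)))
```

The check does not verify the ICMPv6 checksum or match the embedded packet against live connection state; a deployed filter would do both before acting on the MTU.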
