On 08/19/2014 09:31 AM, Jeroen Massar wrote:
> On 2014-08-19 14:00, Fernando Gont wrote:
> [..]
>> 1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and
>> react (as expected) by generating atomic fragments, *and*,
>
> Anything accepting an MTU < 1280 does not belong on the Interwebs.
>
> Hence, it would be good that kind of broken code can't send anything.

Well, RFC2460 requires so....

> [..]
>> As noted in the I-D, the mitigations seem to be:
>>
>> 1) Artificially limit your packets to 1280, and drop all incoming ICMPv6
>> PTB, or,
>>
>> 2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU
>> smaller than 1280.
>
> Don't forget:
> 0) BCP38.
>
> Though, one would have to inspect the ICMPv6 packet too then....

Agreed. You need to apply ICMPv6 to the embedded payload...

> Hmm, maybe time to test that out in sixxsd...

Just taking my chance to thank you for sixxsd! ;-)

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
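Added example, not part of the original thread and not code from sixxsd: a Python sketch of mitigation 2 (drop ICMPv6 PTB that claim a Next-Hop MTU smaller than 1280), combined with a source check on the packet embedded in the PTB, which is this example's reading of the "inspect the ICMPv6 packet too" point. The function names, the 2001:db8::/32 documentation addresses and the constructed packets are assumptions.

```python
import ipaddress
import struct

ICMPV6_PTB = 2        # ICMPv6 type "Packet Too Big" (RFC 4443)
IPV6_MIN_MTU = 1280   # IPv6 minimum link MTU (RFC 2460)


def ptb_verdict(icmp6: bytes, local_prefixes) -> str:
    """Classify one ICMPv6 message (bytes start at the ICMPv6 header).

    Assumes the checksum was already verified by the caller.
    Returns "accept" or "drop: <reason>".
    """
    if len(icmp6) < 8:
        return "drop: truncated ICMPv6 header"
    msg_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp6[:8])
    if msg_type != ICMPV6_PTB:
        return "accept"  # not a PTB, out of scope for this filter
    if mtu < IPV6_MIN_MTU:
        return "drop: PTB claims MTU below 1280"
    # A PTB embeds the start of the packet that triggered it. That packet
    # was sent by this host, so its source must be one of our addresses.
    inner = icmp6[8:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: no embedded IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if not any(inner_src in net for net in local_prefixes):
        return "drop: embedded packet was not sent by us"
    return "accept"


def build_ptb(mtu: int, inner_src: str, inner_dst: str) -> bytes:
    """Construct a sample PTB (checksum left at 0) for exercising the filter."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 6, 64)  # version 6, next header TCP
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    return struct.pack("!BBHI", ICMPV6_PTB, 0, 0, mtu) + inner


if __name__ == "__main__":
    ours = [ipaddress.ip_network("2001:db8:1::/48")]  # constructed sample prefix
    for mtu, src in ((1400, "2001:db8:1::179"), (1000, "2001:db8:1::179"),
                     (1400, "2001:db8:9::1")):
        print(mtu, src, "->", ptb_verdict(build_ptb(mtu, src, "2001:db8:2::179"), ours))
```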
