On 20/08/2014 14:42, Lorenzo Colitti wrote:
> On Tue, Aug 19, 2014 at 4:56 PM, Brian E Carpenter <
> [email protected]> wrote:
>
>>> Can we then say that PTB packets < 1280 are invalid and should be ignored
>>> by hosts? Or should be ignored unless they are running a SIIT translator?
>> The host doesn't know in general if there is a translator downstream
>> (except in a DNS64/NAT64 scenario).
>>
>
> What does "downstream" mean? Do you mean "the host does not know if the
> other host it's talking to is behind a SIIT translator"? Or something else?
No, exactly that. SIIT is defined as a stateless translation,
and there's no direct way for a host to know it exists. So if
you get a PTB for <1280, you simply don't know if it's from a
real translator or not in the general case. That's why there's
a DoS risk in the first place.

It would be interesting to know if this matters. It only matters
if there is a significant number of operational paths with the
combination of SIIT and small IPv4 MTUs. I think we need more
data before 6man considers making an incompatible change.

Brian
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
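To make the decision discussed in this thread concrete, here is an added example (not code from the thread or from any IETF document) of how a host can process an ICMPv6 Packet Too Big message: parse the type/code/MTU header, check that the quoted packet matches a flow the host actually has (so an off-path attacker must guess the whole 5-tuple), refuse to raise the estimate, and clamp the path MTU at 1280 as RFC 1981 (now RFC 8201) requires. The `Host` class, the 1500-byte initial estimate, the addresses and the flow table are assumptions constructed for the example; a PTB quoting less than 1280 is accepted but clamped, and flagged as "possible translator" because, as Brian says, the host cannot tell a real SIIT translator from an attacker.

```python
"""Host-side handling of ICMPv6 Packet Too Big (PTB) messages.

Added example, not code from the mailing-list thread: it shows the
decision a host makes when a PTB quotes an MTU below 1280, the IPv6
minimum link MTU, and how checking the quoted packet against the host's
own flows limits who can inject such messages.
"""
import socket
import struct
from dataclasses import dataclass, field

IPV6_MIN_MTU = 1280        # IPv6 minimum link MTU (RFC 8200)
ICMPV6_TYPE_PTB = 2        # ICMPv6 Packet Too Big (RFC 4443)
NH_TCP, NH_UDP = 6, 17     # Next Header values whose header starts with (sport, dport)
ASSUMED_LINK_MTU = 1500    # assumed initial PMTU estimate for new destinations


@dataclass
class Host:
    """Hypothetical host state: own addresses, active 5-tuples, PMTU cache."""
    addresses: set
    flows: set                                   # (nh, src, sport, dst, dport)
    pmtu: dict = field(default_factory=dict)     # dst -> current estimate


def build_ipv6_header(src, dst, payload_len, next_header, hop_limit=64):
    """40-byte IPv6 fixed header, used here only to construct sample packets."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header,
                       hop_limit, socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst))


def build_ptb(mtu, invoking_packet):
    """ICMPv6 PTB body: type 2, code 0, checksum (left zero here), 32-bit
    MTU, then as much of the invoking packet as fits in a 1280-byte
    message (1280 - 40 outer IPv6 header - 8 ICMPv6 header)."""
    room = IPV6_MIN_MTU - 40 - 8
    return struct.pack("!BBHI", ICMPV6_TYPE_PTB, 0, 0, mtu) + invoking_packet[:room]


def process_ptb(host, icmp_msg):
    """Return (verdict, reported_mtu, effective_pmtu) and update host.pmtu."""
    if len(icmp_msg) < 8 + 40 + 4:
        return ("ignored: truncated", None, None)
    icmp_type, code, _csum, mtu = struct.unpack("!BBHI", icmp_msg[:8])
    if icmp_type != ICMPV6_TYPE_PTB or code != 0:
        return ("ignored: not a PTB", None, None)
    quoted = icmp_msg[8:]
    ver_tc_fl, _plen, nh, _hlim, src, dst = struct.unpack("!IHBB16s16s", quoted[:40])
    if ver_tc_fl >> 28 != 6:
        return ("ignored: quoted packet is not IPv6", mtu, None)
    src = socket.inet_ntop(socket.AF_INET6, src)
    dst = socket.inet_ntop(socket.AF_INET6, dst)
    if nh not in (NH_TCP, NH_UDP):
        return ("ignored: unsupported upper layer", mtu, None)
    sport, dport = struct.unpack("!HH", quoted[40:44])
    # The quoted packet must be one this host could have sent.  An off-path
    # attacker then has to guess the whole 5-tuple, not just the addresses.
    if src not in host.addresses or (nh, src, sport, dst, dport) not in host.flows:
        return ("ignored: no matching flow", mtu, None)
    current = host.pmtu.get(dst, ASSUMED_LINK_MTU)
    if mtu >= current:
        # A PTB never raises the estimate (RFC 8201).
        return ("ignored: would not lower PMTU", mtu, current)
    # Never go below 1280 (RFC 1981/8201).  A PTB quoting less may come from a
    # stateless IPv6->IPv4 translator with a small IPv4 MTU behind it, or from
    # an attacker; as the thread notes, the host cannot tell which.
    effective = max(mtu, IPV6_MIN_MTU)
    host.pmtu[dst] = effective
    if mtu < IPV6_MIN_MTU:
        return ("accepted: clamped to 1280, possible translator", mtu, effective)
    return ("accepted", mtu, effective)


def sample_host():
    """Constructed sample: one host with a single TCP flow to a peer."""
    return Host(addresses={"2001:db8::1"},
                flows={(NH_TCP, "2001:db8::1", 40000, "2001:db8:ffff::9", 443)})


def sample_invoking_packet(sport=40000):
    """First bytes of a constructed 1500-byte TCP segment this host sent."""
    return (build_ipv6_header("2001:db8::1", "2001:db8:ffff::9", 1460, NH_TCP)
            + struct.pack("!HH", sport, 443) + bytes(16))


if __name__ == "__main__":
    h = sample_host()
    for mtu, sport in ((1400, 40000), (1200, 40000), (1000, 12345), (9000, 40000)):
        print(mtu, sport, process_ptb(h, build_ptb(mtu, sample_invoking_packet(sport))))
```

Running the block shows the four outcomes in order: a PTB for 1400 lowers the estimate, a PTB for 1200 is accepted but the estimate stops at 1280 with the translator flag set, a PTB quoting a source port the host never used is dropped, and a PTB larger than the current estimate is ignored. The flow check is what keeps a blind attacker from driving every destination down to 1280; it does nothing against an on-path sender, which is exactly the case the thread says a host cannot distinguish from a real SIIT translator.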