Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Dobbins, Roland via cisco-nsp

On Dec 6, 2023, at 17:46, Gert Doering wrote:

> I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which
> works just fine to avoid fragments...

Of course, the last true Internet flag day was in 1994, flag days aren’t 
possible anymore, & this is far from universally implemented. ;>

I know you know this, just stating it for the record. Concur 100% otherwise, of 
course.




Roland Dobbins 

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Gert Doering via cisco-nsp
Hi,

On Wed, Dec 06, 2023 at 09:00:58AM +, Dobbins, Roland wrote:
> On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp wrote:
> 
> > deny ipv4 any any fragments
> 
> This approach is generally contraindicated, as it tends to break EDNS0, & 
> DNSSEC along with it.

I'd argue that the DNS folks recommend using EDNS0 with 1232 bytes, which
works just fine to avoid fragments...

http://www.dnsflagday.net/2020/

... but of course you are right that unconditionally dropping all fragments
is not a recommended approach unless acutely under attack.

What we do here is exactly what you recommend - rate-limit fragments to
some 200Mbit/s per network ingress, which is ~50x the normal peak rate
of fragments seen, and closely monitor drop counts.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [c-nsp] ACL to block udp/0?

2023-12-06 Thread Dobbins, Roland via cisco-nsp


On Dec 6, 2023, at 04:45, Gert Doering via cisco-nsp wrote:

> deny ipv4 any any fragments

This approach is generally contraindicated, as it tends to break EDNS0, & 
DNSSEC along with it.

If the target is a broadband access network, you can use flow telemetry to 
measure normal rates of non-initial fragments destined for it (said rates are 
generally minimal). You can then implement a QoS policy to police down 
non-initial fragments in excess of the rate you’ve decided upon, ensuring that 
you leave some headroom for normal variations in traffic rates.

It would be a good idea to exempt the well-known, well-run open resolvers like 
Google DNS, Quad9, OpenDNS, et al. from this policy, as well as your own 
on-net resolvers.

If the target is a downstream transit customer, something sitting in an IDC, 
etc., more research & nuance in terms of tACLs, policies, & rates is likely 
necessary.



Roland Dobbins 

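The following is an added example, not configuration posted by anyone in the thread: a Cisco IOS-XR style rendering of the approach described above (police non-initial IPv4 fragments at ingress, exempting well-run open resolvers and on-net resolvers). The public resolver addresses are the real ones for Google DNS, Quad9 and OpenDNS; the on-net resolver address, the interface name and the ACL/class/policy names are placeholders, and the 200 Mbit/s rate is the figure quoted in the thread, to be replaced with one derived from your own flow telemetry.

```cisco
! Added example (not from the thread): police non-initial IPv4 fragments at
! network ingress. Derive the rate from flow telemetry with headroom above the
! observed peak; 200 mbps is the figure quoted in the thread, not a recommendation.
!
! In a QoS class ACL a "deny" entry excludes traffic from the class, so the
! exempted resolvers' fragments are forwarded unpoliced; everything else with a
! non-zero fragment offset ("fragments" keyword) falls into the policed class.
ipv4 access-list NONINITIAL-FRAGS
 10 remark Google Public DNS
 20 deny ipv4 host 8.8.8.8 any fragments
 30 deny ipv4 host 8.8.4.4 any fragments
 40 remark Quad9
 50 deny ipv4 host 9.9.9.9 any fragments
 60 deny ipv4 host 149.112.112.112 any fragments
 70 remark OpenDNS
 80 deny ipv4 host 208.67.222.222 any fragments
 90 deny ipv4 host 208.67.220.220 any fragments
 100 remark on-net resolver (192.0.2.53 is a placeholder from the documentation range)
 110 deny ipv4 host 192.0.2.53 any fragments
 120 remark every other non-initial fragment is subject to the policer
 130 permit ipv4 any any fragments
!
class-map match-any NONINITIAL-FRAGS
 match access-group ipv4 NONINITIAL-FRAGS
 end-class-map
!
policy-map POLICE-FRAGS
 class NONINITIAL-FRAGS
  police rate 200 mbps
   conform-action transmit
   exceed-action drop
  !
 !
 class class-default
 !
 end-policy-map
!
! Apply inbound on the network ingress interface (interface name is a placeholder).
interface HundredGigE0/0/0/0
 service-policy input POLICE-FRAGS
!
```

Exceed drops for the class are visible with `show policy-map interface HundredGigE0/0/0/0 input`; trending that counter is the "closely monitor drop counts" step, since a sustained rise above the normal baseline is the signal that fragments are being attacked or that the rate needs revisiting.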