[157048] in North American Network Operators' Group
Re: Dropping IPv6 Fragments
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Thu Oct 4 10:36:47 2012
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Thu, 4 Oct 2012 14:36:28 +0000
In-Reply-To: <3A0C0104-8118-4CEE-89D2-98815ABFBD93@steffann.nl>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
> The closer you get to the edge the more common it might become...
iACLs should be implemented at the network edge to drop all IPv4 and IPv6 t=
raffic - including non-initial fragments - directed towards point-to-point =
links, loopbacks, and other internal infrastructure with exceptions made fo=
r cases where there's a legitimate need for sources outside your network to=
be able to communicate with your infrastructure.
As mentioned previously on the thread, this has nothing to do with transit =
data-plane traffic, which should be left untouched unless it's specifically=
classified as attack traffic or other undesirable traffic.
There's an apparently common misperception that fragmented traffic is someh=
ow bad. It isn't. It's normal, under most circumstances. Protect your in=
frastructure proactively, deal with anything else on a case-by-case basis.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
