[157056] in North American Network Operators' Group
Re: Dropping IPv6 Fragments
daemon@ATHENA.MIT.EDU (Merike Kaeo)
Thu Oct 4 13:42:52 2012
From: Merike Kaeo <merike@doubleshotsecurity.com>
In-Reply-To: <8B29D89C-9DBC-4BDD-BA1A-D2FD9421BFCF@arbor.net>
Date: Thu, 4 Oct 2012 10:42:31 -0700
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 4, 2012, at 7:36 AM, Dobbins, Roland wrote:
>
> On Oct 4, 2012, at 9:26 PM, Sander Steffann wrote:
>
>> The closer you get to the edge the more common it might become...
>
> iACLs should be implemented at the network edge to drop all IPv4 and IPv6 traffic - including non-initial fragments - directed towards point-to-point links, loopbacks, and other internal infrastructure with exceptions made for cases where there's a legitimate need for sources outside your network to be able to communicate with your infrastructure.
>
> As mentioned previously on the thread, this has nothing to do with transit data-plane traffic, which should be left untouched unless it's specifically classified as attack traffic or other undesirable traffic.
+1
> There's an apparently common misperception that fragmented traffic is somehow bad. It isn't. It's normal, under most circumstances. Protect your infrastructure proactively, deal with anything else on a case-by-case basis.
Same misconception as "ICMP is bad"... a historical artifact from attacks in the early 90's that just perpetuates in mythical best practice.
I was just investigating with varying folks whether they also log v6 fragment filtering exceptions and whether anyone has seen anything 'interesting' :) Nothing interesting yet.
I'm co-authoring a doc in IETF which consolidates v6 security practices and looks to provide info for what current BCP is as folks are more actively deploying v6. Was just at RIPE to get input from that operator community and want to solicit input here as well.
Doc is at: http://tools.ietf.org/html/draft-ietf-opsec-v6-00
Feedback on mailing list would be great: https://www.ietf.org/mailman/listinfo/opsec but, if easier to send email to authors just do so directly and we'll incorporate and vet appropriately. All 3 authors follow quite a few *NOG lists and have been involved in deployments so hopefully this can help educate the less informed.
- merike
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
> Luck is the residue of opportunity and design.
>
> -- John Milton
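Added example (not code from the thread, from either poster, or from the opsec draft): a small Python model of the iACL policy described above, plus the kind of fragment-drop logging the reply asks about. It evaluates a packet against a constructed set of infrastructure prefixes and exception entries: traffic whose destination is not infrastructure is transit and is left untouched, fragmented or not; non-initial fragments aimed at infrastructure are dropped and logged; everything else to infrastructure is dropped unless an exception (here, a hypothetical external BGP neighbour reaching a link address) matches. All prefixes, addresses and packets are constructed, and the exception format is this example's own.

```python
"""Model of an infrastructure ACL (iACL): protect point-to-point links,
loopbacks and other internal addresses from outside sources, drop non-initial
fragments aimed at them, and never touch transit data-plane traffic.

Added example.  INFRASTRUCTURE, EXCEPTIONS and every packet below are
constructed for illustration; the exception tuple layout is this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed infrastructure address space (hypothetical documentation prefixes).
INFRASTRUCTURE = [
    ip_network("2001:db8:ffff::/48"),   # v6 loopbacks and p2p link addresses
    ip_network("192.0.2.0/24"),         # v4 infrastructure block
]

# Constructed exceptions: (external source net, infrastructure dest net, proto).
# Example: an eBGP neighbour in a peer's space that must reach our link address.
EXCEPTIONS = [
    (ip_network("2001:db8:1::/48"), ip_network("2001:db8:ffff:1::/64"), "tcp"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmpv6", ...
    fragment: bool = False  # True for a non-initial fragment (no L4 header)


def is_infrastructure(dst) -> bool:
    """True when the destination falls inside a protected infrastructure prefix."""
    return any(dst in net for net in INFRASTRUCTURE)


def iacl_verdict(pkt: Packet) -> str:
    """Return "permit" or "deny" for one packet under the iACL policy."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # Transit data-plane traffic: destination is not ours, so the iACL does
    # not look at it at all, fragmented or not.
    if not is_infrastructure(dst):
        return "permit"

    # A non-initial fragment carries no transport header, so it cannot be
    # matched against a port- or protocol-based exception; drop it.
    if pkt.fragment:
        return "deny"

    # Explicit exceptions for legitimate outside sources.
    for src_net, dst_net, proto in EXCEPTIONS:
        if src in src_net and dst in dst_net and proto == pkt.proto:
            return "permit"

    return "deny"


def filter_with_log(packets):
    """Apply the policy to a batch; return (verdicts, fragment-drop log lines).

    The log records only non-initial fragments dropped toward infrastructure,
    which is the event the reply above says is worth keeping an eye on.
    """
    verdicts, log = [], []
    for pkt in packets:
        verdict = iacl_verdict(pkt)
        verdicts.append(verdict)
        if verdict == "deny" and pkt.fragment:
            family = "v6" if ip_address(pkt.dst).version == 6 else "v4"
            log.append(f"iACL drop {family} non-initial fragment {pkt.src} -> {pkt.dst}")
    return verdicts, log


if __name__ == "__main__":
    sample = [                                   # constructed packets
        Packet("2001:db8:1::5", "2001:db8:ffff:1::1", "tcp"),                  # BGP peer: permit
        Packet("2001:db8:1::5", "2001:db8:ffff:1::1", "tcp", fragment=True),   # fragment: deny
        Packet("2001:db8:9::5", "2001:db8:ffff:1::1", "tcp"),                  # random outside: deny
        Packet("2001:db8:9::5", "2001:db8:2::1", "udp", fragment=True),        # transit: permit
        Packet("198.51.100.7", "192.0.2.1", "udp", fragment=True),             # v4 fragment: deny
    ]
    for pkt, verdict in zip(sample, filter_with_log(sample)[0]):
        print(f"{verdict:6} {pkt}")
    for line in filter_with_log(sample)[1]:
        print(line)
```

The split between "not infrastructure, pass" and "infrastructure, deny unless excepted" is the whole point of the policy: the fragment check only ever runs on packets already bound for your own boxes, so transit customers' fragmented traffic is never affected.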