[157061] in North American Network Operators' Group


Re: Dropping IPv6 Fragments

daemon@ATHENA.MIT.EDU (Fernando Gont)
Thu Oct 4 15:19:40 2012

Date: Thu, 04 Oct 2012 15:15:46 -0400
From: Fernando Gont <fernando@gont.com.ar>
To: joel jaeggli <joelja@bogus.com>
In-Reply-To: <506DA41C.70800@bogus.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi, Joel,

On 10/04/2012 10:58 AM, joel jaeggli wrote:
> So the thing I'd note is that stateless IPv6 ACLs or load balancing
> provide you with an interesting problem since a fragment does not
> contain the headers beyond the required unfragmentable headers.

In the real world, such packets are not legitimate, so feel free to drop
them. draft-ietf-6man-oversized-header-chain formally addresses this issue.


> Likewise with the ACL I have the property that the initial packet has
> all the info in it while the fragment does not.

You're talking about initial fragment vs non-initial fragments? -- If
so, in theory *both* might be missing the upper layer information. In
practice, the first fragment won't. If it does, feel free to drop it.

Cheers,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
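
The check discussed in this message, as an added example that is not part of the original post: a stateless walk of the IPv6 header chain that drops a first fragment (or unfragmented packet) whose chain ends before the upper-layer header. The names `classify`, `ipv6` and `frag`, the minimum upper-layer sizes, and the sample packets are assumptions constructed for illustration.

```python
import struct

EXT_8 = {0, 43, 60}                  # Hop-by-Hop, Routing, Destination Options
FRAGMENT, AH, NO_NEXT = 44, 51, 59
MIN_UPPER = {6: 20, 17: 8, 58: 4}    # assumed minimum TCP/UDP/ICMPv6 header bytes

def classify(pkt: bytes) -> str:
    """Return 'pass', 'non-initial' or 'drop' for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"
    nh, off = pkt[6], 40             # Next Header field, end of fixed header
    while True:
        if nh in EXT_8 or nh == AH:
            if off + 2 > len(pkt):
                return "drop"        # chain cut off inside an extension header
            size = (pkt[off + 1] + 1) * 8 if nh in EXT_8 else (pkt[off + 1] + 2) * 4
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "drop"
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-initial" # offset != 0: no upper-layer info expected
            size = 8
        elif nh == NO_NEXT:
            return "pass"
        else:
            # Anything else (ESP and unknown values included) is treated as upper layer.
            return "pass" if len(pkt) - off >= MIN_UPPER.get(nh, 1) else "drop"
        if off + size > len(pkt):
            return "drop"
        nh, off = pkt[off], off + size

def ipv6(nh: int, payload: bytes) -> bytes:
    """Build a fixed IPv6 header (all-zero addresses) in front of payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + bytes(32) + payload

def frag(nh: int, offset: int, more: int) -> bytes:
    """Build an 8-byte Fragment header; offset is in 8-byte units."""
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234)

# Constructed sample packets, not captured traffic.
GOOD = ipv6(44, frag(17, 0, 1) + bytes(8) + b"data")          # first fragment with full UDP header
OVERSIZED = ipv6(44, frag(60, 0, 1) + bytes([6, 0]) + bytes(6))  # DestOpts says TCP follows, none present
NON_INITIAL = ipv6(44, frag(17, 185, 0) + bytes(100))         # later fragment
PLAIN_TCP = ipv6(6, bytes(20))                                # unfragmented packet
```

A stateless filter can apply its port-based rules whenever this returns `pass`; what to do with `non-initial` fragments remains a separate policy decision.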
