[193352] in North American Network Operators' Group
Re: ICMPv6 PTBs and IPv6 frag filtering (particularly at BGP peers)
daemon@ATHENA.MIT.EDU (Saku Ytti)
Thu Jan 12 09:43:11 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <14a68ac0-b79b-f8d6-3545-e1814ecc6a92@si6networks.com>
From: Saku Ytti <saku@ytti.fi>
Date: Thu, 12 Jan 2017 16:43:06 +0200
To: Fernando Gont <fgont@si6networks.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 12 January 2017 at 13:19, Fernando Gont <fgont@si6networks.com> wrote:
Hey,
> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
> welcome).
"Generally" may be understood differently by different people. If
"generally" is defined as the single most typical behaviour/configuration,
then generally people don't protect their infrastructure in any way at
all, but fully rely on the vendor doing something reasonable.
I would argue BCP is to have 'strict' CoPP, where you specifically
allow what you must, then have an ultimate rule to deny everything. If you
have such CoPP, then this attack won't work, as you clearly didn't
allow any fragments at all (as you didn't expect to receive BGP
fragments from your neighbours).
--
++ytti
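The allowlist-then-deny CoPP model argued for above, as an added illustration that is not part of the original thread and not any vendor's configuration syntax: a small Python evaluator applies a strict policy (permit BGP only from configured neighbours and never as a fragment, permit ICMPv6 Packet Too Big only when the advertised MTU is at least the IPv6 minimum of 1280, deny everything else) and a permissive "no policy" baseline to constructed sample packets destined for the router's control plane. The router address, the neighbour set and the sample packets are constructed values, and the field names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BGP_PORT = 179
IPV6_MIN_MTU = 1280          # IPv6 minimum link MTU (RFC 8200)
ICMPV6_PACKET_TOO_BIG = 2    # ICMPv6 type 2 = Packet Too Big

# Constructed values for the example: the router's own address and its
# configured BGP neighbours (the only sources BGP should ever arrive from).
ROUTER = "2001:db8::1"
BGP_NEIGHBOURS = {"2001:db8:ffff::2", "2001:db8:ffff::3"}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet punted towards the control plane."""
    src: str
    dst: str
    proto: str                     # "tcp" or "icmpv6" (others fall to deny)
    dport: Optional[int] = None    # None for non-initial fragments / ICMPv6
    is_fragment: bool = False      # carries an IPv6 Fragment header
    icmp_type: Optional[int] = None
    ptb_mtu: Optional[int] = None  # MTU field of a Packet Too Big message


def strict_copp(pkt: Packet) -> str:
    """Strict CoPP: explicit allow rules, then an ultimate deny-everything rule."""
    if pkt.dst != ROUTER:
        return "deny"  # not control-plane traffic for this router at all
    # Rule 1: BGP from configured neighbours only, and never fragmented.
    # A non-initial fragment has no TCP header, so it could not match on
    # port anyway; the is_fragment check also rejects the initial fragment.
    if (pkt.proto == "tcp" and pkt.dport == BGP_PORT
            and pkt.src in BGP_NEIGHBOURS and not pkt.is_fragment):
        return "permit"
    # Rule 2: ICMPv6 Packet Too Big is needed for path MTU discovery, but a
    # PTB advertising less than the IPv6 minimum MTU is not honoured here.
    if (pkt.proto == "icmpv6" and pkt.icmp_type == ICMPV6_PACKET_TOO_BIG
            and not pkt.is_fragment
            and pkt.ptb_mtu is not None and pkt.ptb_mtu >= IPV6_MIN_MTU):
        return "permit"
    # Ultimate rule: anything not explicitly allowed is dropped, which is
    # what disposes of fragments and PTB<1280 without a rule naming them.
    return "deny"


def permissive_copp(pkt: Packet) -> str:
    """No CoPP at all: everything addressed to the router reaches its CPU."""
    return "permit" if pkt.dst == ROUTER else "deny"


# Constructed sample traffic covering the cases raised in the thread.
SAMPLE_PACKETS: List[Tuple[str, Packet]] = [
    ("bgp from neighbour",
     Packet("2001:db8:ffff::2", ROUTER, "tcp", dport=BGP_PORT)),
    ("bgp from stranger",
     Packet("2001:db8:bad::9", ROUTER, "tcp", dport=BGP_PORT)),
    ("bgp initial fragment from neighbour",
     Packet("2001:db8:ffff::2", ROUTER, "tcp", dport=BGP_PORT, is_fragment=True)),
    ("non-initial fragment from neighbour",
     Packet("2001:db8:ffff::2", ROUTER, "tcp", is_fragment=True)),
    ("ptb mtu 1400",
     Packet("2001:db8:cafe::7", ROUTER, "icmpv6",
            icmp_type=ICMPV6_PACKET_TOO_BIG, ptb_mtu=1400)),
    ("ptb mtu 1000",
     Packet("2001:db8:cafe::7", ROUTER, "icmpv6",
            icmp_type=ICMPV6_PACKET_TOO_BIG, ptb_mtu=1000)),
]


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    """Return {label: (strict verdict, permissive verdict)} for the samples."""
    return {label: (strict_copp(p), permissive_copp(p)) for label, p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, (strict, loose) in evaluate_all().items():
        print(f"{label:38s} strict={strict:6s} no-policy={loose}")
```

The point the table of verdicts makes is the one in the message: the strict policy never mentions fragments or small PTBs, yet both fall to the final deny because only the traffic the control plane genuinely needs was allowed in, whereas with no policy every one of the samples reaches the CPU.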